I am setting up Twitch as a Fusionauth “OpenID Connect” Identity Provider.
However, although I am specifying scopes like “user:read:email user_read user:edit openid” I am not receiving any kind of email attribute / info in the resulting ID token:
  {
    "aud" : "by8k3k9si129eydh9vspetbpgx0quc",
    "exp" : 1569407637,
    "iat" : 1569406737,
    "iss" : "https://id.twitch.tv/oauth2",
    "nbf" : null,
    "sub" : "416027319",
    "jti" : null,
    "azp" : "by8k3k9si129eydh9vspetbpgx0quc",
    "preferred_username" : "thauin"
  }
It seems that Twitch requires claims to be sent as well (which is not supported by Fusionauth, it seems) and does not honor the given scopes, which it should.
Has anybody got some experience with this?
For openID you need to only specify the openid scope and include claims to be sent.
The other scopes don’t apply to the openID response. These apply for the relevant endpoints. They have no effect on the openID response. openID requires claims to be passed.
Thanks for your answer. Do you work for Twitch? If yes, then please update the documentation, which is very misleading especially
https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#oidc-authorization-code-flow where it links to the scopes available – and doesn’t mention at all that all these scopes are not honored.
Furthermore you can resolve the scope=<space-separated list of scopes> part with scope=openid since any other scope isn’t supported.
OpenID requires Claims as per the OpenID spec.
I do not see a fault in the documentation.
user:read:email (or the other user related scopes) does not grant access to the user’s email when calling OpenID and its userinfo endpoint; that requires a claim.
If you request the right claims then the userinfo endpoint will include that data.
If you include other scopes then you also get back a regular OAuth token that you can use against the non-OpenID related endpoints.
state that the scope MUST include
scope string Space-separated list of scopes. This must include the
If you include other scopes that doesn’t change the data openID returns, it just gives you a standard OAuth token that can be used on the “regular” Twitch API.
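To make the distinction above concrete, here is an added example (not code from this thread, from Twitch, or from FusionAuth) that builds a Twitch OIDC authorization URL with the standard OpenID Connect "claims" request parameter alongside the scopes, and then checks a decoded ID token for the claims that were asked for. It assumes Twitch accepts the claims parameter in the form defined by OpenID Connect Core 1.0 section 5.5 (a JSON object with "id_token" and "userinfo" members), which is what the reply above describes. The helper names and the redirect URI are hypothetical, and the sample ID token payload is constructed from the claims posted at the top of the thread.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Twitch's OIDC authorization endpoint (see the Twitch docs linked above).
TWITCH_AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"


def twitch_oidc_authorize_url(client_id, redirect_uri, id_token_claims=(),
                              userinfo_claims=(), extra_scopes=(),
                              state=None, nonce=None):
    """Build the /authorize URL for the OIDC authorization code flow.

    The important part is the "claims" parameter: OpenID Connect Core 1.0
    section 5.5 defines it as a JSON object whose "id_token" and "userinfo"
    members list the claims wanted in each place; a null value means
    "return it if available". The user:* scopes only shape the regular
    OAuth access token, not the ID token (assumption based on the thread).
    """
    claims = {}
    if id_token_claims:
        claims["id_token"] = {name: None for name in id_token_claims}
    if userinfo_claims:
        claims["userinfo"] = {name: None for name in userinfo_claims}

    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        # "openid" is mandatory; extra scopes are only for the regular API.
        "scope": " ".join(["openid", *extra_scopes]),
        # Fresh state and nonce per request: state ties the callback to this
        # browser session (CSRF), nonce ties the ID token to this request.
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if claims:
        params["claims"] = json.dumps(claims, separators=(",", ":"))
    return f"{TWITCH_AUTHORIZE_URL}?{urlencode(params)}"


def requested_claims(url):
    """Decode the claims parameter back out of an authorize URL."""
    query = parse_qs(urlparse(url).query)
    return json.loads(query["claims"][0]) if "claims" in query else {}


def missing_claims(id_token_payload, wanted, expected_nonce=None):
    """Return the requested claims that a decoded ID token payload lacks.

    Call this only after the token's signature has been verified against the
    provider's JWKS (not shown here). A token lacking a claim the relying
    party depends on should be rejected, not silently mapped to an account
    without an email address.
    """
    if expected_nonce is not None and id_token_payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: ID token was not issued for this request")
    return [name for name in wanted if name not in id_token_payload]


# Constructed sample: the ID token claims posted above (scopes only, no
# "claims" parameter), so the email-related claims are absent.
SCOPES_ONLY_ID_TOKEN = {
    "aud": "by8k3k9si129eydh9vspetbpgx0quc",
    "exp": 1569407637,
    "iat": 1569406737,
    "iss": "https://id.twitch.tv/oauth2",
    "sub": "416027319",
    "azp": "by8k3k9si129eydh9vspetbpgx0quc",
    "preferred_username": "thauin",
}

if __name__ == "__main__":
    url = twitch_oidc_authorize_url(
        client_id="by8k3k9si129eydh9vspetbpgx0quc",
        redirect_uri="https://example.invalid/oidc/callback",  # hypothetical
        id_token_claims=("email", "email_verified"),
        userinfo_claims=("picture",),
        extra_scopes=("user:read:email",),
    )
    print(url)
    print("requested:", requested_claims(url))
    print("missing from scopes-only token:",
          missing_claims(SCOPES_ONLY_ID_TOKEN, ["email", "email_verified"]))
```

Run stand-alone, the script prints the authorize URL with both the scope list and the claims JSON, and reports that the scopes-only token from the thread is missing `email` and `email_verified`; the same check is what a relying party should run on the real token before trusting it.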
I understand, thanks for your help! Coming from a Fusionauth “way of doing things” I made some false assumptions, but things are clearing up.
Let’s see how they react to my issue raised there: