Openid connect issues (using Fusionauth) -- scopes are not provided

tauinger-de · September 25, 2019, 11:51am

I am setting up Twitch as a Fusionauth “OpenID Connect” Identity Provider.

However, although I am specifying scopes like “user:read:email user_read user:edit openid” I am not receiving any kind of email attribute / info in the resulting ID token:

{
  "aud" : "by8k3k9si129eydh9vspetbpgx0quc",
  "exp" : 1569407637,
  "iat" : 1569406737,
  "iss" : "https://id.twitch.tv/oauth2",
  "nbf" : null,
  "sub" : "416027319",
  "jti" : null,
  "azp" : "by8k3k9si129eydh9vspetbpgx0quc",
  "preferred_username" : "thauin"
}

It seems that Twitch requires claims to be sent as well (which is not supported by Fusionauth. it seems) and does not honor the given scopes, which it should: https://dev.twitch.tv/docs/authentication/#scopes

Has anybody got some experience with this?

BarryCarlyon · September 25, 2019, 11:59am

For openID you need to only specify the openid scope and include claims to be sent.

The other scopes don’t apply to the openID response. These apply for the relevant endpoints

user:read:email → Reference | Twitch Developers
user_read → Reference | Twitch Developers
user:edit → Reference | Twitch Developers

They have no effect on the openID response. openID requires claims to be passed.

tauinger-de · September 25, 2019, 12:39pm

Thanks for your answer. Do you work for Twitch? If yes, then please update the documentation, which is very misleading especially https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#oidc-authorization-code-flow where it links to the scopes available – and doesn’t mention at all that all these scopes are not honored.

Furthermore you can resolve the scope=<space-separated list of scopes> part with scope=openid since any other scope isn’t supported

BarryCarlyon · September 25, 2019, 1:37pm

No

OpenID requires Claims as per the OpenID spec.

I do not see a fault in the documentation.user:read:email (or the other user related scopes) does not grant access to the users email when calling OpenID and it’s user info endpoint, that requires a claim.

If you request the right claims then the userinfo endpoint will include that data.

if you include other scopes then you also get back a regular oAuth token that you can use against the none OpenID related endpoints.

The docs

state that the scope MUST include openid

scope string Space-separated list of scopes. This must include the openid scope.

if you include other scopes that doesn’t change the data openID returns, just gives you a standard oAuth token that can be used on the “regular” Twitch API

tauinger-de · September 25, 2019, 2:08pm

I understand, thanks for your help! Coming from a Fusionauth “way of doing things” I made some false assumptions but things are clearing up

Let’s see how they react to my issue raised there: https://github.com/FusionAuth/fusionauth-issues/issues/308

system · October 25, 2019, 2:08pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.