Problems understanding oauth authentication

Hello there!

I need help with the oauth authentication… I use a dedicated twitch account for my bot. I have a client_id, client_secret, and an oauth:<token> to connect to the IRC and that works just fine.

Now I want to make my bot channel point redemption aware, and for this I need to subscribe to the pubsub_topic, for which I totally and utterly fail to get the token. I have read the documentation on the different oauth auth flows, tried and failed so many things… From what I understand I must authenticate my bot account on my broadcaster account to read the channel point redemptions.

For that I added https://twitchapps.com/tokengen/ as the redirect URL to my bot’s app over at https://dev.twitch.tv/console/apps (on the bot’s twitch account), and then accessed /tokengen from a browser session with my broadcaster account, entered my bot’s app client_id, entered channel:read:redemptions as scope and authenticated my bot user to read channel point redemptions on my broadcaster account. I get a token back, but regardless if I enter that as <token> or oauth:<token> in my code, I always get

{'type': 'RESPONSE', 'error': 'ERR_BADAUTH', 'nonce': '<nonce>'}

as an answer.

I have the feeling that I took a wrong turn somewhere, but can’t see where…

I think my errors are before the code, with the authentication. Things I don’t understand (yet): do I need a separate redirect_uri for my bot (which is basically just a user reacting to commands and hopefully channel point redemptions)? If not, how can I allow my bot user to read the channel point redemptions using the pubsub_topic?

Cheers
Attention Horse

First off, don’t use other people’s generators.

The best advice here is to create the loop on your own server.

Second off, this generates an implicit oAuth token, which when it dies, means you need to manually recreate the token.

If you used “regular” oAuth on a server you control, you’ll get a refresh token which you can use to generate a new token automatically.

This sounds like you logged in as your bot, which means you granted the bot’s user client ID to read the bot user’s redemptions.

When you need to login as you.

You need to create a link between your application and your broadcaster account
in order to read the broadcaster account’s redemptions.

Doesn’t matter who owns the clientID. (People generally do not have bot accounts own clientIDs, they attach clientIDs to a “real” user for easier management of applications/clientIDs)

If you take the token and call the validate endpoint

The user_id returned in the result needs to be the broadcaster’s user_id. I anticipate the token you have will return the bot’s user_id instead, which is your problem.

So essentially, there should be no bot user involved here at all.

TLDR: You need to generate a token for the broadcaster. Owner of the client_id is irrelevant.

Hey Barry :slight_smile:

thanks for the quick reply :slight_smile:

I got to the page where twitch asked me if I wanted to grant my bot’s user the permission to access the channel points on my broadcaster account (or I again don’t understand :sweat_smile:)

I will look into this again and skip my bot user for the time being and use an app connected to my broadcaster account.

Cheers
Attention Horse

You should get a page similar to: (depending on scopes requested)

In this example, my Application is called the same as my bot (appended with services), but the logged in user/avatar is my broadcaster account.

But this is granting my application (not the user) to access my account.

Your wording here is misleading since an application is not a “user”.

Which topic are you trying to listen on?

I try to listen to channel-points-channel-v1:

import json

import requests

# Request a token with the client credentials grant
request_data = {
    "client_id": CLIENT_ID,
    "client_secret": CLIENT_SECRET,
    "grant_type": "client_credentials",
    "scope": "channel:read:redemptions",
}
AUTH_TOKEN_ANSWER = json.dumps(
    requests.post("https://id.twitch.tv/oauth2/token", data=request_data).json()
)
print(AUTH_TOKEN_ANSWER)
AUTH_TOKEN = json.loads(AUTH_TOKEN_ANSWER).get("access_token")
# Subscribe to the channel points topic (called from inside the bot's async code)
pubsub = await bot.pubsub_subscribe(
    AUTH_TOKEN, f"channel-points-channel-v1.{CHANNEL_ID}"
)

The page I saw was similar (AHGBotty wants to access your account attention_horse_germany)

So the better wording is I want to have my app read the channel points on my channel?

Will look into your link and test things, I’ll be back asap :slight_smile:

client_credentials is for server to server requests (generally) for public data only. Channel points is privileged data.

This generates a token that doesn’t have a user, you need to use regular oAuth. And the token returned by the oAuth flow (step 3 in)

You can confirm a userID is in the token with the validate endpoint


Okay, got this figured out :smiley: Thanks for the links :slight_smile: Got successfully subscribed with the app to the pubsub topic for channel point redemptions :slight_smile:

  1. Open https://id.twitch.tv/oauth2/authorize?client_id=$client_id&redirect_uri=http://localhost&response_type=code&scope=channel:read:redemptions%20chat:read in browser
  2. Get the ?code= from the URL
  3. Paste the code to and curl -X POST "https://id.twitch.tv/oauth2/token?client_id=$client_id&client_secret=$client_secret&code=$code&grant_type=authorization_code&redirect_uri=http://localhost"
  4. Use the access_token as header “Authorization: OAuth $access_token” on https://id.twitch.tv/oauth2/validate
  5. ???
  6. Profit!

Every time I was so confused on the redirect_uri that I totally ignored what was in the parameters when I opened the link in step 1.

What also helped understanding was this blog post: https://blog.twitch.tv/en/2019/11/06/twitch-authentication-understanding-which-protocol-and-flow-is-right-for-you/

Issue resolved for me :slight_smile:
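
Added example (not code from any poster in this thread): the validate check discussed above, written as a Python helper that reports why a token would be rejected for channel-points-channel-v1. The helper names, IDs and sample validate responses are constructed for illustration, and the shape of the app-token response (no user_id) is an assumption based on the thread's description.

```python
import json
import urllib.request

VALIDATE_URL = "https://id.twitch.tv/oauth2/validate"  # endpoint named in the thread
REQUIRED_SCOPE = "channel:read:redemptions"


def fetch_validation(access_token):
    """Call the validate endpoint with the header from step 4 of the thread."""
    req = urllib.request.Request(
        VALIDATE_URL, headers={"Authorization": f"OAuth {access_token}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_token_for_redemptions(validation, broadcaster_id):
    """Return a list of problems; an empty list means the token fits the topic."""
    problems = []
    user_id = validation.get("user_id")
    if not user_id:
        # No user attached: this is what the client_credentials grant produces.
        problems.append("app token without a user (client_credentials grant)")
    elif str(user_id) != str(broadcaster_id):
        problems.append(f"token belongs to user {user_id}, not the broadcaster")
    scopes = validation.get("scopes") or []
    if REQUIRED_SCOPE not in scopes:
        problems.append(f"missing scope {REQUIRED_SCOPE}")
    return problems


# Constructed validate responses (all IDs and logins are made up).
BROADCASTER_ID = "1111"
SAMPLES = {
    "client_credentials": {"client_id": "abc", "scopes": None, "expires_in": 5000000},
    "bot_user": {"client_id": "abc", "login": "examplebot", "user_id": "2222",
                 "scopes": ["channel:read:redemptions"], "expires_in": 14000},
    "broadcaster": {"client_id": "abc", "login": "examplecaster", "user_id": "1111",
                    "scopes": ["channel:read:redemptions", "chat:read"],
                    "expires_in": 14000},
}

if __name__ == "__main__":
    for name, validation in SAMPLES.items():
        print(name, check_token_for_redemptions(validation, BROADCASTER_ID) or "OK")
```

Against a real token, pass the result of `fetch_validation(token)` to the check before subscribing; an invalid or expired token makes `urlopen` raise an HTTP error instead of returning a body.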