Refusing the oauth2 authorize step always displays a warning screen instead of redirecting

Hello there,

I’ve been working on a small website, on which I’ve implemented a OIDC connection with Twitch.

I’ve created an application, got both my client_id and client_secret, and specified my OAuth redirect urls to http://localhost:3000/auth/twitch/callback.

When clicking on the connect with twitch button on my website, the user is successfully redirected to the authorize screen on Twitch (URL like https://id.twitch.tv/oauth2/authorize?response_type=code&client_id=xxxxxxxxxxx&redirect_uri=http://localhost:3000/auth/twitch/callback&scope=openid).

At this step, the user can either click on Authorize to accept my app to get its information, or click on Cancel to refuse.

When accepting, the user is successfully redirected to my website, on the page specified in the redirect_uri parameter, which in my case is http://localhost:3000/auth/twitch/callback.

However, when clicking on Cancel to refuse, I’m always having this screen, noticing the user he’s about to leave the website to a domain not being controlled by Twitch:

The Continue button is redirecting me on this page : http://localhost:3000/auth/twitch/callback?error=access_denied&error_description=The user denied you access&state=xxxxxxx, which is the same url that is allowed in my OAuth Redirect URLs.

So, I’ve already seen this page when the redirect_uri was not allowed in my OAuth Redirect URLs, but in this case, the url is the same one for a success or a failure.

Having a doubt about the http and localhost, I’ve also tried using ngrok + https, but got exactly the same issue.

The last thing that made me believe it was a “normal” behavior from Twitch was when I’ve created my account here on https://discuss.dev.twitch.tv/ using my twitch account, and refusing at first to simulate the same thing, and this also showed that same screen.

Is this a normal behavior ? Have I missed something ?
I couldn’t find anything on Twitch dev documentation or on the forum (if I missed it, sorry).
Thanks in advance!

Weird but otherwise normal.

Thanks for your answer.

If I understand you right, there is nothing to do about this and it will stay like this then ?
Since other OAuth2 providers like Facebook, Google etc… handle this “cancel” case correctly and redirect right away, I was wondering if Twitch was aware of this or if there was to way to let them know, so it can be improved/fixed in the future. Any idea ?

There is nothing you can change your side to prevent this screen. So shrug

To my knowleges there is nothing “wrong” with this in regards to the oAuth specification.

Given they built this flow and this screen is a recent additional in general they are probably aware

If you think it’s a bug then you can file a bug report - Issues · twitchdev/issues · GitHub

Ok got it thanks.

Indeed it’s not a bug, I just think it could be improved in that regard, but this is a personal opinion.
I didn’t know it was added recently, thanks for letting me know. I think I’ll just let it go for now and see how Twitch continues working on this.

Thanks for taking the time to explain and answer.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.