Revocation of identity linking: Opposite of requestIdShare()?


#1

Is there a way to tell when a user has removed identity linking from your extension? After a successful requestIdShare() call, you can get the user id from the JWT. I am trying to figure out how to know when the user removes id sharing so I can abide by the following developer agreement policies:

Twitch Developer Agreement, section VI Data Policy:
E : “You may not continue to associate a user ID with an end user if he or she un-authenticates from your App.”

F : You must delete all data collected upon termination of the Agreement, revocation or reduction in scope of end user authorization, or upon Twitch’s request, and cause any affiliates or third parties with whom you have shared copies to do the same.


#2

No

There is no notification on revocation, so the normal practice wrt to e/f is that if you’ve not seen the user for a week or so, you delete the data. It’s a bit of a grey area and with extensions you are not keeping anything really user identifiable that is not public anyway

Edit: not a lawyer!


#3

Correct there is no notification

You can use the is_unlinked value in the JWT to see if they have now unlinked their account. This would however mean tracking opaque_user_id alongside the user_id which doesn’t change for a logged in user.

As you say though there are grey areas legally which like you I cannot answer


#4

And if you did track that, you would be unable to detect they unlinked until they revisit your extension and/or there are probably, other reasons for an unlink to occur.