[Solved] Keycloak for login with twitch: is twitch's oidc auth flow json non-standard?

I am attempting to implement login with twitch using keycloak, and I was wondering if anyone else has successfully used it? I have managed to finally get through most of the flow, but unfortunately keycloak throws an error as it attempts to parse the returned json access/refresh/id tokens. It appears that while twitch uses an array of scope strings in it’s token json, as far as I can tell from looking through the keycloak code base and several other oidc providers, the default appears to be a single space separated string. (oidc auth flow step 4 for the json I am referring to)

Has anyone else encountered this issue implementing login with twitch? Im seeing at least two other posts by @cryptearth here and @gonzalo_lallena here encountering the same issue, however both are using a java library. I’m wondering if this is more a java/library/implementation thing, or more a twitch thing.

edit: keycloak’s access token response object for anyone who wants to take a look

This was raised and answered on the GitHub

Thanks for your feedback regarding the scope format. While we strive to follow RFCs as closely as possible, occasionally deviations do occur. Changing our scope value from an array to a space-separated string would be a significant breaking change for existing applications. Making this change to be inline with the RFC does not outweigh the disruption it will cause, so we will not be updating the format in the current implementation. This may be something to consider in a future implementation, but as there is no action at this time, this issue will be closed.

I was not aware (or forgot, one of the two) that resource existed. Cool.

As to the response, I am not surprised that it cant be changed for compatibility reasons. (Though I did post a reply asking if it could be bodged.) I am surprised that it existed as a problem in the first place, but this thread really isn’t the place to go bemoaning twitch’s API life-cycle.

Thanks for the quick reply.

For anyone who finds this in the future running into the same problem, I have written a small service that can act as an in-between and will mutate the responses returned by twitch to something that keycloak can read.
The github repo is avaliable here and the standalone docker container is streemtech/twitchfix