Twitch Authorization Code is saved in Cookies


#1

Hi there,

Scenario:

  1. 1st user logs into our native app and connects our User ID with their Twitch User ID; authorization is successful
  2. 1st user logs out of our app
  3. 2nd user logs into our native app, on the same device, using a different ID and tries to connect his own Twitch ID

Result: the Twitch Auth page opens and closes in a matter of seconds, not allowing the user to get to the Twitch authorization page.

It feels like when the 1st user authorized, Twitch wrote a cookie for future seamless navigation. However, this makes it troubling when multiple users operate the same device.

Please, advise if there is anything we might be missing.

Thank you in advance.


#2
Optional parameter: force_verify
Type: boolean
Description: Specifies whether the user should be re-prompted for authorization. If this is true, the user is always prompted to confirm authorization. This is useful to allow your users to switch Twitch accounts, since there is no way to log users out of the API. Default: false (a given user sees the authorization page for a given set of scopes only the first time through the sequence).

Set force_verify to true in your redirect to Twitch.
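As an added example (not code from this thread or from Twitch), here is how an app backend could build the authorization URL with force_verify=true and then check the callback that Twitch redirects to. The client id, redirect URI, scope and authorization code are constructed placeholders; the state parameter is standard OAuth 2.0 and is assumed here as the way to tie the callback to the session that started the flow.

```python
"""Build a Twitch authorization-code URL with force_verify=true and validate
the redirect that comes back. Added example; all credential-like values are
constructed placeholders, not real ones."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://id.twitch.tv/oauth2/authorize"

# Constructed placeholders (assumption: your real values come from the Twitch console).
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/twitch/callback"


def new_state() -> str:
    """Random per-request value; store it in the session that starts the flow."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state, force_verify=True):
    """Return the URL to send the user to. With force_verify=true Twitch shows
    the consent page even if this Twitch account already approved the app, so
    a second person on a shared device sees which account is logged in and
    can switch accounts before granting."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "force_verify": "true" if force_verify else "false",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_redirect(redirect_url, expected_state):
    """Extract the authorization code from the callback URL.

    The state check rejects a callback that did not originate from this
    session, so a code obtained in one browser session cannot be replayed
    into another. The code itself belongs to whichever Twitch account was
    logged in when consent was given; bind your user to the Twitch user id
    you get after exchanging it, not to what the client claims."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    codes = query.get("code")
    if not codes:
        raise ValueError("callback carries no authorization code")
    return codes[0]


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI, ["user:read:email"], state))
    # A constructed callback, as Twitch would redirect to after consent:
    callback = f"{REDIRECT_URI}?code=constructedcode123&state={state}"
    print(parse_redirect(callback, state))
```

The app only learns which Twitch account consented when it exchanges the code and reads the resulting user id; that is the value to link to the app account, regardless of who was sitting at the device.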


#3

Thanks for the quick response!
We have looked into it, but we have the following concerns:

  1. if the 2nd user wants to abuse our app, he will click ‘yes, that’s me’ and pretend that he is the 1st user
  2. in the near future, when we add live streams, would that mean that the user will have to authorize in Twitch every time in order to be able to see the live streams?

#4

No, because they’ll log in as the second user.

This occurs because they already granted authorization to your app and there is nothing “new” to accept, unless you set force_verify.


#5

“No, because they’ll log in as the second user.” Does this mean that even if the 2nd user clicks ‘yes, that’s me’, Twitch will verify whether this user ID has already signed in?


#6

If user A hits “yes, that’s me” in the authorise dialog, you’ll be returned a code for that user.

If user B on the same computer goes to your site and reaches the authorise dialog, they’ll go “oh, that’s not me, why did my friend leave themselves logged into their Twitch account on my computer”, hit logout to log in as themselves, and they’ll be sent back to your website with a code for user B.

You are overthinking this security matter.


#7

I might, but we would like to treat our users for connecting their user IDs to Twitch, and I am trying to avoid possible abuse of this treat campaign…

Do you mind explaining what will happen if user B clicks ‘yes’ in this case, please?


#8

You are overthinking the issue of when there are two or more users on the same computer.

There isn’t anything to fix here.


#9

Alright, thank you for the quick responses.