Twitch Oauth User Retrieval 401 with Spring Boot 2+

Hi all,

I’m new to this forum. Please forgive me on any inappropriate manners I may have in this question.

I have been using spring boot’s magic for single sign-on with twitch for a while (approx. 4 months) and never had any issue. However, today when I tried to log in using my own twitch account through my auth server I always get “401 Unauthorized” with no more detailed messages from twitch.

The following is my twitch oauth config in spring boot:

```yaml
twitch:
  client:
    client-id: [xxxxxxxxxx]
    client-secret: [xxxxxxxxxx]
    access-token-uri: https://id.twitch.tv/oauth2/token
    user-authorization-uri: https://id.twitch.tv/oauth2/authorize
    client-authentication-scheme: form
  resource:
    user-info-uri: https://api.twitch.tv/helix/users
    login_uri: /login/twitch
```

```
2018-07-22 16:34:35.315 WARN 4728 — [nio-8080-exec-9] o.s.b.a.s.o.r.UserInfoTokenServices : Could not fetch user details: class org.springframework.web.client.HttpClientErrorException, 401 Unauthorized
```

The “401” is coming from “GET https://api.twitch.tv/helix/users”.

The interesting thing is that I tried Postman client with the same setting and I was able to get my user details. I’m not sure if twitch changed something in API that wasn’t a requirement before now causing issues with my spring settings.

I really appreciate if someone could help me investigate this issue. Thanks in advance.

I just discovered that the token type returned from twitch is “bearer”; notice the lower case. Spring then compares this type against the “Bearer” string, but case-insensitively. Therefore “bearer” is used in the “Authorization” header. But twitch doesn’t accept the word “bearer”; it has to be the camel case “Bearer”.

Alright guys, I have fixed my problem. The problem is that when you request an access token from twitch using client id and secret with authorization_code, you will get the token with lower case “bearer” as name/type. If you are using spring, by default, spring will use whatever name/type is given, or it will set it to “Bearer” if no name/type is given. In this case, however, the lower case “bearer” is given by twitch.

But if you use “bearer” along with the access token value to get user details (https://api.twitch.tv/helix/users), you will get “401” because this endpoint (could be other endpoints) only accepts “Bearer” as token name/type. Only the camel case “Bearer” goes through. The lower case “bearer” will get you “401 Unauthorized”.

Apparently this has never happened before; it could be a recent change, but this feels like a bug to me. Could someone else confirm this for me? Thanks in advance.

The following is my temporary solution. I had to create a custom authenticator instead of the default one and then assign it to the RestTemplate.

```java
import org.springframework.http.client.ClientHttpRequest;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RequestAuthenticator;
import org.springframework.security.oauth2.client.http.AccessTokenRequiredException;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

// Nested inside the OAuth2 client configuration class; replaces the default
// authenticator, which copies the provider's token type ("bearer") verbatim.
private class BearerTypeOAuth2RequestAuthenticator implements OAuth2RequestAuthenticator {

    @Override
    public void authenticate(OAuth2ProtectedResourceDetails resource, OAuth2ClientContext clientContext,
        ClientHttpRequest request) {
        OAuth2AccessToken accessToken = clientContext.getAccessToken();
        if (accessToken == null) {
            throw new AccessTokenRequiredException(resource);
        }
        // Always send the canonical "Bearer" scheme, ignoring the casing twitch returned
        request.getHeaders().set("Authorization",
            String.format("%s %s", OAuth2AccessToken.BEARER_TYPE, accessToken.getValue()));
    }
}
```
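As an added regression check (not part of the original post), a JUnit 4 test that feeds the custom authenticator a constructed token whose type is the lower-case “bearer” that twitch returns, and asserts that the Authorization header carries “Bearer”. It assumes BearerTypeOAuth2RequestAuthenticator is accessible as a top-level class and that spring-test’s MockClientHttpRequest is on the test classpath.

```java
import java.net.URI;

import org.junit.Test;
import org.springframework.http.HttpMethod;
import org.springframework.mock.http.client.MockClientHttpRequest;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;

import static org.junit.Assert.assertEquals;

public class BearerTypeOAuth2RequestAuthenticatorTest {

    @Test
    public void lowerCaseTokenTypeFromProviderIsSentAsBearer() {
        // Constructed token mimicking twitch's response: token_type is "bearer" in lower case
        DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("example-access-token");
        token.setTokenType("bearer");
        DefaultOAuth2ClientContext context = new DefaultOAuth2ClientContext(token);

        // Mock request standing in for the call to the helix users endpoint; nothing is sent
        MockClientHttpRequest request = new MockClientHttpRequest(
                HttpMethod.GET, URI.create("https://api.twitch.tv/helix/users"));

        new BearerTypeOAuth2RequestAuthenticator().authenticate(
                new AuthorizationCodeResourceDetails(), context, request);

        // The header must use the canonical "Bearer" scheme regardless of the provider's casing
        assertEquals("Bearer example-access-token",
                request.getHeaders().getFirst("Authorization"));
    }
}
```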
