"user/logout" and "user/reset_password" pages are broken

This is not a Twitch API issue per se, so feel free to direct me to the correct place to raise this issue.

As of yesterday (AFAIK) the following url twitch.tv/user/logout no longer works.

I use this url before a user authorizes a 3rd party application (OAuth). Because the url shows a I'M SORRY, THAT PAGE IS IN ANOTHER CASTLE! message and doesn’t actually log the user out, the authorization process I’m using is broken and users can’t authorize at all.

The password reset page is broken as well: https://www.twitch.tv/user/reset_password.

Password reset form should be operational again.

Well I’m really only interested in the /user/logout page, but I happened to notice the /user/reset_password was broken as well.

I literally got swamped with e-mails from users this morning having issues. One of my apps has around 50k users, so no surprise there… Just hope this gets resolved soon.

The removal of /user/logout is not a bug. That url was deprecated and was removed in favor of /logout. Furthermore, we have never supported external sites forcibly logging out users.

Wow… RIP 50k users…

And this is not about an external site, but 3rd party applications that require multiple authorizations, such as a chat token generator and a desktop dashboard.

Well, more shenanigans.

/logout doesn’t actually log the user out, at least not when called from within an AIR application. Neither does it log me out when I visit that page directly in Chrome. I get redirected to the twitch home page but remain logged in.

When you guys mess things up, you sure mess things up good…

So to clarify, without the ability to log a user out, authorization is currently broken.
Calling https://api.twitch.tv/kraken/oauth2/authorize?response_type=token when the current logged in user has already authorized, redirects the user to the end page and basically skips authorization. Meaning that a user is not able to authorize multiple accounts.
This worked in the past (and has for years) by calling /user/logout when a user had already authorized one account. This is now no longer possible.

Yeah, this is breaking a lot of things.

There’s currently no way to force a user to select which username is authenticating when he/she already has in the past and is also logged in to Twitch, as you’ll always get authenticated as the logged in user without even getting the auth screen.

So say you use a web browser embed for your desktop app to authenticate users. Now after the user first authenticates he/she can’t authenticate as a different user until the Twitch login cookie expires…

This is a huge problem.

@Fugiman Is there any way you guys can add a param to authentication that forces the auth screen, and so that it doesn’t automatically redirect?

This. Google has this, I suggest something similar: https://developers.google.com/identity/protocols/OAuth2WebServer#redirecting See the approval_prompt param

This needs to happen, plain and simple.

In the meantime, put /user/logout back in place so that users can actually authorize 3rd party apps.

We recognize that the inability to force the user to verify the authorization is a problem for multi-user scenarios. We are investigating the optimal solution, but do not have an ETA for an official fix.

In the meantime, the only workaround I can propose is that if you are embedding the browser in your application, you might be able to clear all browser cookies, which would log the user out. If there is no API to clear cookies, perhaps re-instantiating the browser would work?

For me at least, that’s unfortunately not possible. And I believe some anti-virus software will freak out for where it is possible. Just changing some CSS in the embed is enough for some to freak out.

In other words, things are broken and won’t be fixed any time soon… that’s what I’m reading there… thanx for nothing…

Seriously… put /user/logout temporarily back in place so things at least work as they used to. Right now apps are literally broken and non-functional, which is unacceptable.

There’s no workaround… if there was one I wouldn’t be here in the first place.

We’ve added a force_verify parameter to our OAuth /authorize endpoint. It’ll show the authorize screen even for users who have already authenticated your application. Just add force_verify=true to your request. For example: TMI Token generator with force_verify=true

Does that work for you?

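
As an added illustration (not code from this thread or from Twitch), the following Python helper builds the implicit-grant authorize URL discussed above with the new force_verify=true parameter, and checks the state value on the way back so a token returned to the wrong session is rejected. The client_id, redirect_uri and scope values are placeholders; only the endpoint, response_type=token and force_verify come from the thread.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint named in the thread; the implicit grant (response_type=token)
# returns the token in the URL fragment of the redirect.
AUTHORIZE_URL = "https://api.twitch.tv/kraken/oauth2/authorize"


def build_authorize_url(client_id, redirect_uri, scopes, force_verify=True):
    """Return (url, state) for the authorize request.

    force_verify=true makes the consent screen appear even when the
    logged-in Twitch user already authorized this app, which is what
    lets a multi-account app pick a different account without having
    to log the user out first. The random state is stored by the
    caller and compared on return.
    """
    state = secrets.token_urlsafe(16)
    params = {
        "response_type": "token",
        "client_id": client_id,          # placeholder, not a real id
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    if force_verify:
        params["force_verify"] = "true"
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_redirect(redirect_url, expected_state):
    """Extract access_token from the redirect's fragment.

    Returns None when the state does not match the one we issued, so a
    token that belongs to another session (or a forged redirect) is
    never accepted.
    """
    fields = parse_qs(urlsplit(redirect_url).fragment)
    if fields.get("state", [None])[0] != expected_state:
        return None
    return fields.get("access_token", [None])[0]
```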
Just tested it and it works great, thanks! Took me like 10 seconds to patch as well.

That should come in handy, thanks.

Btw, one tiny thing: At the bottom of the Authorization page it says “You can revoke access to any application at any time from the Applications tab of your Settings page.”, shouldn’t that be “Connections tab”?

Doesn’t seem to work 100% for me at least. Adding the force_verify parameter does show the authorization page, but when a user is already logged in and has to click the “not you?” link, the process gets stuck at http://api.twitch.tv/kraken/base.

When sending the user back to the first url, he/she is still logged in.

Mind you, it works fine when I test it in Chrome for instance, but it doesn’t work when running it in Adobe AIR (desktop app).

Thanks, we’ve updated this text.

Clicking the logout link runs a Javascript callback that submits a form POST to the logout url with a CSRF token. It sounds like you’re just following the link directly? Redirecting to /kraken/base is a bug, but just going to the link isn’t going to work.

I’m not following any links directly. I’m simply displaying the /oauth2/authorize page, with the new force_verify parameter. When a user is logged in (browser cookie - which is not under my control) the authorization page now displays properly (because of the new parameter). The page will display the logged in user name followed by a Not You? link. It is when clicking that link the user is supposed to be logged out and redirected to the initial authorization page, asking for user credentials. This still doesn’t happen. The /kraken/base redirect seems to have been fixed, but I’m now being redirected to the twitch home page and I’m still logged in.

So whatever /logout is doing differently than /user/logout, it is not working.

Are there any Javascript errors? /logout is working correctly, but for some reason the Javascript callback to submit the form isn’t being run in your app so the right parameters aren’t being sent. The form is #logout_form, does submitting that manually work?

Do you have a way I can reproduce?

Earlier today I did get some weird page with a JSON that just displayed in the browser {error: null, …} and two other keys that I can’t remember. They all had null values. That was after using the “Not you?” link.

After that one time I tried to reproduce it though, but had no luck. All was done in an incog window, in Chrome.