Bad Request on OIDC Authorization Code Flow (step1)


I am pretty sure I haven’t fully understood or kinda integrated the stuff yet.

I try to automate step 1 of

Everything works fine when I put the following link
$authorize_url = '<client_id>&redirect_uri=<redirect_uri>&response_type=code&scope=' . $client_scope . '&state=' . $stateVal;
on a website and click on it.

Then I receive the access code etc.etc…

However, if I try to execute the following:

echo "Formulating authorization request…";
$url = '';
$data = array('client_id' => $client_id, 'redirect_uri' => 'redirect_uri', 'response_type' => 'code', 'scope' => $client_scope, 'state' => $stateVal);

// use http even if you send requests to https://…
$options = array(
    'http' => array(
        'header' => array(
            "Content-type: application/x-www-form-urlencoded",
            "Accept: application/vnd.twitchtv.v5+json",
        ),
        'method' => 'GET',
        'content' => http_build_query($data),
    ),
);
echo "done.\n";

echo "Opening stream context…";
$context = stream_context_create($options);
echo "done.\n";

echo "Receiving answer…";
$result = file_get_contents($url, false, $context);
echo "done.\n\n";

from a script, I receive “failed to open stream: HTTP request failed! HTTP/1.0 400 Bad Request”.

What am I doing wrong? Is it working at all like this from a script? (yes my file_get_contents is working with https. I, unfortunately, can’t use curl atm.).

  1. Don’t use file_get_contents, use cURL. Just get cURL installed; file_get_contents just is not safe
  2. What’s the body response? (Not just the HTTP Code)
  3. It should be a ‘POST’, not a ‘GET’
  4. See if anything is relevant from this duplicate post: OIDC Authorization - Bad Request - PHP

  1. As mentioned at the very end of my post, I use file_get_contents (working with https) as I, unfortunately, do not have access to curl atm.

  2. What do you mean by body response? The only thing I receive is:
    file_get_contents( failed to open stream: HTTP request failed! HTTP/1.0 400 Bad Request in …

  3. Why should it be ‘POST’? I am at step 1 ( which states:
    ‘GET …’

  4. As mentioned in ‘3.’ I am at step 1), i.e. ‘authorize’ not 3) ‘token’?!

Oh step 1? I skim read and jumped to step 3. As Step 3 is the cURL/exchange step. You shouldn’t be fetching the authorise url like this

Step 1 is a redirect. You send the user to that URL in order to authenticate and come back
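
The redirect described in the reply above, as an added example that is not part of the original thread: the browser is sent to the authorize URL with the parameters in the query string and a random `state` bound to the session, and the callback rejects any response whose `state` does not match. The endpoint, client id, redirect URI, scope value and function names are placeholders or assumptions, not values from the thread.

```php
<?php
// Added example; endpoint, client id and redirect URI below are placeholders.
const AUTHORIZE_ENDPOINT = 'https://auth.example/oauth2/authorize';
const CLIENT_ID          = 'your-client-id';
const REDIRECT_URI       = 'https://app.example/callback.php'; // must match the registered URI

// Build the step-1 URL: parameters go in the query string, never in a request body.
function buildAuthorizeUrl(string $scope, string $state): string
{
    return AUTHORIZE_ENDPOINT . '?' . http_build_query([
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'response_type' => 'code',
        'scope'         => $scope,
        'state'         => $state,
    ], '', '&', PHP_QUERY_RFC3986);
}

// Constant-time comparison; non-string input (e.g. state[]=x) is rejected outright.
function stateIsValid($expected, $returned): bool
{
    return is_string($expected) && is_string($returned) && $expected !== ''
        && hash_equals($expected, $returned);
}

session_start();

if (!isset($_GET['code']) && !isset($_GET['error'])) {
    // Step 1: bind a fresh random state to this session, then redirect the browser.
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    header('Location: ' . buildAuthorizeUrl('openid', $_SESSION['oauth_state']), true, 302);
    exit;
}

// Callback: the provider has sent the user back to REDIRECT_URI.
$expected = $_SESSION['oauth_state'] ?? null;
unset($_SESSION['oauth_state']); // state is single use
if (!stateIsValid($expected, $_GET['state'] ?? null)) {
    http_response_code(400);
    exit('State mismatch, authorization response rejected.');
}
if (isset($_GET['error'])) {
    http_response_code(400);
    exit('Authorization was not granted.');
}
// $_GET['code'] can now go to the server-side token exchange (step 3, a POST).
echo 'Authorization code received.';
```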

So does that mean that I can’t automate that?

To maybe give a bit more background information, I try to create a service, that is running in the background and recognizes new subscribers.

I was wondering if I can “automate” step 1) at all. Or if it is neither required nor recommended.



See this section of the docs for collecting subscribers:


channel-subscribe-events-v1 from PubSub | Twitch Developers



Thanks a lot. Having a look into those!!

If you need a user access token, you must have a user manually authorize the application. If an app access token is suitable, that you can fully automate (but can’t access any users’ auth-gated resources, only the application’s itself).
