The last few days, I got the DCF working for my C++ game engine. There is still something I just can’t wrap my head around.
bro_a : broadcaster account
bot_a : bot account
I would like to have my bot’s username in the chat, so I follow the process:
Create bot Twitch account: bot_a
Create “Public Client Application” XYZ in bot account
Using XYZ’s client_id for DCF
Request verification_uri for user_code
Browse verification_uri and log in with bro_a
Activate user_code
7.0 The “Authorize” page says, that application XYZ wants to access your account, displaying bro_a(not bot_a) underneath with all the scopes the bots needs.
7.1 Followed by pressing the “Authorize” button
My C++ application loops as long as “authorization_pending” is sent while trying to get the user_token
Eventually, authorization went through and my bot logs into the chat.
Log into the chat with NICK bot_a into channel #bro_a. Here comes the problem:
The bot is registered as bro_a and not as bot_a!
Some forum threads and the docs talk about the auth token being connected to the user authorizing, so I tried step 5. with not logging in as bro_a but as the bot itself, so essentially authorizing its own client application to access bro_a’s chat. That worked actually, but I do not understand it.
If I look in my connections in the setting with my bro_a account, the bot_a client application is not connected, but the bot can do stuff, like sending announcements or write into the chat with its username… The client application is actually connected in the bot_a account. How can this be?
If I allow the Twitch Developer to access my account I do log in with my account bro_a, right?
Sure, but at the moment, my bot is connected/authorized to its own client application but still can act on my chat!
Say I would like to pass the bot to someone else, bro_b, who wants to authorize the bot with all the scopes in order do deploy its features, bro_b would also log in with bro_b’s account and authorize the bot through the verification_uri, right?
Ok. Lets consider this endpoint: https://api.twitch.tv/helix/chat/announcements
It requires the broadcaster_id and the moderator_id and the scope moderator:manage:announcements in the user token.
In my case, broadcaster_id is my id, and moderator_id is the bots id.
In my account, I do not have the connection to the bots client application which I used to get the user token with the scopes. And yet, the bot can send to this endpoint successfully.
But technically, if the bot’s client application is not connected in my account, doesn’t that mean, the bot does not have been authorized to do this action?
Requires a user token from moderator_id with the scope moderator:manage:announcements
The user moderator_id needs to be a moderator of the destination channel broadcaster_id
No authentication from the broadcaster is needed beyond the broadcaster having given the user the rank of moderator on the broadcasters channel.
A user has given the clientIID permission for the clientID to operate on their account.
The clientID can only send an announcment to a channel, if the user in the token is also a moderator of the destination channel.
So if your tried to use this endpoint to send to /twitch you would get the error of the moderator in the token is not a moderator of /twitch
Two tokens are not required, just the token for the user that wants to send an announcement. As the broadcaster already gave the user permission to send announcements by making the user a a moderator.
IE the moderator can send announcements as the moderator is a moderator of the destination cahnnel
So on your channel you have given the bot user the role of moderator.
And the bot user has given permission to the ClientID to act on it’s behalf.
Ok. I just tried the bot on someones channel(I kindly asked before!). And the bot was able to log into that users channel chat and post a PRIVMSG message.
I initially thought the scopes are there for the user to allow the bot, via the authorization page, to act in certain ways, like posting on the user channel chat.
Ok. That changes things. So if I would like to make my bot act on behalf of another user bro_b, bro_b needs to add my bot as a moderator first, otherwise, I can only do simple postings to the chat and reading the chat, depending on what the scopes allows for, right?
A clientID can act as whatever user is in the token being used.
To send a PRIVMSG over IRC as a user doesn’t require any permissions from the broadcaster. You only need the user token for the user you want to send messages as.
Sending announcements as a user needs the user to be a moderator on the destination channel, but you would still have the announcement be authored by the user in the token you have not another user, like you wrote.
I think you got confused over ownership of the clientID.
The scopes dictate what permissions are on a token.
A token belongs to a user.
The owner of the ClientID jsut doesn’t matter.
When you generate a token for a user, you can only act as the user in the token, not another user.
The bot is just another user.
If foo grants the clientID bar a token then you can do whatever as foo but you can’t do anything as the user that owns the clientID.
Like if you login to my ClientID as your bot on say this code example Twitch Implicit Auth Example that returns a token for your bot that I don’t see.
But if you change the scopes that that tool puts on the token (to say include the announcement sending scope we discussed) then you have a Token that represents your bot, using my clientID, that can send announcements to a channel if your bot is a moderator there.
I can’t now magically start sending stuff to a chat as your bot. And your token can’t start magically sending stuff to any chat as me the owner of the clientID.
Your program might have a token for your bot account and a token for user bro_b
So then your program can use whatever token it needs to do whatever it is you want to do.
So depends here if you mean bot as in the program or bot as in another user. Which I don’t think you do.
So no beign a moderator doesn’t matter here. It was only relevant for for the example of sending announcements.
as to send announcements via the API requires
a token from the user that wants to send the announcement
that user to also be a moderator on the destination channel.
Since you are doing a game.
You can’t operate how you want to operate as there is no way for this to work:
I download your game
I open the game
I DCF as your bot
As I don’t have your bot’s username and password and 2FA token.
So we’ll take this back to the beginning:
You are making a game
It is not possible under this flow to send messages to the channel as your bot as there is no way to authenticate the bot to the players computer.
So for a game to read/write to a channel you would have to be read/writing as the broadcaster.
I download the game
I open the game
I login to the game as me as I have my username/password (and not your bots)
The game sends to chat as me as thats the only token it’s possible to get.
If you wanted to send to the channel as the bot
I download the game
I open the game
I login to the game as me as I have my username/password
When something needs to be sent to the channel as your bot
The game notifies your server of a message to send
Your server sends to the channel as your bot as you have the bots token securely held on your server.
And to keep things simple we are ignoring a special case that can allow this but doesn’t apply for your described use case and authentication flow as it doesn’t apply in your security context. (Since said special case will require a server and can’t be done in pure DCF)
Twitch Developer is the name of the ClientID.
It is the program behind the clientID that does stuff.
The Developer Console uses the Code Grant flow.
There is no developer user
Everywhere I’ve said “bot” in this post has generally mean the user, not the program.
And I think thats where some confusion might have stemmed from.
The program will operate as the token it has on file.
So when you oAuth you connect a user to the clientID and the resultant token representing a user is what messages sent in a channel will use as a username. The user within the token.
The name of the ClientID and the owner of the ClientID does not matter.
The Twitch Developer account is the owner of the token?
There is no Twitch Developer account in this scenario. Just a client ID called “Twitch Developer”.
The program behind it will hold onto the token and use the token.
The token the program has on file has access to those scopes to do whatever.
Like if you go to Twitch Implicit Auth Example and click the second link, that grants the program, in this case the Javascript on the page, permission to read your (verified) email address from the Twitch API when it calls the Get Users Endpoint. (Until you reload the page and the program is restarted and the token is lost.
You got me there. Well, I edited, because I found that previous post you made to be clarifying afterwards.
Thanks anyway @BarryCarlyon for all the time you put into my problem! It helped me very much to understand it better and getting rid of my previous mindset of the DCF.
The DCF works perfectly for me and I think I can do what I wanted to do with it!