Client credentials tokens expire too soon

Hi everyone,

I’m currently working on a chrome extension to get notifications when some streamers start their streams. The extension is quite old now (I’ve started it under the kraken API and then migrate to helix). Recentlty Twitch change their policy on authentication and it’s now mandatory for every call.

So in order to keep my extension up and running I’ve added a mechanism to get token through the OAuth client credentials process. This part of my code works well, I’m using AWS Lambda to generate the tokens.

However I’ve some trouble with the expires_in field. Firstly, this field is weirdly random arround 5000000 (shouldn’t this be a static value ?). But more importantly, if I convert the number of seconds in days I get something arround 60 days, which fits with the documentation:

App access tokens expire after about 60 days

However after only 1 days the token seems expired, every call to the API return this error

{"error":"Unauthorized","status":401,"message":"Invalid OAuth token"}

Why do my tokens expire after such a short time ?

I imagine the following scenario applies

You generated 25 tokens
When you generated the 26th
It killed the 1st.

You need to change your code to generate one token reuse that token till is expires.

Somewhere it seems you are regenerating tokens but still using the first generated token instead of the last. Or you have other code running with the clientID/secret thats maxing you active token count

I hope AWS is doing the calls to the API for you too, you don’t want to be leaking your oAuth to uses of your chrome extension

The lambda is only communicating to, the calls to are executed from the extension (I know that it can induce some security issue where the token generated for my extension could be used by other people but I count on CORS to protect my Lambda from being accessed by other services).

Well the problem is that I have thousand of users that uses my extension (so there is a lot of token issued). I know that client credentials is not the best OAuth flow for what I’m doing but I don’t want the user to authenticate themselves on the extension (authorization grant, implicit, …), it’s supposed to be a simple extension that read only public information (is a streamer on or off)

From what I’m understanding of your answer, I supposed I should create an intermediate API that handles the authentication through client credentials and then forward the response of the request of

Thanks for your answer

But they can extract the Credential from the chrome extension, you may be violating the developer agreement by leaking your Credential publically.

I can install your chrome extension, grab you ClientID and Token from the network tools, and now I am making requests as you

You need caching, most streamer data isn’t gonna change more than once per 24 hours, (display_name/login/profile image), sure total followers is gonna change, but cache that for 30 minutes instead perhaps

Fetch one streamer, and return that streamer from your cache, negating the need to hammer the Twitch API as you already have the data.

The problem is that with Lambda you can’t do caching, you’ll need to use dynamodb or any other database.
But since I will have to store my tokens I supposed I will be forced to use these DBs so I will be able to add cache but I wouldn’t be able to cache the response of the calls more than 1 minute because I need to alert the users as soon as the streamer start its stream. (If I cache for 30 minutes, the notifcation could be emitted up to 30 minutes later)

I know I could use the webhooks but its way too complicated to implement with Lambda and again its just a simple chrome extension, I don’t want to create a monster of code that takes me 1 week to update and get it up and running (and probably cost me few dollars on AWS).

Having a simple dynamoDB table will save you a lot of troubles, and there is a free tier and DynamoDB

Simply do not cache when the stream is not live then :slight_smile: and only cache when it’s live

Webhook are pretty simple to set up with lambda, you just need an API gateway and a cron job to make sure your subscription do not expire.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.