Extensions requesting OAuth from viewers

Hi guys,

Just looking for some confirmation from the Twitch team in regards to Twitch extensions requesting OAuth from the viewers (not within the config).

I’ve read numerous threads that are a few years old that cite:

“Extensions may not request or require OAuth permissions from extension viewers.”

And the guidelines document (Extensions Guidelines & Policies | Twitch Developers); however, it doesn’t appear that line now features in the guidelines.

Does this mean we can now request OAuth from viewers in extensions?

Hi @tom_dev, we do not have a policy restricting OAuth in an Extension for viewers. :+1:

Thanks @jbulava, does this mean from overlay extensions we’re able to redirect off to a separate OAuth flow, redirecting back to the extension (I believe we’d have to redirect back into the extension EBS instead of directly back into the extension?)

Video/Component overlay extensions, at time of writing, cannot link out at all. (There are exceptions to this rule)

But yes the correct flow would be

  • Link out (making a new window)
  • User clicks yes/no
  • User is redirected back to your EBS
  • EBS handles final steps of OAuth
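
The EBS side of the flow described above, as an added example that is not part of the original post or Twitch's code: the EBS issues a signed, expiring OAuth `state` before the link-out and checks it when the user is redirected back. The function names, the TTL and the idea that `viewerId` comes from an identity the EBS has already verified are assumptions for illustration.

```javascript
// Added example: signed OAuth `state` for the link-out -> EBS callback flow.
// makeState, handleCallback and STATE_TTL_MS are hypothetical names.
const crypto = require('node:crypto');

const STATE_TTL_MS = 10 * 60 * 1000; // assumed: 10 minutes to finish consent

function sign(payload, secret) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
}

// Called by the EBS before the extension opens the new window.
// viewerId: an identity the EBS has already verified (assumption).
function makeState(viewerId, secret, now = Date.now()) {
  // The nonce makes each state unique; enforcing single use would also
  // need server-side storage, which this example leaves out.
  const payload = Buffer.from(JSON.stringify({
    v: viewerId, t: now, n: crypto.randomBytes(16).toString('hex'),
  })).toString('base64url');
  return `${payload}.${sign(payload, secret)}`;
}

// Called by the EBS redirect endpoint with the parsed query string.
// Returns the outcome; the code-for-token exchange itself is not shown.
function handleCallback(query, secret, now = Date.now()) {
  const [payload, mac] = String(query.state || '').split('.');
  if (!payload || !mac) return { ok: false, reason: 'missing_state' };
  const expected = Buffer.from(sign(payload, secret));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad_state' }; // forged or tampered state
  }
  const { v, t } = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (now - t > STATE_TTL_MS) return { ok: false, reason: 'expired_state' };
  if (query.error) return { ok: false, reason: 'denied', viewerId: v }; // user clicked "no"
  if (!query.code) return { ok: false, reason: 'missing_code' };
  return { ok: true, viewerId: v, code: query.code }; // exchange the code server-side next
}
```

Because the viewer ID travels inside the signed state, the callback can attach the resulting grant to the right viewer without trusting anything else in the redirect URL.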

@BarryCarlyon what would the exceptions be?

To give some context: we’d be optionally allowing users to OAuth with our internal platform which allows preferences around games to be set and analytic tracking across the other applications they may be accessing the service from.

Borderlands 3 extension and Amazon Blacksmith have working Links on video extensions, I do not.

That’s the exception to the rule. (The exceptions are entities, not ways that other entities can link out.)

@BarryCarlyon @jbulava ok so it’s more of just a “who you are” kind of thing.

Does this mean then unless we’ve got explicit permission from Twitch the above mentioned user flow for OAuth wouldn’t get accepted as an extension?

If Twitch haven’t specifically allowed your video overlay or component view to have a whitelisted link, then that link will simply be blocked by the iframe. So your extension could maybe still go through review but the OAuth link in the video view will never work as it wasn’t whitelisted.

It also won’t work in testing/hosted test (may in localtest *citation not provided), so your extension would get rejected due to broken functionality.