No scopes are returned after POST /oauth2/token

I am passing the user_read scope to /oauth2/authorize, and the scope is provided to the callback URL after authorization by the user.

But when retrieving an OAuth token, the scope array is empty, and I cannot use the returned token to read the user information. A call to shows no scopes either.

On the other hand, this works with the implicit authorization flow.

Repro case:

  1. Create an application.
  2. Use the code flow to request auth with no scopes.
  3. Request auth with different scopes e.g. user_read.
  4. No scopes are returned with the OAuth key.
  5. Delete the app from your Connections:
  6. Request auth with user_read scope.
  7. OAuth key has correct scopes.

It seems that the scopes get “frozen” after auth is requested once, and the user has to delete the app connection to request more scopes.
Since my application originally requested no scopes, I could not request the user_read scope. After deleting the app from my connections, it works.

Recently my application requested folks to generate new OAuth keys for new scopes, and no one has reported an issue as such. Even for myself, I regenerated my OAuth and the new permission was working as expected. I do see my scope in the call to the API, but, I updated some time back.

When you are checking the API, are you checking immediately or after a few minutes just in case it is a caching item?

EDIT: Never mind, you are saying that you cannot even read user information, I missed that part. Sorry for the confusion.

Yes, someone else seems to be having the same issue too: Twitch OAuth returning stale scopes when using Authorization Code Flow

Thanks for the report! This should be fixed. Let me know if it isn’t.


Looks to be fixed by my testing. Thanks for the prompt response!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.