OIDC Authorization Code Flow - Missing id_token

Hello everyone!

I’m about to set up an OIDC authentication for my app. Therefore I tried it with the serverside flow (also known as “Authorization Code Flow”), but unfortunately I get only the OAuth2 access_token and refresh_token, opposed to the desired id_token. I followed also the documentation:

Is this a bug or do I something wrong?

Also refering to (sadly closed due no response):

Thank you in advance!
HaoRyan

Can you provide the POST that you’re sending (with all the secure bits removed)?

Sure! (Thank you for the fast answer btw :slight_smile:)

POST:

https://api.twitch.tv/kraken/oauth2/token?client_id=<clientid>&client_secret=<clientsecret>&code=<code>&grant_type=authorization_code&redirect_uri=<redirecturi>

Response:

{
    "access_token": "<accesstoken>",
    "refresh_token": "<refreshtoken>",
    "scope": [
        "openid"
    ]
}

Hello has this been resolved? I’m running into the same issue. The request documented here seems to be the same for the OIDC and the OAuth2 flow. I am not receiving the id_token (or even the expires_in), just the access_token, refresh_token, and scopes.

I have been able to work around the issue by using a response_type of “id_token code”, which interestingly enough gives a different result if I use a response_type of “code id_token”. The former uses the authorization code response, and the latter uses the implicit flow response. This seems to be a bug that should be looked at soon. Otherwise the whole system seems to be broken.

it works for me, what are you posting to the authorize endpoint?

just double checked this you are posting to https://api.twitch.tv/kraken/oauth2/token when you should be posting to https://api.twitch.tv/api/oauth2/token