Previous OAuth2 access tokens not being invalidated on reauthorization


The thread at Does creating an auth code invalidate old access_tokens? suggests that creating a new access token will invalidate any old access tokens that have previously been issued. However, I have been able to generate two access tokens for myself with the ‘chat_login’ scope that can both log into the IRC server and send and receive messages.

The app only shows up once in the Connections tab, and all these access tokens are invalidated correctly if I revoke access using that page. However, it seems off that the old access tokens aren’t invalidated as the linked thread indicates. Is this a bug?

Thank you,

- @Sophira.

For clarity: This is using the same client ID, of course.

This behavior changed sometime in the last year. Generating new tokens will no longer invalidate previous ones.

Thank you for the reply!

In that case, is there any way to request that a reauthorization should return a pre-existing access token if one exists and if Twitch would not ask again for permission anyway?

I’d like to be able to expire sessions after some time on a webapp I’m developing and as I understand it, the only way to get an access token from Twitch is through one of the authentication flows. I’m also very concerned about security and would much rather my users didn’t have multiple access tokens floating about which could theoretically be used along with my client ID to access their account.

I do understand that it’s impossible to programmatically request invalidations of access tokens (at least, that’s how I’m interpreting the line “…since there is not a way to log users out of the API.” in the authentication guide) and I think I understand the reasons for not offering a means to do so, but it would make a lot of sense that there would be a way to request an access token that already existed. Is this possible?

I’m not normally one to bump my own topics, but I think the topic of being able to request a pre-existing access code (or invalidating previous ones) instead of having to hoard session data to prevent multiple access tokens from existing is an important one.

Having multiple unnecessary access tokens existing for the same user/device on the same app, with all tokens able to be used and not being able to be invalidated, is a security issue. As far as I can tell, the only way to prevent this from occurring without implementing a local account system (which can defeat the point if you’re using Twitch as an identity provider as well) is to extend the lifetime of the session to absurd levels - and of course even that doesn’t help if the user clears their cookies.

If there isn’t a means to request a pre-existing token or to invalidate a previous one, I’d like to request that this be considered. Thank you!

[edit: Of course, if one could request an expiration to be set on access tokens you receive, that would also work. This could be done on the page that allows you to regenerate your client secret, for example; that way you don’t need to worry about adding to the OAuth2 protocol.]
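The workaround discussed in this thread, keeping your own session data so that only one token per user is ever used, can be sketched as an in-memory store. This is an added illustration, not code from the thread or from Twitch: it assumes a constructed session lifetime (`SESSION_TTL`), a hypothetical `TokenStore` class, and no network calls; the older token still exists at Twitch, since the thread says it cannot be invalidated, but the app forgets it and stops using it.

```python
import secrets
import time
from typing import Optional


# Server-side session lifetime in seconds. Constructed value for this example:
# it bounds how long a stored access token stays usable through this app.
SESSION_TTL = 8 * 3600


class Session:
    def __init__(self, user_id: str, access_token: str, expires_at: float):
        self.user_id = user_id
        self.access_token = access_token
        self.expires_at = expires_at


class TokenStore:
    """One live session (and so one access token) per user, in memory.

    Twitch will not invalidate the earlier token for us, so the app keeps only
    the newest one and drops the rest from its own store.
    """

    def __init__(self):
        self._by_session = {}      # session id -> Session
        self._session_by_user = {}  # user id -> current session id

    def register(self, user_id: str, access_token: str,
                 now: Optional[float] = None) -> str:
        """Store a freshly issued token; any earlier session for this user is dropped."""
        now = time.time() if now is None else now
        old_sid = self._session_by_user.get(user_id)
        if old_sid is not None:
            self._by_session.pop(old_sid, None)
        # The cookie carries this opaque id, never the access token itself.
        sid = secrets.token_urlsafe(32)
        self._by_session[sid] = Session(user_id, access_token, now + SESSION_TTL)
        self._session_by_user[user_id] = sid
        return sid

    def token_for(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the access token for a session, or None if unknown or expired."""
        now = time.time() if now is None else now
        sess = self._by_session.get(sid)
        if sess is None:
            return None
        if now >= sess.expires_at:
            # Expired: purge it so the user is sent through the OAuth flow again.
            self._by_session.pop(sid, None)
            if self._session_by_user.get(sess.user_id) == sid:
                self._session_by_user.pop(sess.user_id, None)
            return None
        return sess.access_token

    def needs_reauth(self, sid: str, now: Optional[float] = None) -> bool:
        """True when the app has no usable token and should start a new auth flow."""
        return self.token_for(sid, now) is None


if __name__ == "__main__":
    store = TokenStore()
    t0 = time.time()
    first = store.register("user-42", "token-A", now=t0)
    second = store.register("user-42", "token-B", now=t0 + 10)
    print("old session still usable:", store.token_for(first, now=t0 + 10) is not None)
    print("new session usable:", store.token_for(second, now=t0 + 10) is not None)
```

Because the session id is all the browser holds, clearing cookies simply forces a fresh authorization; the expiry is enforced server-side, so the bound on token use holds regardless of what the client does.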


Is there a more appropriate venue where I should be asking these questions?
