Requiring OAuth for Helix Twitch API Endpoints

I’ve also put together an example of using serverless functions to make calls to the Helix API using OAuth, which is a way to make these calls securely and also for free

Hope this helps make the switch easier for folks!

1 Like

Emails were sent about it.

1 Like

I highly recommend that you turn on email notifications for the Announcements category here on these forums. You can get an email when a new announcement is made, and only staff can make them, so you won't be spammed.

There have been months of time to prepare, with messages both here on the forums and on the TwitchDev Discord server about this, scheduled windows where the change was temporarily live in the lead-up to it going permanently live, and Twitch has tried to reach out by email to as many developers as they could see would be impacted by this change.

1 Like

Intermittently getting ‘Invalid authorization code’ requesting an Access Token today, though above info suggests changes are now permanent and the API settled. This happens both locally and on AWS Lambda.

Combined with the poor messaging given by the API I’m very frustrated with Twitch.

As a maintainer of an open source authentication library I dislike having to work to support specific providers because they don’t behave like other popular services; it’s made worse when the error handling isn’t helpful.

For example, the Google oAuth service links to relevant documentation from errors when there are changes to the API.

While the documentation is extensive, I have not found it all that helpful as pages are missing important information (which is sometimes on another page and sometimes undocumented except in an old forum post and you are left to wonder if it still applies to the current version of the API).

Being inconsistent with version naming and endpoints is also not ideal.

1 Like

Which case here? As far as I know, the error messages returned in the 401 responses are pretty explicit about what's wrong.

So does the old API v3 when you try to contact it. It simply is not feasible to do that for this change, as the errors are not 100% obviously the result of an older application that missed the change: you are plain and simply not authorized correctly, so that's what the API will tell you.

Yep, it’s unfortunate to call something “The new thing” (eyeing you there, passport-twitch-new and passport-twitch-newer), but this change has not affected the old API v5 at all and helix does not have any version numbers. (PubSub does, but has stayed relatively consistent within its v1)

I can understand why you are frustrated. How would you like Twitch to tell you about changes?

Oh and if you want some help debugging your issue, join us on the Discord!

1 Like

I'm not getting the same behavior as you on AWS Lambda and locally.
Looks like you might have a problem in your code.

1 Like

I doubt that it’s with my code given the pattern I’m seeing.

For context, I’ve written several single sign on authentication platforms over the decades (clients and servers) and have learned to trust my hunches. I can see the HTTP responses sent out and coming back and the requests are not missing credentials or malformed.

My guess is either that Twitch is enforcing some weird rate limiting and handles it badly, or it is just buggy, as the problem goes away after a while and then resurfaces after it sees multiple login attempts (this is unique, as no other mainstream oAuth provider does this).

It’s happening intermittently with Twitch and only on Twitch (locally and hosted). 7 different public oAuth providers (including Facebook, Google, Twitter, GitHub, Slack, Discord) are working 100% of the time.

1 Like

Hi @iaincollins, I'm curious if you'd be ok with opening a new topic in /c/api to continue the conversation and help with troubleshooting. Just don't want it to get lost in the announcement thread here. If so, please feel free to do so and link it here.

2 Likes

@jbulava Thanks, I’m just going to leave it and pop a warning in our open source library documentation and let anyone who might want to use it know that there are some issues with the Twitch API until further notice.

1 Like

Ok. If helpful, you or other collaborators on the project can detail any odd behavior in a new topic at your convenience for us to look into. At this time, there are no noticeable interruptions or issues with the authentication flow.

1 Like

If I'm using the OAuth implicit code flow to get the access token for a client-side app (browser extension), how do I check the access token expiration, and how do I refresh it without asking the user to log in again if they already authorized it before?

1 Like

You can check your current expiration by sending a GET request to the /validate endpoint. Beware that it expects the Authorization header to start with OAuth instead of Bearer.

1 Like

That returns expires_in: 0?
Also, expires_in is not mentioned in the validate documentation.

curl -H "Authorization: OAuth <access token>" https://id.twitch.tv/oauth2/validate
And here is a sample response:

{
  "client_id": "<your client ID>",
  "login": "<authorized user login>",
  "scopes": [
    "<requested scopes>"
  ],
  "user_id": "<authorized user ID>"
}
1 Like

How old is your ClientID?

1 Like

ClientID from 2016

1 Like

Super old client IDs (off hand I don't recall the cut-off, but I think it was May 2018 or 2019 when expiring was introduced) can generate tokens that currently last forever/have no expiry; that is why you have an expires_at of 0.

The documentation for the validate endpoint omits the key, as, for the life of the API, expiring tokens are a recent addition. At the time of writing, old client IDs can still generate (what I call) "god user tokens" that last forever/have no expiry (and where, for normal oAuth, you still do get a refresh token).

At some point Twitch will kill these old tokens and the ability to generate “God Tokens”

Has the “request” to fix the documentation

2 Likes
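The two points made above, that /validate wants an "OAuth" rather than "Bearer" Authorization prefix and that a token from a very old client ID can come back with expires_in of 0 (no expiry), are pulled together in the following added example. It is not code from the thread or from Twitch; the response bodies are constructed samples, and the fetch implementation is injected so the parsing and expiry logic can be exercised offline. Only the validate endpoint URL and the response fields shown in the thread are taken from the page; the function names and the 401 body shape are assumptions.

```javascript
// Added example (not from the thread): check a Twitch user access token with
// GET https://id.twitch.tv/oauth2/validate and decide whether the app must
// send the user back through the authorize step. fetch is injected so the
// parsing logic can run offline against constructed responses.

const VALIDATE_URL = "https://id.twitch.tv/oauth2/validate";

// The validate endpoint expects the "OAuth" prefix, not "Bearer".
function buildValidateRequest(accessToken) {
  return {
    url: VALIDATE_URL,
    options: {
      method: "GET",
      headers: { Authorization: `OAuth ${accessToken}` },
    },
  };
}

// Turn an HTTP status plus parsed JSON body into a token summary.
// Returns { valid: false } for a rejected token; otherwise the identity
// fields plus expiresAt (epoch ms), or null when the token has no expiry
// (expires_in is 0 or absent, as with tokens from very old client IDs).
function interpretValidateResponse(status, body, nowMs) {
  if (status !== 200) {
    return { valid: false, status, message: body && body.message };
  }
  const expiresIn = Number(body.expires_in) || 0; // seconds remaining
  return {
    valid: true,
    clientId: body.client_id,
    login: body.login,
    userId: body.user_id,
    scopes: Array.isArray(body.scopes) ? body.scopes : [],
    expiresAt: expiresIn > 0 ? nowMs + expiresIn * 1000 : null,
  };
}

// Decide whether to re-run the authorize step. A rejected token, or one that
// expires within marginSeconds, means "get a new token"; a token with no
// expiry is only replaced once Twitch actually starts rejecting it.
function needsReauthorize(summary, nowMs, marginSeconds = 300) {
  if (!summary.valid) return true;
  if (summary.expiresAt === null) return false;
  return summary.expiresAt - nowMs <= marginSeconds * 1000;
}

// Live helper for a browser/extension context; fetchImpl defaults to the
// global fetch. Returns the same summary shape as interpretValidateResponse.
async function validateToken(accessToken, fetchImpl = globalThis.fetch) {
  const { url, options } = buildValidateRequest(accessToken);
  const res = await fetchImpl(url, options);
  let body = null;
  try { body = await res.json(); } catch (_) { body = null; }
  return interpretValidateResponse(res.status, body, Date.now());
}

// Constructed sample responses (not captured from Twitch; the 401 body shape
// is an assumption) used to exercise the logic without network access.
const SAMPLE_OK_EXPIRING = {
  status: 200,
  body: { client_id: "abc123", login: "someuser", scopes: ["user:read:email"],
          user_id: "12345", expires_in: 5000 },
};
const SAMPLE_OK_NO_EXPIRY = {
  status: 200,
  body: { client_id: "old2016id", login: "someuser", scopes: ["user_read"],
          user_id: "12345", expires_in: 0 },
};
const SAMPLE_REJECTED = {
  status: 401,
  body: { status: 401, message: "invalid access token" },
};
```

With the implicit flow there is no refresh token to exchange, so when needsReauthorize returns true the extension has to run the authorize redirect again; the point of calling /validate first is to avoid doing that while the current token is still good, and to treat a no-expiry token as valid until the server rejects it.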

Now that the Helix OAuth changes have been in effect for a few days, we’re going to close out comments on this topic. Should you have further questions or troubleshooting related to these changes, please create a new topic in /c/api.

3 Likes