[SOLVED] BUG: Authorization 'not you?' link redirects to homepage

If my app takes a user to https://api.twitch.tv/kraken/oauth2/authorize to authorize and they click the ‘not you?’ link to authorize someone other than their current login, it sends them to https://www.twitch.tv/logout?return_to=https%3A%2F%2Fapi.twitch.tv%2Fkraken%2Foauth2%2Fauthenticate%3Faction%3Dauthorize

This should log out the current user and take the browser back to an authorization page with a login box but it’s now a 301 Moved Permanently redirect that just dumps them at https://www.twitch.tv/

This completely breaks the authorization flow. All of the redirection information and the app’s client ID is lost during the redirect.

Do you have your actual auth link we can try? I just tried on one of my sites and the ‘not you?’ seems to work as expected.

Sure. Auth link was:


‘not you?’ link was:


Note: This is for a desktop app (yet another bot) so I’m not passing state because there’s no CSRF to worry about and the redirect_uri goes nowhere (404) because I intercept as soon as a redirect to that URL occurs in my app’s dialog.

Okay…that actually works in my browser. But not in my app.

So the bug is on my end and something to do with the Chromium I’m using in my app. I’ll make a note here when I get to the bottom of it.

Weirder and weirder. Clicking the link in my browser submits a POST request(!) but in Chromium does the expected GET request instead.

Javascript error?

The chromium is not grabbing and running all the javascript that runs in browser? And thus the form submission is not being blocked and rerouted via POST?

Oh yes:

global-8383a26….js:1 Uncaught ReferenceError: jQuery is not defined
    at global-8383a26….js:100:

Well that’s gonna be a problem…

Fault was at my end in my choice of development tools; namely Electron.

By default Electron spawns new browser windows with some Node.js libraries already loaded in them. When Twitch’s page tries to load jQuery, jQuery helpfully tries to play along by exporting itself as a Node module rather than a global object. Unfortunately a global object is exactly what Twitch’s JS wanted and it fails to load with jQuery is not defined.

This means that the ‘not you?’ link which uses jQuery to act like a form submit rather than a hyperlink behaves like a link and doesn’t submit the right information to Twitch. Twitch in turn handles this with a Hail Mary redirect to the homepage.

The fix was:

var authWindow = new BrowserWindow({
	webPreferences: {
		nodeIntegration: false

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.