[Solved] Keycloak for login with twitch: is twitch's oidc auth flow json non-standard?

deef0000dragon1 · August 26, 2020, 5:21am

I am attempting to implement login with twitch using keycloak, and I was wondering if anyone else has successfully used it? I have managed to finally get through most of the flow, but unfortunately keycloak throws an error as it attempts to parse the returned json access/refresh/id tokens. It appears that while twitch uses an array of scope strings in it’s token json, as far as I can tell from looking through the keycloak code base and several other oidc providers, the default appears to be a single space separated string. (oidc auth flow step 4 for the json I am referring to)

Has anyone else encountered this issue implementing login with twitch? Im seeing at least two other posts by @cryptearth here and @gonzalo_lallena here encountering the same issue, however both are using a java library. I’m wondering if this is more a java/library/implementation thing, or more a twitch thing.

edit: keycloak’s access token response object for anyone who wants to take a look

BarryCarlyon · August 26, 2020, 9:19am

This was raised and answered on the GitHub

github.com/twitchdev/issues

oauth2 not possible with google-oauth-java-client

opened 03:48PM - 13 Jul 20 UTC

closed 05:42PM - 20 Aug 20 UTC

n0xena

product: authentication

please see: https://github.com/googleapis/google-oauth-java-client/issues/487 p…ossible cause of issue: token endpoint return scopes as array with single space separated string ``` "scope": ["scopes"] ``` but google-oauth-lib actually expects just space separated string without the array brackets around it ``` "scope": "scopes" ``` don't know if root cause of issue is caused by bad json implementation in googles lib or on twitch reply

Thanks for your feedback regarding the scope format. While we strive to follow RFCs as closely as possible, occasionally deviations do occur. Changing our scope value from an array to a space-separated string would be a significant breaking change for existing applications. Making this change to be inline with the RFC does not outweigh the disruption it will cause, so we will not be updating the format in the current implementation. This may be something to consider in a future implementation, but as there is no action at this time, this issue will be closed.

deef0000dragon1 · August 26, 2020, 2:57pm

I was not aware (or forgot, one of the two) that resource existed. Cool.

As to the response, I am not surprised that it cant be changed for compatibility reasons. (Though I did post a reply asking if it could be bodged.) I am surprised that it existed as a problem in the first place, but this thread really isn’t the place to go bemoaning twitch’s API life-cycle.

Thanks for the quick reply.

deef0000dragon1 · September 8, 2020, 2:24am

For anyone who finds this in the future running into the same problem, I have written a small service that can act as an in-between and will mutate the responses returned by twitch to something that keycloak can read.
The github repo is avaliable here and the standalone docker container is streemtech/twitchfix

system · October 8, 2020, 2:24am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.