{ status: 400, message: 'Invalid authorization code' } (OAuth authorization code flow)

Hello, it’s me again,

I succeeded in displaying the moderators of a channel on my website:
1/ the user arrives on my landing page
2/ directly, he gets redirected to the Twitch popup asking if he accepts the access to his account
3/ after he has accepted, he gets redirected to my website
4/ the moderators' data appears

BUT I wanted to know if the following behaviour is normal:
5/ if the user goes to another page of the website and comes back to the landing page, the moderators' data doesn't appear anymore

I have the { status: 400, message: 'Invalid authorization code' } error in my backend.
It looks like I’m forced to make the Twitch popup appear every time the user wants to see the data. However, the token is still passed as the code property of the https://id.twitch.tv/oauth2/token request. A token can’t be reused?

You tried to exchange the ?code for a token again

if you are doing the redirect I described here

That may suggest your redirect is not removing the ?code and your code is trying to code exchange again.

Or you are storing the ?code in your session, instead of the resulting token, and trying to exchange the ?code again, rather than just using the access token generated from the code exchange flow

Even if I don’t remove the ?code from the URL, when I reload the page it makes the data disappear. It works the first time, then the https://id.twitch.tv/oauth2/token request doesn’t work anymore, even if there’s the token in the code property

Then you are not storing the access_token in your session in order to reload and use that access_token

Or the user is leaving the site and the cookie is dying in order to reload the session

I think I’m confused between the different names: access_token, code, token… I’ll keep looking

access_token and token are used interchangeably

code is used to exchange for a token / access_token

That resultant access_token is what you store in your session and recall from the session for subsequent requests

First, thank you for the time you’re spending on my issues

OK, my missing part is your last 2 lines, to store the access token in a session…
Do you know if I can find NodeJS implementations/packages for this?

Since I use express I use express-session
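
The behaviour discussed in this thread, as an added example that is not part of the original posts: an authorization code can be exchanged once, so the handler stores the resulting access_token in the session and reuses it on later page loads. The token endpoint is replaced by a constructed in-memory stand-in, and `makeTokenEndpoint`, `naiveHandler`, `sessionHandler`, `runDemo` and the sample code value are hypothetical names; `session` stands for the `req.session` object that express-session provides.

```javascript
// Constructed stand-in for POST https://id.twitch.tv/oauth2/token: each
// authorization code is accepted once, then rejected as in the thread.
function makeTokenEndpoint(validCodes) {
  const unused = new Set(validCodes);
  const endpoint = {
    calls: 0,
    exchange(code) {
      endpoint.calls += 1;
      if (!unused.delete(code)) {
        return { status: 400, message: 'Invalid authorization code' };
      }
      return { status: 200, access_token: 'token-for-' + code };
    },
  };
  return endpoint;
}

// Exchanges ?code on every page load, so the second load gets the 400.
function naiveHandler(endpoint, query) {
  const result = endpoint.exchange(query.code);
  return result.status === 200
    ? { ok: true, token: result.access_token }
    : { ok: false, error: result.message };
}

// `session` plays the role of req.session from express-session.
function sessionHandler(endpoint, query, session) {
  if (session.access_token) {
    // Token already stored: ignore any ?code still in the URL.
    return { ok: true, token: session.access_token };
  }
  if (!query.code) {
    return { ok: false, error: 'login required' }; // restart the authorize redirect
  }
  const result = endpoint.exchange(query.code);
  if (result.status !== 200) {
    return { ok: false, error: result.message };
  }
  session.access_token = result.access_token; // store the token, not the code
  return { ok: true, token: result.access_token };
}

// Same page loaded twice with the same constructed ?code value.
function runDemo(handler) {
  const endpoint = makeTokenEndpoint(['sample-code']);
  const session = {};
  const loads = [1, 2].map(() => handler(endpoint, { code: 'sample-code' }, session));
  return { loads, exchanges: endpoint.calls };
}
```

`runDemo(naiveHandler)` fails on the second load with the error from the thread, while `runDemo(sessionHandler)` serves both loads from a single exchange.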
