Status 401 invalid CSRF token

I’m worried if I’m going to necro old threads so I’m going to make a new one, even though this issue has been appearing for multiple people and I don’t think they are covering my situation.

I’m referring to the old thread in which the user attempted to auth through Python.

I’m using both Firefox and a fresh Chrome install (I heard Firefox users are more prone to this error) to try and run my implicit grant flow auth, and while in the middle of it I get the error mentioned in the title.

I just have a simple HTML page with one button that has users connect to their Twitch account with the following link. I attempted this while on a local server I set up with python3.

https://id.twitch.tv/oauth2/authorize?response_type=token&client_id=${clientId}&redirect_uri=http://localhost:8000&scopes=user%3Aread%3Afollows&response_type=token

I wasn’t sure if response_type was necessary, but I read it in the prior thread so I added it; no difference.

In the documentation, the optional “state” parameter is described as not necessary, but it is the only place that mentions CSRF, which gives me reason to think this is where we plug in the CSRF token. But if we can’t even log into Twitch without the token, are we supposed to log in with another flow before we log in with this flow?

Another thought I had is to use another flow, but I’m not sure if it’ll give me what I am looking for, so I’ll ask anyone who is an expert in the different flows to help with what I’m looking for:

I’m looking for a flow that is User Access since I will be pulling the user’s follow list of streamers that are actively streaming.

  • Implicit seems to fit the bill perfectly since I made a very basic HTML page with a JS backend to embed Twitch streams via manual input of streamer names.
  • Client Credentials Grant isn’t User Access, so pass on this.
  • Auth Code seems like it’s for more than just a simple site like mine, so not really necessary, but I will consider it if other options are preventing the easy way through.
  • Device Code seems like my second option, as I run my page with “limited input capabilities”, but I also ran into a separate issue trying to pull the user_id. I won’t go into too much detail unless this is a better route, in which case I can pursue this path.

Thank you for your time; I appreciate all help. I should also add that I’m still fairly new to the API game. I have been since last year and am still struggling with the wonders of what sort of sorcery APIs require to use.

It’s a can’t-fix; it’s a weird session issue, generally in Firefox, which can usually be solved with a full logout of Twitch and back in again, but sometimes doesn’t.

I tried to enter the auth in Chrome; would that not help? It never asked for a login, it just straight up told me the error and never logged into Twitch on that browser.

If Implicit Grant isn’t viable, is it possible to use one of the other flows that don’t use CSRF? Like Device Code?

They all use CSRF

If the login/logout-of-Twitch trick is not working, then something in your environment could be interfering, such as prefetch, a malfunctioning browser or extension, or the use of a VPN or TOR.

That’s the basic list of things to try, but there’s no concrete fix due to the lack of a reliable repro case.

Ah darn. The lack of mentioning CSRF made me hope for the other options. Interesting how we got other programs to work while we’re in the dark somehow.

Oh, that is also possible. I was running these calls while on my job’s internet and am currently on a hotel wifi. I’ll give it a shot when I go home.
