Authentication with Twitch throws error with scope field in id token #413

42LinesOfCode · 2025-01-22T19:24:21Z

42LinesOfCode
Jan 22, 2025

Hi,

I'm experimenting with Twitch as issuer and tried to setup the auth code flow according to phx_gen_oidcc.

I was always getting an the error {:invalid_property, {:scope, ["openid"]}}
As I wrote test code to better understand the flow better by hand and got that working successfully, I had a pretty good understanding that the configuration, callbacks, etc were correctly setup.

After a couple of hours of inspecting the code (I don't know much about Erlang), I found the error in oidcc_token.erl

extract_scope(TokenMap, Opts) ->
    Scopes = maps:get(scope, Opts, []),
    case maps:get(<<"scope">>, TokenMap, oidcc_scope:scopes_to_bin(Scopes)) of
        ScopeBinary when is_binary(ScopeBinary) ->
            {ok, oidcc_scope:parse(ScopeBinary)};
        ScopeOther ->
            {error, {invalid_property, {scope, ScopeOther}}}
    end.

I suspected that twitch sends non conforming tokens back: i.e. the scope field is not supposed to be send as an array(?). So I added another case into the function:

extract_scope(TokenMap, Opts) ->
    Scopes = maps:get(scope, Opts, []),
    case maps:get(<<"scope">>, TokenMap, oidcc_scope:scopes_to_bin(Scopes)) of
        ScopeBinary when is_binary(ScopeBinary) ->
            {ok, oidcc_scope:parse(ScopeBinary)};
        ScopeList when is_list(ScopeList) ->
            {ok, ScopeList};
        ScopeOther ->
            {error, {invalid_property, {scope, ScopeOther}}}
    end.

And it worked. I should've probably used scopes_to_bin but this was just a quick way to try to make it work.

Is this an issue on Twitch's end? Wouldn't be the first thing, they do "differently".
And is there anything I can do outside of this "hack"? Or did I do something horribly wrong?

oidcc version

3.26

Elixir version

1.18.1-otp-27

Answered by maennchen

Jan 22, 2025

I think this is an error on the Twitch side. This lib is following RFC 8693:

4.2. "scope" (Scopes) Claim

The value of the scope claim is a JSON string containing a space-separated list of scopes associated with the token, in the format described in Section 3.3 of [RFC6749].

However: This is not formally specified inside the OpenID Specification and apparently Apple also does this.

A PR with your change (including a comment to explain why and a small test) would be welcome.

View full answer

maennchen · 2025-01-22T19:38:05Z

maennchen
Jan 22, 2025
Maintainer

I think this is an error on the Twitch side. This lib is following RFC 8693:

4.2. "scope" (Scopes) Claim

The value of the scope claim is a JSON string containing a space-separated list of scopes associated with the token, in the format described in Section 3.3 of [RFC6749].

However: This is not formally specified inside the OpenID Specification and apparently Apple also does this.

A PR with your change (including a comment to explain why and a small test) would be welcome.

1 reply

maennchen Sep 3, 2025
Maintainer

Fix implemented in #469

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Authentication with Twitch throws error with scope field in id token #413

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Authentication with Twitch throws error with scope field in id token #413

Uh oh!

Uh oh!

42LinesOfCode Jan 22, 2025

oidcc version

Elixir version

Replies: 1 comment · 1 reply

Uh oh!

maennchen Jan 22, 2025 Maintainer

Uh oh!

maennchen Sep 3, 2025 Maintainer

42LinesOfCode
Jan 22, 2025

Replies: 1 comment 1 reply

maennchen
Jan 22, 2025
Maintainer

maennchen Sep 3, 2025
Maintainer