Bad auth token

[ikonkere]

As of today i get this response trying to download a VOD:

Contacting Twitch Server

tokenAPILink: https://api.twitch.tv/api/vods/509622116/access_token?&client_id=aokchnui2n8q38g0vezl9hq6htzy4c

Sig: <nil>, Token: <nil>

usherAPILink: http://usher.twitch.tv/vod/509622116?nauthsig=&nauth=&allow_source=true

Usher API response:

<table border="1"><tr><td><b>url</b></td><td>/vod/509622116?nauthsig=&lt;nil&gt;&amp;nauth=&lt;nil&gt;&amp;allow_source=true</td></tr>
<tr><td><b>error_code</b></td><td>nauth_sig_invalid</td></tr>
<tr><td><b>type</b></td><td>error</td></tr>
<tr><td><b>error</b></td><td>Bad auth token</td></tr></table>

map[]

Have you (or Twitch) changed the way auth works?

[ikonkere]

If i go to https://api.twitch.tv/api/vods/509622116/access_token?&client_id=aokchnui2n8q38g0vezl9hq6htzy4c it says

{"error":"Gone","status":410,"message":"this API has been removed."}

Ah, it might be the same as https://github.com/ArneVogel/concat/issues/59, so i;ll wait for a few hours to see if this goes away.

[jtguibas]

Use Twitch.tv's client ID from their website--it will work.

[ikonkere]

What does that even mean? client_id is hardcoded by the author, he should change it if it doesn't work.

And it still doesn't work, which has most likely to do with removal of the old API: https://dev.twitch.tv/docs/authentication#sending-user-access-and-app-access-tokens

[jtguibas]

Apparently, Twitch has stopped supporting this end point for 3rd-party client ids. You need to steal Twitch’s client if you want to use this endpoint.

On Tue, Nov 19, 2019 at 10:10 PM Yog-Sothoth notifications@github.com wrote:

What does that even mean? client_id is hardcoded by the author, he should change it if it doesn't work. And it still doesn't work.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/ArneVogel/concat/issues/61?email_source=notifications&email_token=AGEK43O3W4GPFLXPWXCIZGDQUTIE5A5CNFSM4JPGNUS2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEEQ2ZLY#issuecomment-555855023, or unsubscribe https://github.com/notifications/unsubscribe-auth/AGEK43J5ZDYFWULYYKVOMSDQUTIE5ANCNFSM4JPGNUSQ

[ikonkere]

I don't think so. The docs imply they just changed the way authentication works, vod-secure.twitch.tv URLs with stream content are still available, even without any access tokens.

[jtguibas]

You're totally right about this. I'm just relaying the information from other Twitch apps that are facing the same problem. Someone at Twitch seems to be playing around with the levers concerning permissions between first-party and third-party client IDs. api.twitch.tv/api/ endpoints aren't actually meant to be used by 3rd-party people, these endpoints have historically just been discovered by people.

[ikonkere]

these endpoints have historically just been discovered by people.

Hehe, these inventive people.

As far as i've investigated without touching the code, Usher API also works, so we need to just adapt to the new id.twitch.tv (https://dev.twitch.tv/docs/authentication) authentication API.

[ArneVogel]

You can now use specify your own client-id with the -client-id flag. With this I didnt encounter any problems. The flag is introduced in v0.3.0

[DPTJKKVH]

@ArneVogel I get the exact same Auth Token like you did in your guide. (second screenshot)

Call me crazy but I'd say that this Auth Token is not personalized but a static Token everyone gets who is not logged into Twitch.

Can someone else please confirm? If so the (new?) Auth Token could simply be hard coded into concat.

[ikonkere]

Same for me.

But i can confirm that hardcoding kimne78kx3ncx6brgo4mv6wki5h1ko to https://github.com/ArneVogel/concat/blob/b48d682a270f2f050f19542e6791fd4053df8e82/main.go#L46 fixes the issue even in the old codebase that i forked 1.5 years ago.

[ikonkere]

It should be said that @ArneVogel must think about migrating to new API anyway ;).

[ArneVogel]

@DPTJKKVH I thought about that but I dont know how long that id is valid. I dont want to create a new release for every new id. Thats why I added the option to pass it as command line argument.

@ikonkere I am not using concat myself any longer so I dont plan on migrating to the new API before the current fix doesnt work any longer.

[ikonkere]

@ArneVogel unfortunate, but i guess it will have to do for now.

[DPTJKKVH]

@ArneVogel I understand, especially if it changes every couple of weeks.

A suggestion: How if you mark this as an possible inclusion for the next release (whenever it will come). If the API key didn't change until then it should be reasonable to assume that it won't change very often.

Either way it wouldn't be a big deal for everyone using Concat since (simply by being a terminal application) this project does not target very casual users.

PS: Thank you very much for still supporting this project even though you don't use it yourself anymore. This is very kind of you!

[ikonkere]

@DPTJKKVH OAuth 2.0 specification suggests that a clientId never changes unless a client gets removed (and when it happens, especially on an API considered public, - that's a big deal). Before several days ago i actually thought concat had its own exclusive clientId issued via Twitch API (because that's kinda what Twitch docs suggest and also the correct way to use OIDC).

The real correct way to fix this issue for good will be migrating to new Twitch API and registering concat as a legitimate Twitch 3rd-party application. Which in turn means that with current settings at most 160 people will be able to use concat simultaneously because rate limits (https://dev.twitch.tv/docs/api/guide#rate-limits) exist for all kinds of valid reasons.