Open brazelja opened 1 year ago
Thanks, I looked into this. The reason it was a bit cryptic is that Twitch does not conform to the error response spec defined at: https://www.rfc-editor.org/rfc/rfc6749#section-5.2
It should return `error` and optionally `error_description`, not `{status: 400, message: string}`.
So we could not detect the exact issue to show you.
I also noticed at https://id.twitch.tv/oauth2/.well-known/openid-configuration that Twitch only supports `client_secret_post` as `token_endpoint_auth_method`, and the default is `client_secret_basic`, hence it did not recognize the `client_id` being sent.
The fix is easy, we need to add `client: { token_endpoint_auth_method: "client_secret_post" }` to the default Twitch config (you can do this in your code for now to overcome the issue).
~I'll investigate if we could automatically detect if a provider only supports this method and use that instead, by reading the discovery endpoint data.~ Not a good idea after all, configuring per-provider is the way to do it.
Fixing the above raises a new issue though, as Twitch also makes a second mistake by returning `scope` as an array (`scope: [ 'openid', 'user:read:email' ]`, based on the default config https://github.com/nextauthjs/next-auth/blob/4056dafa7a9a4542b6c86e044cd96c4d7655503c/packages/core/src/providers/twitch.ts#L20) in the successful response, which again does not conform to the spec. (See 5.1 Successful Response, 3.3 Access Token Scope).
This requires special handling for Twitch, which is unfortunate, and I would like to avoid it at all costs. Ideally, we could force Twitch to fix this on their side, I'll try my best to reach out and see what happens.
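The two spec deviations discussed above (the token endpoint auth method and the array-valued `scope`) are easier to see with a small worked example. The following is an added illustration, not Auth.js/next-auth code: it builds the token request both ways per RFC 6749 §2.3.1, checks the wanted method against a discovery document, and normalizes a token response into the §5.1/§5.2 shape. All names (`buildTokenRequest`, `supportedAuthMethod`, `normalizeTokenResponse`) and the placeholder credentials are constructed for this example, and the fallback `error` code used when a provider returns no spec error is a choice made here, not something the spec or Twitch prescribe.

```javascript
// Added example (not Auth.js project code). Credentials and discovery data
// below are constructed placeholders.

// Build the token request per RFC 6749 §2.3.1 for the two auth methods.
function buildTokenRequest(method, { clientId, clientSecret, code, redirectUri }) {
  const params = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
  });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (method === "client_secret_basic") {
    // Credentials travel in the Authorization header; the body carries no
    // client_id, which is exactly what a post-only provider trips over.
    const creds = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
    headers.Authorization = `Basic ${creds}`;
  } else if (method === "client_secret_post") {
    // Credentials travel in the form body.
    params.set("client_id", clientId);
    params.set("client_secret", clientSecret);
  } else {
    throw new Error(`unsupported token_endpoint_auth_method: ${method}`);
  }
  return { headers, body: params.toString() };
}

// Check a wanted method against the discovery document's advertised list.
// Per the discovery spec, an absent list means only client_secret_basic.
function supportedAuthMethod(discovery, wanted) {
  const supported = discovery.token_endpoint_auth_methods_supported ?? ["client_secret_basic"];
  return supported.includes(wanted);
}

// Normalize a token endpoint response into RFC 6749 §5.1 / §5.2 shape.
function normalizeTokenResponse(httpStatus, json) {
  if (httpStatus >= 400) {
    if (typeof json.error === "string") {
      // Spec-conforming error: { error, error_description? }
      return { ok: false, error: json.error, error_description: json.error_description };
    }
    // Non-conforming error such as { status: 400, message: "..." }: no spec
    // error code is available, so "invalid_request" is the fallback chosen here.
    return {
      ok: false,
      error: "invalid_request",
      error_description: json.message ?? `HTTP ${httpStatus}`,
    };
  }
  const out = { ok: true, ...json };
  // §3.3: scope is a space-delimited string; collapse an array into one.
  if (Array.isArray(json.scope)) out.scope = json.scope.join(" ");
  return out;
}

// Constructed sample run: a discovery document that only lists
// client_secret_post, as the Twitch one does.
const sampleDiscovery = { token_endpoint_auth_methods_supported: ["client_secret_post"] };
const method = supportedAuthMethod(sampleDiscovery, "client_secret_basic")
  ? "client_secret_basic"
  : "client_secret_post";
const sampleRequest = buildTokenRequest(method, {
  clientId: "example-client-id",
  clientSecret: "example-client-secret",
  code: "example-code",
  redirectUri: "https://example.test/auth/callback/twitch",
});
console.log(method, sampleRequest.body);
console.log(normalizeTokenResponse(200, { access_token: "t", token_type: "bearer", scope: ["openid", "user:read:email"] }));
console.log(normalizeTokenResponse(400, { status: 400, message: "missing client id" }));
```

The point of `supportedAuthMethod` is the one raised above: a client that defaults to `client_secret_basic` never puts `client_id` in the body, so a provider that only reads the body reports a missing client id even though the credential was sent. Normalizing the response shape is what would let a library surface the provider's real message instead of a cryptic failure.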
Thanks for the swift reply. I'll test out your recommendation this evening and post back here the results.
Confirmed that `client: { token_endpoint_auth_method: "client_secret_post" }` progresses you past the "Missing client id" message to then hit the scope format error.
No
Provider type
Twitch
Environment
System:
Binaries:
Packages:
Reproduction URL
https://authjs.dev/reference/oauth-providers/twitch
Describe the issue
I am using `@auth/sveltekit` and attempting to add Twitch and Discord login options. I followed the documentation pages for each and have them set up like so:
Using the demo project setup described [here](https://authjs.dev/reference/sveltekit/modules/main) but replacing GitHub with Twitch/Discord I was able to get the project up and running. Logging in with Discord works perfectly fine, but when I attempt to log in with Twitch I get:
This is despite using the Provider as is and not manipulating it in any way. Digging deeper into the `@auth/core` code I narrowed down the error to https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/oauth/callback.ts#L107. Logging out the response of the `authorizationCodeGrantRequest` call shows `{ status: 400, message: 'missing client id' }`, despite `client_id` being present when passed to the `Twitch` provider and confirmed by logging out the `client` object that is passed to `authorizationCodeGrantRequest`, which was in the format:
This error completely prevents users of my application from logging in with Twitch.
How to reproduce
Steps to reproduce are described above.
Roughly:
/auth/callback/twitch
Expected behavior
Ideally the Twitch provider should let users authenticate with an application via Twitch without error.