Refresh token calls do not work because they call the wrong URL

[echosa]

I couldn't figure out why refresh token calls were always failing. It turns out that refresh token calls are supposed to be called from id.twitch.tv, not api.twitch.tv, according to the documentation.

[echosa]

@nicklaw5 I'll see about fixing this and submit a PR.

[echosa]

Actually, as it turns out, all the calls need to be updated. api.twitch.tv/kraken is already deprecated, and set to be discontinued at the end of the year. Yikes. I'll see if I can get the library updated.

https://dev.twitch.tv/docs/v5/#which-api-version-can-you-use

[nicklaw5]

Thanks for raising this, I was unaware of the new authentication endpoint.

According to the docs, the Kraken endpoint should still work:

The domain dedicated to Twitch authentication is https://id.twitch.tv. (Previous visitors of this page will note that URLs were updated, to replace https://api.twitch.tv/kraken with https://id.twitch.tv. Code that uses the old, kraken domain for Twitch authentication will continue to work until the end of 2018, when we remove Twitch API v5 functionality. Twitch API v5 is currently deprecated.)

When you say

I couldn't figure out why refresh token calls were always failing.

what error are you receiving?

[echosa]

Bad Request

I've been working with a Twitch developer. While initial authorization calls work with api.twitch.tv, refresh and revoke apparently require id.twitch.tv. So that, at minimum, needs to change. That said, with the discontinuation of Kraken this year, this library needs to be updated to Helix and the New Twitch API.

[nicklaw5]

Yes, it appears their docs have become extremely confusing of late. Just looking at them now it seems they have many misleading statements.

I'm working on a fix now. I'll create a PR for you to test if you don't mind?

[echosa]

I'd be happy to test. Will this just fix refresh/revoke, or will it be a full conversion to the new API? The former is much more pressing, as that is code I currently have running that's failing. The latter is an effort that needs to be done this year, preferably sooner rather than later.

[nicklaw5]

I'm going to fix the current issue with refresh/revoke. The new Helix implementation will likely be done in a separate repository. The problem with the new Helix API is that Twitch hasn't finished it yet, and it lacks a lot of endpoints that the Kraken API has. I hope they get it done sooner than later.

[echosa]

I felt the same way. However, I've been told that not all Kraken endpoint will make it into Helix. If there are any missing that you need, you should report them somewhere. That said, it seems as though Twitch is treating the New Twitch API as the the de facto standard now, especially since v5/kraken has been deprecated for over half a year. Basically, we should consider the new API/helix as complete/done and switch to it ASAP.

If you're starting a new repo, let me know. I had forked this one with the thought of changing this one over to new api/helix, but obviously that won't happen if the new api will be implemented in a new project in it's own repository.

[nicklaw5]

@echosa see #16. I haven't tested it, but it should work.

I also added the missing revokeToken method.

[nicklaw5]

@echosa This does not appear to be a bug in this library. The Kraken API OAuth2 endpoints appear to be working as expected. It may be that the Kraken API is deprecated but the endpoints still work as documented, and should continue to do so until the it is removed later this year.

From my testing I've been able to create an access token, as well as refresh and revoke it using https://api.twitch.tv/kraken as the endpoint - which is what is explained in the docs when they say:

The domain dedicated to Twitch authentication is https://id.twitch.tv. (Previous visitors of this page will note that URLs were updated, to replace https://api.twitch.tv/kraken with https://id.twitch.tv. Code that uses the old, kraken domain for Twitch authentication will continue to work until the end of 2018, when we remove Twitch API v5 functionality. Twitch API v5 is currently deprecated.)

[nicklaw5]

I've also added the revokeAccess method and cut a new release (v1.1). Please update your composer dependencies to use it.

[echosa]

I'll try the new version. Refresh token hasn't been working for me at all with kraken, so if you haven't made any changes to that, I'm not sure if it will work now. Can you send me the code you used to refresh a token with this library? Perhaps I've done something wrong on my end.

[nicklaw5]

Here's the code I used to test:

<?php

require __DIR__ . '/vendor/autoload.php';

$twitch = new \TwitchApi\TwitchApi([
    'client_id' => 'your-client-id',
    'client_secret' => 'your-client-secret',
    'redirect_uri' => 'http://localhost:8888/auth/callback', // <- replace with your own callback URL
]);

// Use this to generate the auth URL to retreive the auth code
// var_dump($twitch->getAuthenticationUrl());
// exit;

$code = 'your-auth-code'; // <- place the code you got from the redirect URL here

$accessCredentials = $twitch->getAccessCredentials($code);
var_dump($accessCredentials);

$root = $twitch->validateAccessToken($accessCredentials['access_token']);
var_dump($root);

if (!$root['token']['valid']) {
    print('Invalid token. Exiting....');
    exit;
}

$refresh = $twitch->refreshToken($accessCredentials['refresh_token']);
var_dump($refresh);

$revoke = $twitch->revokeToken($refresh['access_token']);
var_dump($revoke);

if ($revoke['status'] !== 'ok') {
    print('Failed to revoke access token. Exiting...');
    exit;
}

print('Everything\'s working :)');
exit;

[echosa]

Thanks. I got it working now. The issue wasn't the api calls themselves. Rather, my refresh codes were getting truncated when stored, thus they were invalid. 🙄 Thanks for the help and the work. I still think the library should move to the New Twitch API sooner rather than later, and I'm happy to help if I can, since I use and depend on the library. Hopefully you can find time to start that project soon (you mentioned a new repo for it), and when you do, please let me know you and did and how I can help.

[echosa]

Closing because my issue is solved.