Open richardmtheobald opened 3 years ago
The issue seems to be a double redirect with the same code and state if you click the continue button.
If I had to guess, the scheduled redirect by the auto redirect doesn't get cancelled properly somehow and that leads to this double redirect, although it's still weird that this happens.
I can reproduce this reliably
I've also observed this screen.
But usually before I've had a thought to hit continue, I've been redirected to my site. It's normally pretty quick.
Screenshot of the offending screen!
I've seen this screen before, and not had issues with hitting continue. I can't reproduce it right now though.
Also seeing this.
Reproduction Videos:
Success without clicking: https://cdn.syzuna-programs.de/images/j82ZBMLkbp.mp4
Failed with clicking: https://cdn.syzuna-programs.de/images/g5tsgP77Ht.mp4
The invalid state error in the video is just my server seeing the same state for an auth request id twice and killing the flow at that point. Others would see an invalid code error from Twitch as their server tries to redeem the same code a second time.
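Added example, not part of the thread and not Twitch's or any commenter's code: one way a callback handler can tolerate the double redirect described above, by consuming `state` once and treating a repeat of the same `state` and `code` from the same session as a no-op instead of redeeming the code again. The class name, the `redeem_code` callable, the in-memory store and the TTL are all assumptions made for illustration.

```python
import hmac
import secrets
import time

STATE_TTL = 600  # seconds an authorization request stays valid (assumed value)


def _eq(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())


class AuthRequests:
    """Tracks OAuth `state` per browser session (in-memory, illustrative only)."""

    def __init__(self, redeem_code):
        self._redeem = redeem_code  # callable(code) -> token, hypothetical
        self._pending = {}          # state -> (session_id, created_at)
        self._done = {}             # state -> (session_id, code); expire in real use

    def start(self, session_id):
        state = secrets.token_urlsafe(32)
        self._pending[state] = (session_id, time.monotonic())
        return state

    def callback(self, session_id, state, code):
        """Return (status, token); status is 'ok', 'duplicate' or 'rejected'."""
        done = self._done.get(state)
        if done is not None:
            # Same session delivering the same code again (double redirect):
            # do not redeem twice and do not tear down the finished login.
            if _eq(done[0], session_id) and _eq(done[1], code):
                return ("duplicate", None)
            return ("rejected", None)
        pending = self._pending.pop(state, None)  # single use
        if pending is None:
            return ("rejected", None)             # unknown or forged state
        owner, created = pending
        if not _eq(owner, session_id):
            return ("rejected", None)             # state issued to another session
        if time.monotonic() - created > STATE_TTL:
            return ("rejected", None)             # stale authorization request
        # Record before redeeming so a racing second callback sees 'duplicate'.
        self._done[state] = (session_id, code)
        return ("ok", self._redeem(code))
```

On `duplicate` the handler can send the browser to the same post-login page as the first request; every other mismatch still fails closed.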
Also seeing this. Can reproduce it easily as well.
The team that owns the authentication flow is aware of this double redirect issue due to clicking the "Continue" button. They will evaluate how to best mitigate the issue (e.g. remove the button, change the text to indicate only clicking if the browser doesn't redirect, etc) and we'll follow up on this post.
Hi, besides the continue button there is also a text that says "Redirecting you automatically, click here if your browser not redirect you." At the very start of the oAuth flow that produces the same bug as the continue button.
This text is only visible for users with slow connections, you can use the "Slow 3G" mode in Google Chrome to get it to show up.
"Redirecting you automatically, click here if your browser not redirect you."
This is the new text, instead of the "continue" button.
At the very start of the oAuth flow that produces the same bug as the continue button.
Users should only click if not redirected. So it should be more clear to the user not to press the link, unless they actually don't get redirected.... Hopefully....
This "new flow" is causing this:
In Firefox when you click "accept" on the oAuth dialog that pops up when installing/activating an extension and accepting/authing/allowing the subscribers scope.
Rather than the window auto closing after the oAuth is complete it shuts the flow down completely.
Firefox latest (94.0.1)
Reproduction video: https://cdn.syzuna-programs.de/images/rl9DtnZIy3.mp4
If you dismiss that screen and try again it runs into a loading loop: https://cdn.syzuna-programs.de/images/WmVDDQxkG8.mp4
Subscription related extensions will have an infinite loading screen on activate
I can confirm this is still happening on Firefox
Bump - Still happening on Firefox and blocking activations of our extension.
This "new flow" is causing this:
In Firefox when you click "accept" on the oAuth dialog that pops up when installing/activating an extension and accepting/authing/allowing the subscribers scope.
Rather than the window auto closing after the oAuth is complete it shuts the flow down completely.
Firefox latest (94.0.1)
Subscription related extensions will have an infinite loading screen on activate
I was able to reproduce these exact two issues on Mobile when installing a Sub-Enabled Extension. Mobile Google Chrome v 97
Also happens when trying to change the panel of an already active extension. (Firefox 98.0.1)
The loading of “https://www.twitch.tv/extensions/oauth-redirect#access_token=xxxxxxxxx&scope=channel%3Aread%3Asubscriptions&token_type=bearer” in a frame is denied by “X-Frame-Options“ directive set to “SAMEORIGIN“
I am now receiving reports from extension users of this happening in Chrome and Safari, not just Firefox. Any updates on this issue @jbulava?
I'm unable to replicate this in chrome. (Thought I'd go spot check, but it's all good for me in chrome)
It works for me too, but I have screenshots from users using Chrome, Firefox and Safari getting stuck on this auth modal.
Happy belated birthday to this bug! Surely no one uses Firefox so who cares right?
Happy belated birthday to this bug! Surely no one uses Firefox so who cares right?
🤬
Just had a user experience this on Safari iOS ... https://discord.com/channels/183961840928292865/1057403456341672066
Still present today :-(
With the old x-frame-options issue
Cannot confirm if this is the same issue, but this is for sure happening on Chrome and Edge for users, including myself currently. Still investigating if this is the same bug or something new. But the same sort of issue.
Edit:
Different bug, looks like the flow is trying to direct the user to localhost.rig.twitch.tv:8080 which isn't going to work.
You'll get the same message if the url specified in the redirect_uri is not in the allowed redirects on the console @jaku
For browsers that are not Firefox and for Extension Activation:
The temporary solution, until Twitch bypass trusts itself, is to add https://www.twitch.tv/extensions/oauth-redirect as a redirect URI to your Extension Settings -> OAuth Redirect URL list
The above affecting all is fixed but the general issue for Firefox is still present.
Today it's reported as a NS_ERROR_XFO_VIOLATION
Ticketed internally as COCO-638
Ticketed internally as IDPLAT-8650
Brief description
How to reproduce
The new oAuth process creates a page with a box that says "You are about to leave Twitch." and a Continue button. If you click the Continue button, oAuth fails.