twitchdev / issues

Issue tracker for third party developers.
Apache License 2.0
73 stars 6 forks source link

Incorrect response when trying to obtain access token in device code grant flow #975

Open ghost opened 3 months ago

ghost commented 3 months ago

Brief description I'm trying to authenticate using this Go library. Authentication fails when I enter user code in the browser. It seems like /token endpoint doesn't follow this spec and produces wrong JSON.

How to reproduce

package main

import (
    "context"
    "fmt"

    "golang.org/x/oauth2"
)

func main() {
    config := oauth2.Config{
        ClientID:     "insert_your_client_id",
        ClientSecret: "",
        Scopes:       []string{"user:read:chat", "user:write:chat"},
        Endpoint: oauth2.Endpoint{
            AuthURL:       "https://id.twitch.tv/oauth2/authorize",
            DeviceAuthURL: "https://id.twitch.tv/oauth2/device",
            TokenURL:      "https://id.twitch.tv/oauth2/token",
        },
    }

    ctx := context.Background()
    response, err := config.DeviceAuth(ctx)
    if err != nil {
        panic(err)
    }

    fmt.Printf("please enter code %s at %s\n", response.UserCode, response.VerificationURI)
    token, err := config.DeviceAccessToken(ctx, response)
    if err != nil {
        panic(err)
    }
    fmt.Println(token)
}

Expected behavior When trying to obtain access token before user entered the code, /token endpoint should produce this JSON:

{
    "error": "authorization_pending"
}

status field shouldn't be there and message should be called error.

iProdigy commented 3 months ago

I also had to add a special case to my library for that rfc deviation: https://github.com/PhilippHeuer/credential-manager/blob/02ce8e38d47ca8762a6d8a21a80e00490ba875b0/src/main/java/com/github/philippheuer/credentialmanager/identityprovider/OAuth2IdentityProvider.java#L277

Would be best to keep the existing fields but add the error field (to maintain backwards compatibility at the expense of duplicated data)