Implementing twitch OIDC flow gives No access_token from server

I am trying to set up the Twitch login to make sure that I understand the process, but I am getting a rather strange error. After getting redirected to the Twitch login page, and then back to my page

<ip>:8080/auth/realms/test/broker/twitch/endpoint?code=k2x~&scope=openid&state=t5p~~~.~.account

I get the following error.

Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.

along with error=identity_provider_login_failure in one of the trace lines.

When I run the token POST in Postman with the values based on the URI I got redirected to in the browser, and my secrets, I get the following response, so I know that the endpoints are up.

{
    "access_token": "9pj~",
    "expires_in": 14101,
    "id_token": "eyJ~.eyJ~.Rn4~",
    "nonce": "pGA~",
    "refresh_token": "gm~",
    "scope": [
        "openid"
    ],
    "token_type": "bearer"
}

I'm not really sure what's failing. Am I missing something stupid, or is Twitch doing things just slightly differently enough again to break Keycloak? If it's a config problem, I'd be happy to post my config, but I'd rather not unless necessary.

Twitch Docs on how they do OIDC Auth flow if anyone wants to take a look.

I had the client authentication set to the wrong value (though figuring out what value to set was difficult). For future reference:
Client Authentication: Client Secret Sent As Post
Auth URL: https://id.twitch.tv/oauth2/authorize
Token URL: https://id.twitch.tv/oauth2/token

Unfortunately, I am now encountering

keycloak_1       |03:32:17,021 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-3) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not decode access token response.

Which I expect to be a result of the access_token being in JSON, but I need to do more research to confirm.

And I think I found what I am looking for. It appears that Twitch DOES indeed do things differently. The expected value for scopes is a string, as defined in the code here; however, Twitch has decided to return an array of scope strings instead of space-delimited scope strings.

I found the issue raised on GitHub for Twitch. It appears that Twitch has decided to loosely follow the RFC, and unfortunately they have opted not to fix the issue as it would break previous integrations. From the Keycloak side, is there any potential workaround?

For anyone who finds this in the future running into the same problem, I have written a small service that can act as an in-between and will mutate the responses returned by Twitch to something that Keycloak can read.
The GitHub repo is available here and the standalone Docker container is streemtech/twitchfix.

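As an added illustration of the workaround described in the thread (the scope-array mismatch and the in-between service), here is a minimal token-endpoint proxy in Python. It is example code written for this page, not the streemtech/twitchfix project's own code. It assumes Keycloak's Token URL is pointed at this proxy (listening on a hypothetical local port 8089) and that the proxy forwards the form POST unchanged to the Twitch token endpoint from the thread, then rewrites a JSON-array `scope` into the space-delimited string Keycloak expects (RFC 6749 section 3.3). The sample response used in `main()` is constructed, with placeholder token values.

```python
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Token URL quoted in the thread; Keycloak is repointed at this proxy instead.
UPSTREAM_TOKEN_URL = "https://id.twitch.tv/oauth2/token"
LISTEN_ADDR = ("127.0.0.1", 8089)  # assumption: local port only Keycloak reaches

# Constructed sample mirroring the shape of the response in the thread,
# with placeholder values instead of real tokens.
CONSTRUCTED_TWITCH_RESPONSE = {
    "access_token": "PLACEHOLDER_ACCESS_TOKEN",
    "expires_in": 14101,
    "id_token": "PLACEHOLDER.ID.TOKEN",
    "nonce": "PLACEHOLDER_NONCE",
    "refresh_token": "PLACEHOLDER_REFRESH_TOKEN",
    "scope": ["openid"],
    "token_type": "bearer",
}


def normalize_token_fields(data: dict) -> dict:
    """Return a copy of a token response with `scope` as a space-delimited
    string. A scope that is already a string, or absent, is left untouched.
    Non-string array entries are rejected rather than silently coerced."""
    out = dict(data)
    scope = out.get("scope")
    if isinstance(scope, list):
        if not all(isinstance(s, str) for s in scope):
            raise ValueError("scope array contains non-string entries")
        out["scope"] = " ".join(scope)
    return out


def normalize_token_response(body: bytes) -> bytes:
    """Byte-level wrapper: parse the upstream JSON body and re-serialize it
    with the normalized scope field."""
    return json.dumps(normalize_token_fields(json.loads(body))).encode()


class TokenFixHandler(BaseHTTPRequestHandler):
    """Forward the token POST to the upstream endpoint and rewrite a
    successful response; error responses pass through unchanged so Keycloak
    still sees the real upstream status and error body."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = self.rfile.read(length)
        upstream = request.Request(
            UPSTREAM_TOKEN_URL,
            data=form,
            method="POST",
            headers={
                "Content-Type": self.headers.get(
                    "Content-Type", "application/x-www-form-urlencoded"),
                "Accept": "application/json",
            },
        )
        try:
            with request.urlopen(upstream, timeout=10) as resp:
                status, body = resp.status, resp.read()
        except error.HTTPError as e:
            status, body = e.code, e.read()

        if status == 200:
            body = normalize_token_response(body)

        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def main() -> None:
    # Show the rewrite on the constructed sample, then serve if asked to.
    fixed = normalize_token_fields(CONSTRUCTED_TWITCH_RESPONSE)
    print("scope before:", CONSTRUCTED_TWITCH_RESPONSE["scope"])
    print("scope after: ", repr(fixed["scope"]))
    if "--serve" in sys.argv:
        print(f"proxying {UPSTREAM_TOKEN_URL} on {LISTEN_ADDR}")
        HTTPServer(LISTEN_ADDR, TokenFixHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Because the thread's working configuration is "Client Secret Sent As Post", the client secret travels in the forwarded form body, so the proxy should only be reachable from the Keycloak host (hence the loopback bind above) and should log nothing from the request body. Only `200` responses are rewritten; an upstream `4xx` is passed through so Keycloak's identity-provider error reporting still reflects what Twitch actually returned.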