#api-bindings #web #twitch #authorization #oidc #token #fix

app twitch_oidc_fix

Fix twitch OIDC authorization, just a simple api binding

3 releases

0.1.2 Jul 18, 2022
0.1.1 Jul 18, 2022
0.1.0 Jul 18, 2022

#18 in #fix

EUPL-1.2

2.5MB
423 lines

Twitch OIDC Fix

Authentik Single Sign On page

TL;DR: Use Twitch for SSO (Single Sign On) or Generic OIDC Client, just a small bridge/middleware. :)

The Twitch-API can be a harsh place, the developers are not following the OAuth 2.0 Authorization standard (RFC6749) I'm using a SSO application like Keycloak or Authentik, but it was impossible to use the Twitch-API for SSO. One reason is the /token endpoint, the RFC says that the Access Token should contain [scopes](And that's the reason why tools like) (which is a space separated list), but Twitch "is funny enough" to NOT follow the RFC6749 and thinks "we could implement it differently", so the response is an array of strings... T.T \ For fuck's sake ... Imagine there is a standard and your company is fighting against it... T.T

Fixing their API

/authorization

This route is just redirect you to https://id.twitch.tv/oauth2/authorize, but it's removing all scopes which are not supported.
Authentik for example adds the profile and email scope. Which can't be removed and is not working with the Twitch API. So this middleware is getting rid of it and redirects you.

/token

The /token endpoint contains an access_token which contains all the scopes. Because Twitch is not following the RFC6749, the middleware has to convert the string array from Twitch to the space sperarated list.

/userinfo

Same problem as in the /token endpoint, the scopes are causing problems.

Installation

You can set the following environments:

  • RUST_LOG (default: warn)
  • HOST (default: 0.0.0.0)
  • PORT (port: 8080)
  • DEFAULT_CLAIMS_ID_TOKEN (default: picture,preferred_username,updated_at)
  • DEFAULT_CLAIMS_USERINFO (default: picture,preferred_username,updated_at)

The claims can be set in the url query, but you can also set a default value (which will be used, if the query is not used). See Requesting Claims to understand what are the claims for.

Docker

docker run \
    -p 8080:8080 \
    -e RUST_LOG=info \
    -e DEFAULT_CLAIMS_ID_TOKEN="email,email_verified,picture,preferred_username,updated_at" \
    -e DEFAULT_CLAIMS_USERINFO="email,email_verified,picture,preferred_username,updated_at" \
    registry.gitlab.com/kerkmann/twitch_oidc_fix

Docker-compose

twitch_oidc_fix:
  image: registry.gitlab.com/kerkmann/twitch_oidc_fix
  restart: unless-stopped
  ports:
    - 8080:8080
  environment:
    - RUST_LOG=info
    - DEFAULT_CLAIMS_ID_TOKEN=email,email_verified,picture,preferred_username,updated_at
    - DEFAULT_CLAIMS_USERINFO=email,email_verified,picture,preferred_username,updated_at

Build it yourself (binary)

You can build the binary instead:

git clone https://gitlab.com/kerkmann/twitch_oidc_fix
cargo build --release

or build it from crates.io:

cargo install twitch_oidc_fix

Or you just download the binary here

Trademarks

I am not affiliated, associated, authorized, endorsed by, or in any way officially connected with Twitch Interactive, Inc. in USA and/or other countries.

Dependencies

~18–33MB
~550K SLoC