Why is Twitch OAuth redirecting to a link with query strings separated by ‘#’?

Question

I am creating a user login with the OAuth. Everything seems to work fine but Twitch redirect URI is messed up by the # where ? has to be.

My redirect URI:

https://localhost:7681/authorize

URI Twitch redirects to:

https://localhost:7681/authorize#access_token=43r99nhmxhvpckr4zrtb0sbx1q6tdg&scope=user%3Aread%3Aemail&state=%24%7Bdata.uid%7D&token_type=bearer

I already tried adding a trailing slash, nothing changed.

Did someone else encounter such behavior?

Answer 1

you requested a token for type token instead of a token of type code

token aka Implicit Auth is for client side apps and will generte and return a access token via location hash

https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#implicit-grant-flow

“Normal” oAuth, aka " Authorization code grant" will return a ?code that is to be exchanged for an access token.

https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#authorization-code-grant-flow

Essentially your <a href triggered the wrong token flow

Additionally you should never post generated access tokens publically. Since someone can take it and abuse it or just revoke it. Or in this case acquire your private email address.

https://discuss.dev.twitch.tv/t/why-is-twitch-oauth-redirecting-to-a-link-with-query-strings-separated-by/37976/2