The "This extension can view my subscriptions list." toggle, (in Manage Extension Permissions) doesn't do a check to see if the channel that the extension is installed upon, is eligible for Subscriptions at all.

Wording should/could be changed to prevent broadcasters of type BLANK (as apposed to affiliate/partner), becoming confused.

As they'll click the toggle, run the oAuth dialog and then the toggle is still off.

On hitting the toggle, change the popup response from:

> "You have successfully authorized this extension to view your subscriber list!"

To

> "You have successfully authorized this extension to view your subscriber list! But you don't have subscribers so when if you become an affiliate we are good to go"

And/or change the wording on the toggle to indicate that the channel is not enrolled in the subscribers platform

Hey. I know that people are requesting API for Channel Points. But I came up with better and easier idea.

When streamer creates new reward in dashboard, there should be option to "run a link" in background after reward is redeemed. This type of button will trigger bot with GET-request and bot will run specific action.

Why I think this approach is better than API:
1. No API on Twitch side, obviosly.
2. Bots won't be abble to control Channel Points directly.
3. This will work with any bot who will support this kind of triggers.
4. Easier to use and understand for regular users. Bots developers could design this as "to run this action paste this link in your reward". This sounds pretty easy.
5. Gonna be pretty easy to exclude failed requests for Twitch. You just check if requested link returned: {response: success} or something like that. If it returned something like {error: "Requested video have not enough views."} then you just show this error to viewer and do not take his Channel Points.

Possabilities here are endless. Viewers will be able to request songs with Channel Points, run some sounds and animations on stream, play mini-games, change color of lights in streamer's room, etc.

If I have an oAuth that represents a User, where the User is either

• the broadcaster the clip is of


• an editor of the channel that the clip is of


• the user is the owner of the clip

And I make a request for a Clip as documented: https://dev.twitch.tv/docs/api/reference#get-clips

(but with the bearer naturally)

The JSON Response should include the direct link to the MP4 or an ability to download the Clip.

This is off the back of the removal/deprecation of some undocumented API's that I was using to get the MP4 URL for automated download for creation of clip reels and similar.

Imagine the following attack for the OAuth 2.0 authorization flow:

1. Attacker steals the authorization code from the redirect URI.


2. Attacker forces his instance of the client to redeem the victim's authorization code.


3. If the attacker's instance of the client is faster than the victim's instance of the client in redeeming the authorization code, the attacker will get a valid login session within his instance of the client, but for the victim's account.

This attack should especially get attention in the context of Twitch and live streaming, since many streamers are definitely not aware of this vulnerability: If people are logging in with Twitch on 3rd party sites while live streaming, an attacker that has automated this attacking process (e.g. by capturing the stream) can easily grab the authorization code from the visible browser address bar during the streamer's login attempt, except ...

... the OAuth 2.0 PKCE extension is used by the client, which prevents the attack in the following way:

1. A hashed secret (using a cryptographic hash function) is send using the nonce parameter of the initial authorization request (leading to the Twitch login page).


2. Later, the authorization server (that is used to redeem authorization codes) is sending back the same nonce together with the access token.

The back end implementation (that also securely stores the client secret and makes the call to this authorization server) can now verify whether the nonce sent back from the authorization server is indeed the hashed value of the specific secret.
An attacker that does not know the secret should now longer be able to force the back end to authorize him with the victim's permissions.
Of course, the secret is bound to the authentication session and only visible to an attacker in its hashed form (the nonce) within the initial authentication request.

A few months ago someone suggested to support the OAuth 2.0 authroization flow PKCE extension. [1]
I don't know if the nonce usage above is exactly the same as PKCE, but it at least prevents attack scenarios like the one that I just described.

Currently, the documentation does not mention this nonce parameter being available for the OAuth 2.0 authorization flow. [2] It should be added with a short description, similar to the other optional parameters like state or force_verify to make people aware of it.

This user voice is a clone of this thread in the forum. [3]

[1] https://discuss.dev.twitch.tv/t/pkce-extension-for-oauth-authorization-code-flow/19575
[2] https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#oauth-authorization-code-flow
[3] https://discuss.dev.twitch.tv/t/please-document-optional-oauth-2-0-authorization-flow-parameter-nonce/23357

The New Twitch API needs serious attention. I worked considerable with the V3 API and that was rock solid. I'm having a difficult time with the new API. It has a lot of quirks.

My biggest issue now is that certain calls return an empty response with certain parameters.

For example, if I try to filter streams with a gameid and language this will return a result with 0 items sometimes while other times it will return the correct results. The behavior is very inconsistent.
https://api.twitch.tv/helix/streams?gameid=33214&language=en

It works 100% of the time without the language parameter.
https://api.twitch.tv/helix/streams?game_id=33214

It will also filter incorrectly if the parameters are not entered in alphabetical order which is not documented.