Twitch API Login Authorization

Question

I'm trying to allow users to login using the Twitch API, but I have a few problems with the code. The code was written by BarryCarlyon, and copied from this forum https://discuss.dev.twitch.tv/t/authorization-code-flow/5148/12.

I'm not that familiar with the Twitch API, and my PHP knowledge only goes so far. I believe the problem occurs at if ($i['http_code'] == 200), or somewhere in this region:

 if ($i['http_code'] == 200) {
        $result = json_decode($result, true);

        // get
        $curl = curl_init('https://api.twitch.tv/kraken/user');
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_HTTPHEADER, array(
            'Accept: application/vnd.twitchtv.v3+json',
            'Client-ID: ' . $client_id,
            'Authorization: OAuth ' . $result['access_token']
        ));
        $user = curl_exec($curl);
        $i = curl_getinfo($curl);
        curl_close($curl);

        if ($i['http_code'] == 200) {
            $user = json_decode($user);

            echo '<p>Thanks ' . $user->display_name . ' <3</p>';

            // THE USER IS LOGGED IN
        } else {
            echo '<p>An error occured, please <a href="/">click here and try again</a></p>';
        }

The full code:

$client_id = 'YourID';
$client_secret = 'YourSecret';
$redirect_uri = 'http://someplace/';

if ($_GET['code']) {
    $token_url = 'https://api.twitch.tv/kraken/oauth2/token';
    $data = array(
        'client_id' => $client_id,
        'client_secret' => $client_secret,
        'grant_type' => 'authorization_code',
        'redirect_uri' => $redirect_uri,
        'code' => $_GET['code']
    );

    $curl = curl_init($token_url);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

    $result = curl_exec($curl);
    $i = curl_getinfo($curl);
    curl_close($curl);

    if ($i['http_code'] == 200) {
        $result = json_decode($result, true);

        // get
        $curl = curl_init('https://api.twitch.tv/kraken/user');
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_HTTPHEADER, array(
            'Accept: application/vnd.twitchtv.v3+json',
            'Client-ID: ' . $client_id,
            'Authorization: OAuth ' . $result['access_token']
        ));
        $user = curl_exec($curl);
        $i = curl_getinfo($curl);
        curl_close($curl);

        if ($i['http_code'] == 200) {
            $user = json_decode($user);

            echo '<p>Thanks ' . $user->display_name . ' <3</p>';

            // THE USER IS LOGGED IN
        } else {
            echo '<p>An error occured, please <a href="/">click here and try again</a></p>';
        }
    } else {
        echo '<p>An error occured, please <a href="/">click here and try again</a></p>';
    }
} else {
    $scopes = array(
        'user_read' => 1,
    );

    $req_scope = '';
    foreach ($scopes as $scope => $allow) {
        if ($allow) {
            $req_scope .= $scope . '+';
        }
    }
    $req_scope = substr($req_scope, 0, -1);

    $auth_url = 'https://api.twitch.tv/kraken/oauth2/authorize?response_type=code';
    $auth_url .= '&client_id=' . $client_id;
    $auth_url .= '&redirect_uri=' . $redirect_uri;
    $auth_url .= '&scope=' . $req_scope;
    $auth_url .= '&force_verify=true';

    echo '<a href="' . $auth_url . '">Please Click this Link to Authenticate with Twitch</a>';
}

HTTP Code 200 means Success, thus it's saying your request came back with a status other than that. What status code did it actually return? Did you actually substitute your API key at the top? — JBC, Jul 01 '17 at 23:07
@JBC yes, I only removed my keys from the code I added into the question. I have also tried to make something like `if ($i['http_code'] != 200) { echo"error"; }` and it would show the message "error" once I was being redirected from twitch — Volcan 3, Jul 02 '17 at 17:11

JBC · Accepted Answer · 2017-07-03T03:54:29.190

I'm guessing you're running this code locally and your problem stems from that. Running locally myself I see the following issue:

SSL certificate problem: self signed certificate in certificate chain

You can check for errors using curl_error() like so:

$result = curl_exec($curl);

if (curl_error($curl))
{
    echo curl_error($curl);
}

For strictly local debugging and testing purposes (and I emphasize that), you can disable this checking via curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); Don't do this with code running in production. Read more about this specific problem here: Curl error 60, SSL certificate prðblem: self signed certificate in certificate chain

So, assuming you just want to keep running this locally for testing (emphasis again on only local testing), you can go ahead and disable the SSL verification.

First section changes to this:

$token_url = 'https://api.twitch.tv/kraken/oauth2/token';
$data = array(
    'client_id' => $client_id,
    'client_secret' => $client_secret,
    'grant_type' => 'authorization_code',
    'redirect_uri' => $redirect_uri,
    'code' => $_GET['code']
);

$curl = curl_init($token_url);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); // Disables SSL verification

$result = curl_exec($curl);

Second section changes to:

$curl = curl_init('https://api.twitch.tv/kraken/user');
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); // Disables SSL verification
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
    'Accept: application/vnd.twitchtv.v3+json',
    'Client-ID: ' . $client_id,
    'Authorization: OAuth ' . $result['access_token']
));
$user = curl_exec($curl);

The more correct solution is to set up the CA root certificates for your PHP installation. The question I linked earlier provides steps for doing that.

Twitch API Login Authorization

1 Answers1