
Invalid CSRF token: Too confusing for a User.

Open BarryCarlyon opened this issue 6 years ago • 11 comments

Brief description

Occasionally, when you perform step 1 of OAuth (redirect the user to Twitch to allow/deny an account link), a JSON blob is returned in the body:

{"error":"Invalid CSRF Token"}

This is shown to an end user and the end user has no idea what to do.

How to reproduce

Keep trying to link accounts till it happens. Usually happens more often with Firefox users.

Expected behavior

Display a more useful error page, or redirect to the Twitch login page, which you do get sometimes (even when logged in on Twitch).

BarryCarlyon avatar Jan 04 '20 14:01 BarryCarlyon
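The error above comes from the OAuth "state" parameter, which is the CSRF token an OAuth client binds to the user's session before redirecting to https://id.twitch.tv/oauth2/authorize and checks again on the callback. The following is an added example, not code from this issue or from Twitch, showing how an app that links Twitch accounts can own that token end to end and turn every failure (missing or mismatched state, a provider error, the raw JSON blobs quoted in this thread) into a page the user can act on. The in-memory session store, the helper names, the `/link/twitch` retry path and the wording of the messages are assumptions made for the illustration; the query parameters are the standard authorization-code ones.

```python
# Added example (not from the issue or from Twitch's code base): an OAuth client that
# mints, binds and validates the "state" CSRF token itself and never shows a raw
# error body to the user. Session store and helper names are assumptions.
import html
import json
import secrets
from typing import Dict, List, Optional
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"  # endpoint named in the issue

# Hypothetical server-side session store: session_id -> pending state token.
# A real app keys this off its own session cookie / session backend.
_pending_states: Dict[str, str] = {}


def begin_link(session_id: str, client_id: str, redirect_uri: str, scopes: List[str]) -> str:
    """Step 1 of the flow: mint a fresh, unguessable state token, bind it to the
    user's session, and build the URL the browser is redirected to."""
    state = secrets.token_urlsafe(32)
    _pending_states[session_id] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def pending_state(session_id: str) -> Optional[str]:
    """Look up the state token currently bound to a session (diagnostics / tests)."""
    return _pending_states.get(session_id)


def finish_link(session_id: str, callback_url: str) -> dict:
    """Step 2: validate the redirect back from the provider. Every outcome carries a
    message written for the end user; nothing here surfaces a raw JSON error."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = _pending_states.pop(session_id, None)  # single use: consumed on first callback

    if expected is None:
        # Nothing pending for this session: cookie lost, session expired, or the
        # callback landed in a different browser than the one that started the flow.
        return {"ok": False, "reason": "missing_state", "retry": True,
                "user_message": "Your Twitch sign-in session expired or was started in a "
                                "different browser. Please start the account link again."}
    if not secrets.compare_digest(params.get("state", ""), expected):
        # A mismatch is the CSRF signal: this callback was not produced by our redirect.
        return {"ok": False, "reason": "state_mismatch", "retry": True,
                "user_message": "We could not confirm that this sign-in request came from you. "
                                "Please start the account link again."}
    if "error" in params:
        desc = params.get("error_description", params["error"])
        return {"ok": False, "reason": "provider_error", "retry": True,
                "user_message": f"Twitch reported: {desc}. You can try again."}
    if "code" not in params:
        return {"ok": False, "reason": "no_code", "retry": True,
                "user_message": "Twitch did not return an authorization code. Please try again."}
    return {"ok": True, "reason": "success", "code": params["code"], "retry": False,
            "user_message": "Twitch account linked."}


def user_facing_message(raw_body: str) -> str:
    """Translate the JSON bodies quoted in the issue, e.g. {"error":"Invalid CSRF Token"}
    or {"status":401,"message":"invalid csrf token"}, into one actionable sentence."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        body = {}
    if not isinstance(body, dict):
        body = {}
    text = " ".join(str(body.get(k, "")) for k in ("error", "message")).lower()
    if "csrf" in text:
        return ("Your sign-in attempt could not be verified. Close this tab, make sure you are "
                "logged in to Twitch, and start the account link again.")
    return "Something went wrong while talking to Twitch. Please try again."


def render_error_page(result: dict) -> str:
    """Minimal HTML shown instead of a JSON body. The message is escaped because
    provider error descriptions arrive via the query string and are untrusted."""
    retry = '<p><a href="/link/twitch">Try again</a></p>' if result.get("retry") else ""
    return f"<h1>Account link failed</h1><p>{html.escape(result['user_message'])}</p>{retry}"
```

The state token is consumed on first use, so a replayed or duplicated callback fails closed with the same friendly page; compare_digest keeps the comparison constant-time; and the error description from the provider is HTML-escaped before rendering, since it is attacker-influenced input.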

IDPLAT-3002

mauerbac avatar Mar 30 '20 19:03 mauerbac

Got a user complaint about this. +1

guanzo avatar Apr 30 '20 11:04 guanzo

I also received a few user complaints about this.

marcandrews avatar Apr 30 '20 12:04 marcandrews

Hi everyone- thanks for the notes here.

If anyone is able to reproduce this consistently, any steps you can provide would help with resolution. Team is still investigating, however.

lleadbet avatar Jul 14 '20 00:07 lleadbet

Firefox users report it often.

I don't have repro steps other than to be using Firefox.

But whenever your code returns this error it needs to do something more useful than present this to the user.

BarryCarlyon avatar Aug 10 '20 18:08 BarryCarlyon

This happens for me every time when trying to use Twitch SSO on Firefox. I do not have issues when using other SSO+MFA services like Google.

The steps I take are:

  1. Start Firefox (I have uBlock Origin, and NoScript but disabling them does not help)
  2. Log into twitch account with MFA through Authy
  3. Visit website using Twitch SSO, like DNDBeyond.com
  4. Click "Login in with twitch"
  5. Authorize the application
  6. Upon pressing "Authorize" I am presented with the page "https://id.twitch.tv/oauth2/authorize" in JSON format with {"status":401,"message":"invalid csrf token"}

My workaround has been:

  1. Launch Google Chrome
  2. Log into my Twitch Account
  3. Sign into the website, and authorize my twitch account
  4. Set up an alternative method of logging in.
  5. Close Chrome, and reopen Firefox.
  6. Sign on with anything but Twitch SSO

vprime avatar Sep 27 '20 17:09 vprime

I was having this same issue in the Brave and Chrome browsers. Tried logging out and back in multiple times, tried clearing cache and cookies multiple times in both browsers. Was not able to solve this issue until I logged into Twitch via mobile (Brave browser), then clicked authorize and it worked flawlessly. Not able to recreate the issue since making the connection, but this is what solved the issue for me.

Higler avatar Apr 10 '24 17:04 Higler

This is completely preventing me from implementing Twitch connections to my website!

thatmaxplayle avatar Sep 13 '24 19:09 thatmaxplayle