Is there a way to view the exact requests performed by pow_assent? #201

Open
ohmree opened this issue Jan 2, 2021 · 3 comments

ohmree commented Jan 2, 2021

I'm using Phoenix with a very basic Twitch strategy based on the built-in OAuth2 strategy, and the defaults for everything else (templates, views, controllers, schemas, etc).

Logging in works, but after being redirected to my callback URI I get a 404, and I'd like to know why, so it'd be very helpful if I could see exactly what requests are being performed by the OAuth2 strategy.

Here's my strategy, which is the same as the example one except for a few replaced fields to match the Twitch API:

defmodule MyApp.Auth.Twitch do
  use Assent.Strategy.OAuth2.Base

  @impl true
  def default_config(_config) do
    [
      site: "https://api.twitch.tv/helix", # The base URL to use for any paths below
      authorize_url: "https://id.twitch.tv/oauth2/authorize", # Full URL will not use the `:site` option
      token_url: "/oauth2/token",
      user_url: "/users",
      authorization_params: [scope: "user:read:email"],
      auth_method: :client_secret_post
    ]
  end

  @impl true
  def normalize(_config, user) do
    {:ok,
     # Conformed to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.1
     %{
       "sub"      => user["sub"],
       "name"     => user["name"],
       "nickname" => user["username"],
       "email"    => user["email"]
     }
    }
  end
end

I suspect my issue might be related to the user_url config field, but my speculations aren't very helpful if I can't use curl for testing the requests myself.

ohmree commented Jan 4, 2021

Ok, so after some testing I figured out that the specific problem here was that my token_url was wrong.

However, after fixing it (and experimenting a lot on the CLI) I found a new problem: Twitch expects a Client-Id header that matches the client_id query parameter when fetching a user.

The error I get from assent, which isn't very useful, is Strategy failed with error: %Assent.RequestError{error: nil, message: "Unauthorized token"}.

Here's an example of the error in action outside of assent (at least I think that's the one I'm getting, I still have no way to access the original error body from the Twitch API):

$ http get "https://api.twitch.tv/helix/users?client_id=$id" "Authorization: Bearer $token" --body
{
    "error": "Unauthorized",
    "message": "Client ID and OAuth token do not match",
    "status": 401
}

$ http get "https://api.twitch.tv/helix/users?client_id=$id" "Authorization: Bearer $token" "Client-Id: $id" --body
{
    "data": [
        {
            "display_name": "MyName",
            "login": "myname"
            // etc...
        }
    ]
}

So my question now is, can I add headers to my user fetching request? It seems like you can only add request params in the fetch_user impl.

Or perhaps should this be standard behavior? I could try adding this to the OAuth2 strategy and opening a PR.

danschultzer (Collaborator) commented Jan 4, 2021

Yeah, the fetch_user/3 call in Assent.Strategy.OAuth2 should have a fourth argument for headers. That would solve this issue. Please do open a PR for https://github.com/pow-auth/assent!

danschultzer (Collaborator) commented

Thanks, it's in the master branch, I'll release a new version soon. Feel free to open another PR to add Twitch support in Assent 😄
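
The fix discussed in this thread, as an added example that is not part of the original comments and is not Assent's own code: the strategy with a full token URL and a fetch_user/2 override that sends the Client-Id header through the four-argument Assent.Strategy.OAuth2.fetch_user mentioned above. Assumptions: the fourth argument is a list of {name, value} header tuples, the token endpoint is https://id.twitch.tv/oauth2/token, and the Helix user object carries "id", "login", "display_name" and "email".

```elixir
defmodule MyApp.Auth.Twitch do
  use Assent.Strategy.OAuth2.Base

  alias Assent.Strategy.OAuth2

  @impl true
  def default_config(_config) do
    [
      site: "https://api.twitch.tv/helix",
      authorize_url: "https://id.twitch.tv/oauth2/authorize",
      # Assumption: full URL, because the token endpoint does not live under :site
      token_url: "https://id.twitch.tv/oauth2/token",
      user_url: "/users",
      authorization_params: [scope: "user:read:email"],
      auth_method: :client_secret_post
    ]
  end

  @impl true
  def fetch_user(config, token) do
    # Twitch rejects the request with 401 unless Client-Id names the client
    # the bearer token was issued to, so take it from the strategy config.
    with {:ok, client_id} <- Keyword.fetch(config, :client_id),
         {:ok, %{"data" => [user | _]}} <-
           OAuth2.fetch_user(config, token, [], [{"Client-Id", client_id}]) do
      {:ok, user}
    else
      :error -> {:error, "missing :client_id in strategy config"}
      {:ok, _unexpected} -> {:error, "user response had no data entry"}
      {:error, error} -> {:error, error}
    end
  end

  @impl true
  def normalize(_config, user) do
    # Field names on the right are assumed from the Helix response shape
    # shown earlier in the thread ("data" list with "login", "display_name").
    {:ok,
     %{
       "sub" => user["id"],
       "name" => user["display_name"],
       "nickname" => user["login"],
       "email" => user["email"]
     }}
  end
end
```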
