Implementing user authentication logout with Twitch OAuth integration

I’m building a voting system for streamers where users need to authenticate through Twitch before they can vote. The problem I’m facing is with the logout process. When someone logs into my site using Twitch OAuth, they also get logged into Twitch itself. Even if I clear the session data on my website, users remain authenticated on Twitch’s platform. This means when they try to log back in, they automatically get authenticated again without entering credentials. How can I properly handle user logout so they actually need to re-authenticate? Is there a way to revoke the OAuth token or force them to log out of Twitch completely?

You can’t really force a total Twitch logout, but try revoking the token like others said. Plus, add a logout param to your redirect URL: https://www.twitch.tv/logout. It’ll give users the option to fully log out. Not ideal, but it’s a start.

Indeed, that’s how OAuth is designed to function. The tokens remain valid until they are explicitly revoked, which is standard behavior. When users authenticate through Twitch OAuth, they grant your application permission to access their data without actually logging them out of Twitch. To perform a proper logout, you must revoke the token. You can do this by sending a POST request to https://id.twitch.tv/oauth2/revoke along with the user’s access token. It’s important to note that you cannot log users out of Twitch entirely; doing so would pose a security risk. By revoking the token, users will need to re-authorize your application during their next login, but their main Twitch session remains intact.

That’s just how OAuth works. You need a two-step logout: clear your session data and cookies like you’re doing, then revoke the access token by hitting Twitch’s revoke endpoint. But honestly, there’s probably a better way to handle this. Instead of forcing users to re-authenticate completely, just add a confirmation step or short delay before they can vote again. You’ll keep things secure without making the experience clunky. The automatic re-login isn’t a bug - it’s actually a feature so users don’t have to keep entering credentials for apps they trust.
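The two-step logout described in the answers above, as an added example that is not part of any reply in this thread: it clears the local session first, then POSTs the token to the revoke endpoint, and reports what happened so the caller can log it. Assumptions: `session` is a hypothetical dict-like server-side session storing the token under `"access_token"`, the request carries `client_id` and `token` as form fields, and a 400 response is taken to mean the token was already invalid.

```python
import urllib.error
import urllib.parse
import urllib.request

REVOKE_URL = "https://id.twitch.tv/oauth2/revoke"  # endpoint named in the answers


def build_revoke_request(client_id, access_token):
    """Form-encoded POST carrying the app's client ID and the token to revoke."""
    body = urllib.parse.urlencode({"client_id": client_id, "token": access_token})
    return urllib.request.Request(
        REVOKE_URL,
        data=body.encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def http_send(request):
    """Default transport: returns the HTTP status, including 4xx/5xx codes."""
    try:
        with urllib.request.urlopen(request, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def logout(session, client_id, send=http_send):
    """Returns "revoked", "already_invalid", "no_token" or "revoke_failed"."""
    token = session.pop("access_token", None)
    session.clear()  # step 1: local logout always happens, even if step 2 fails
    if not token:
        return "no_token"
    try:
        status = send(build_revoke_request(client_id, token))  # step 2
    except OSError:  # network failure (URLError is a subclass of OSError)
        return "revoke_failed"
    if status == 200:
        return "revoked"
    if status == 400:  # assumption: token was already expired or revoked
        return "already_invalid"
    return "revoke_failed"
```

Passing a stub as `send` lets the flow be exercised without network access; the token is removed from the session before the network call, so a failed revoke never leaves the user locally logged in.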