OAuth2 Twitch login breaks with Telegram Android in-app browser due to parameter stripping

[Propants05]

Hey Telegram devs,

I’m running a service that lets Twitch subscribers access a Telegram group via an OAuth2 flow. The issue happens specifically on Android devices using the Telegram app:

User clicks on the OAuth2 Twitch link inside the Telegram Android app.

The link opens in Telegram’s in-app browser.

The user is redirected back to Twitch login (if not already logged in).

After login, Twitch redirects back to the OAuth2 callback URL but all query parameters except client_id get stripped.

This causes an HTTP 400 error because mandatory parameters for OAuth2 are missing.

If the in-app browser is disabled (e.g., “Open links externally”), the OAuth2 flow works fine.

I tested extensively with various URL encodings and redirect URL orders, but the problem persists only when the login is required and only in Telegram’s in-app browser.

Issue Summary:

Telegram Android in-app browser strips query parameters on redirect during OAuth2 Twitch login flow.

Causes OAuth2 to fail with HTTP 400 error.

Problem does not happen in external browsers or when the in-app browser is disabled.

Impact:

Twitch users accessing OAuth2 flows from Telegram on Android cannot log in properly.

Major UX issue for services integrating Twitch OAuth via Telegram.

Request:

Please investigate the Telegram in-app browser behavior on Android regarding URL parameters preservation during OAuth2 flows or redirect chains.

Note: I found only this GitHub repo for Telegram (https://github.com/telegramdesktop/tdesktop), but I’m not sure if it’s the correct place to open this issue related to the mobile in-app browser.

Thanks!

[levlam]

This is not related to TDLib. You can report app bugs at https://bugs.telegram.org/.