48 votes

4 comments  ·  Developers » API
    JamesTheElixirGuy commented  · 

    There is a way to "jury-rig" something like PKCE.

    1. native app generates a random string called `codeVerifier`.

    2. native app opens twitch oauth with `?state={codeVerifier}` param and skipping the code exchange. If you use `react-native-app-auth`, just set `skipCodeExchange=true`.

    3. successful twitch login redirects to "backend" server with `code` and `state` values. Rename respectively to `twitchCode` and `codeVerifier`.

    4. backend server creates a random string called `internalCode`.

5. backend server caches a KVP with key `codeVerifier` and value `{internalCode: internalCode, twitchCode: twitchCode}`.

    6. backend server sets window location to `myapp://oauthpath/twitch?internalCode={internalCode}`.

    7. native app handles this route by sending a login POST request to backend with 2 params: `internalCode` and `codeVerifier`.

    8. backend handles the login request by looking for `codeVerifier` in the cache. It checks the `internalCode` matches. If it does match, use the accompanying `twitchCode` to hit twitch API, get the user, login/register with the user details and return a normal "access token" for your app to the native app.

    TL;DR use twitch's CSRF-thwarting "state" mechanism as a way of passing a `codeVerifier` from frontend to backend. It is never passed from backend to frontend, so PKCE is achieved (I think).

    JamesTheElixirGuy commented  · 

    Until this is implemented, it should be common knowledge that Twitch OAuth is insecure on any native application.

JamesTheElixirGuy supported this idea