48 votes
JamesTheElixirGuy commented: Until this is implemented, it should be common knowledge that Twitch OAuth is insecure on any native application.
JamesTheElixirGuy supported this idea
There is a way to "jury-rig" something like PKCE.
1. native app generates a random string called `codeVerifier`.
2. native app opens Twitch OAuth with a `?state={codeVerifier}` param and skips the code exchange. If you use `react-native-app-auth`, just set `skipCodeExchange=true`.
3. a successful Twitch login redirects to the "backend" server with `code` and `state` values. Rename these to `twitchCode` and `codeVerifier` respectively.
4. backend server creates a random string called `internalCode`.
5. backend server caches a KVP with key `codeVerifier` and value `{internalCode: internalCode, twitchCode: twitchCode}`
6. backend server sets window location to `myapp://oauthpath/twitch?internalCode={internalCode}`.
7. native app handles this route by sending a login POST request to backend with 2 params: `internalCode` and `codeVerifier`.
8. backend handles the login request by looking up `codeVerifier` in the cache. It checks that the `internalCode` matches. If it does match, use the accompanying `twitchCode` to hit the Twitch API, get the user, log in/register with the user details and return a normal "access token" for your app to the native app.
TL;DR: use Twitch's CSRF-thwarting "state" mechanism as a way of passing a `codeVerifier` from frontend to backend. It is never passed from backend to frontend, so PKCE is achieved (I think).