
3 results found

  1. 49 votes

    4 comments  ·  Developers » API  ·  Admin →
    GenideGaming supported this idea  · 
    GenideGaming commented  · 

    Someone please implement this soon!

    IETF best practices REQUIRE PKCE for public clients (e.g. Standalone Applications), and it is RECOMMENDED for confidential clients (e.g. Web Server). Twitch should transition away from implicit authorization to the PKCE Authorization Code flow.
    https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1

    Re-posting links here because the original one leads to 404.
    https://oauth.net/2/pkce/
    https://datatracker.ietf.org/doc/html/rfc7636

  2. 18 votes

    GenideGaming commented  · 

    For anyone reading this, the nonce described in the OAuth standard is not used for PKCE. The nonce is used to prevent replay attacks when using OpenID Connect. [1]

    There is a separate uservoice request for PKCE support. [2]
    I highly suggest we go forward with PKCE support as it prevents the described attack method in this post. [3]
    Current best practices from the IETF say "Public clients MUST use PKCE" and "For confidential clients, the use of PKCE [RFC7636] is RECOMMENDED". [4]
    The attack vector described is also the reason why implicit auth should be deprecated in favor of PKCE Authorization Code Flow. [5]

    [1] https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps
    [2] https://twitch.uservoice.com/forums/310213-developers/suggestions/39785686-add-pkce-support-to-the-oauth2-0-authorization-cod
    [3] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1
    [4] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.1
    [5] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.2
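
    Both comments above point at PKCE (RFC 7636) as the fix for the authorization code flow. The following Python is an added example, not code from the original posts, from Twitch, or from the IETF drafts: it shows the client's code_verifier / S256 code_challenge pair and the token-endpoint check that makes an authorization code useless to anyone who did not generate the verifier, whether the code was intercepted from the redirect or injected into another user's session. The AuthorizationServer class, the client id and the redirect URI are constructed stand-ins for this example and are not Twitch's endpoints; the OpenID Connect nonce mentioned in the second comment is a separate mechanism and is not modelled here.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


def generate_verifier() -> str:
    """Client side: high-entropy code_verifier (RFC 7636 section 4.1).
    32 random bytes base64url-encoded without padding is 43 characters,
    the RFC minimum, all drawn from the unreserved character set."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(verifier))), RFC 7636 section 4.2."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy in-memory authorization server, constructed for this example (not Twitch's).
    It stores the challenge with each issued code and, at the token endpoint,
    recomputes the challenge from the presented verifier (RFC 7636 sections 4.4 and 4.6)."""

    def __init__(self) -> None:
        self._codes: dict[str, dict[str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  challenge: str, method: str = "S256") -> str:
        # Refuse "plain": it would expose the verifier itself in the front channel.
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id,
                             "redirect_uri": redirect_uri,
                             "challenge": challenge}
        return code

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str | None) -> dict[str, str] | None:
        # Codes are single use: pop() means a replayed code is rejected.
        record = self._codes.pop(code, None)
        if record is None:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        # The PKCE check: no verifier, or the wrong one, and the code is worthless.
        if code_verifier is None:
            return None
        if not hmac.compare_digest(code_challenge(code_verifier), record["challenge"]):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


CLIENT_ID = "example-public-client"             # constructed, not a real client id
REDIRECT_URI = "http://localhost:3000/callback"  # constructed loopback redirect


def legitimate_flow(server: AuthorizationServer) -> dict[str, str] | None:
    """Honest client: keeps its verifier private and redeems its own code."""
    verifier = generate_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, code_challenge(verifier))
    return server.token(CLIENT_ID, REDIRECT_URI, code, verifier)


def stolen_code_flow(server: AuthorizationServer) -> dict[str, str] | None:
    """Attacker captured the code from the redirect but never saw the verifier,
    which stayed inside the client; guessing a verifier does not help."""
    victim_verifier = generate_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, code_challenge(victim_verifier))
    attacker_guess = generate_verifier()
    return server.token(CLIENT_ID, REDIRECT_URI, code, attacker_guess)


def injected_code_flow(server: AuthorizationServer) -> dict[str, str] | None:
    """Code injection: the attacker plants a code bound to their own challenge
    into the victim's session; the victim's client sends its own verifier."""
    attacker_verifier = generate_verifier()
    attacker_code = server.authorize(CLIENT_ID, REDIRECT_URI, code_challenge(attacker_verifier))
    victim_verifier = generate_verifier()
    return server.token(CLIENT_ID, REDIRECT_URI, attacker_code, victim_verifier)


def replayed_code_flow(server: AuthorizationServer) -> bool:
    """Even the rightful holder cannot redeem a code twice."""
    verifier = generate_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, code_challenge(verifier))
    first = server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
    second = server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
    return first is not None and second is None


if __name__ == "__main__":
    print("legitimate:", legitimate_flow(AuthorizationServer()) is not None)
    print("stolen code rejected:", stolen_code_flow(AuthorizationServer()) is None)
    print("injected code rejected:", injected_code_flow(AuthorizationServer()) is None)
    print("replay rejected:", replayed_code_flow(AuthorizationServer()))
```

    The point the example makes is that the verifier never travels over the front channel, so a code observed in a redirect (the exposure the implicit flow cannot defend against, since it returns the token itself there) cannot be exchanged by anyone else. The verifier is compared with hmac.compare_digest rather than == so that the check does not leak timing information about the stored challenge.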

  3. 337 votes

    Investigating  ·  11 comments  ·  Developers » API  ·  Admin →
    GenideGaming supported this idea  ·