Any plans for PKCE implementation?

I am building a standalone electron application. In the application, I want to get both a refreshable access token and ID Token. But this is not possible with Twitch’s current authentication methods. Twitch’s OIDC Implicit Code Flow authentication will allow a standalone application to get a token. However, the token is not refreshable. Twitch’s OIDC Authorization Code Flow can get a refreshable token. However, it means exposing a client_secret in my application.

To support my use case, there is PKCE (Proof Key for Code Exchange). PKCE is an extension of OAuth2 that enables standalone applications to use the Authorization Code Flow for authentication. PKCE does not require a client_secret to create trust between the application and Twitch’s authentication servers.

Is this on anyone’s radar?
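To make concrete what the post is asking for, here is an added example (not code from the original post, and not a Twitch SDK) of the PKCE mechanics from RFC 7636: the client generates a high-entropy `code_verifier`, sends only its SHA-256 `code_challenge` with the authorization request, and later presents the verifier at the token endpoint, where the server recomputes the challenge and compares. The authorize endpoint URL, client ID, redirect URI and scope are placeholders, not values from the page; the RFC 7636 Appendix B test vector is used to check the hashing.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# RFC 7636 test vector (Appendix B), used to sanity-check the challenge derivation.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(raw: bytes) -> str:
    """Base64url encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier from a CSPRNG. 32 bytes -> 43 characters, the RFC minimum length."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(base_url: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, challenge: str) -> str:
    """Authorization request carrying only the challenge, never the verifier.
    base_url/client_id/redirect_uri are hypothetical placeholders."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{base_url}?{urlencode(params)}"


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """What the token endpoint does: recompute the challenge from the presented
    verifier and compare in constant time. 'plain' is rejected so a downgrade
    from S256 cannot be used to satisfy the check with the bare challenge."""
    if stored_method != "S256":
        return False
    if not (43 <= len(presented_verifier) <= 128):
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def demo_flow() -> bool:
    """End-to-end run of a PKCE exchange with an in-memory stand-in for the server."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = b64url_nopad(secrets.token_bytes(16))
    # Constructed placeholder endpoint; not Twitch's documented PKCE support.
    url = build_authorize_url("https://auth.example.invalid/oauth2/authorize",
                              "CLIENT_ID_PLACEHOLDER", "myapp://callback",
                              "openid", state, challenge)
    assert "code_verifier" not in url          # the secret never leaves the client here
    # Server side: it stored (challenge, method) with the issued authorization code.
    return server_verify(challenge, "S256", verifier)


if __name__ == "__main__":
    print("RFC vector ok:", make_code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE)
    print("flow ok:", demo_flow())
```

The point for a desktop or Electron app is that an attacker who intercepts the authorization code (for example via a registered custom URI scheme) still cannot redeem it without the verifier, which exists only in the process memory of the client that started the flow, and no client_secret has to ship in the binary.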

Other notes:

Sounds like you need a uservoice to submit a feature suggestion

I can and have got implicit auth working in Electron. Just have to bounce via my server to relay to Electron via a custom URI handler/launch arguments.

However I generally use another auth method from app to my server, and my server retains the tokens

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.