I’m implementing a small desktop client for Mac (notification and stuff), I’m using the OAuth2.0 API and everything is working fine.
BUT I can’t use a Redirect URI that doesn’t start with http:// and to me that’s a bit of nonsense. Why is that? Because OAuth2.0 is great for the user as he can avoid to insert username/password to external application, but as now, in a desktop app we are forced to open a custom “web view” and load the twitch login page (instead of using the user browser and redirecting to the application at the end of the verification).
Opening a custom browser can allow the developer to read the username/password, it’s a nuisance to the user because it need to login again and can’t use the browser autofill or external app like 1Password.
Just let us use a custom protocol like myapp:// (please leave the redirect URI as customisable as possible or provide a custom pattern with a UUID like twitch_UUD://) so we can provide a better experience (and security) to our users. A lot of other services already do that (Dropbox or Facebook for example).
I would suggest setting it up so that auth is handled in the user browser, redirecting back to your own site. From there you can pass the oauth token to your app through custom url pattern yourself.
Another way would be to load the oauth page in a webview, catch it on your site, and inside your app read the webview url to get the oauth token.
You should never require the user to store their password in your app. An oauth token is the way to go, and is all you need.
Or you could make your include a simple localhost web server in your app, let the redirect be to localhost:8080/redirect or just localhost:8080. Then handling the authentication on the users’ computer.
It might not work properly since you would have to store the client id somewhere inside the app, which might be compromised (unless all users register their own app, and use that client id)
A different approach might be if you set up a hosted server that authenticates and then redirects to the localhost server, passing on the api key.
thanks for your answers, those are all good workaround, but I don’t want to have an additional remote web server. I might consider adding a local web server (that’s still silly because it way more complicated that the entire app).
But it should be very easy to allow custom urls, I don’t see any harm in doing that (a lot of other big services are already doing it).
What language(s) are you using? Setting up a simple web server that parses a query and does some requests shouldn’t be very much, depending on what language/libraries you’re working with.
