Authentication in a desktop application

Hey there!

I’m wondering what the recommendation would be for distributing a desktop application that consumes the Twitch API?

I’m building my desktop app with C#, and I’m using the IdentityModel.OidcClient.Browser and Microsoft.Web.WebView2 packages. (for those familiar)

I can already prompt a user to log in via the browser, return back to my app, and make API calls.

I’m simply wondering at this point if there happens to be another way to authenticate WITHOUT keeping a Client ID in/with the application? I have it working WITHOUT a Client Secret already, so that box is checked.

Once “out in the world” there’s nothing stopping someone from taking a peek, and using my Client ID/RedirectUri and doing the same thing as I am, just with/as my client.

So I’m just a little confused how client-side apps outside of the browser (mobile/desktop) stay secure(ish)? In terms of sharing the Client IDs I’ve made myself.

Is there a part of this I’m missing, or is my idea/concern basically how it is and desktop apps aren’t really recommended…unless of course you make your users go through the process of creating a Client themselves?

Client ID’s are considered public, the secrets and oauth tokens are private.

You can use a custom auth system and crate a session between your app and a server then have them login through web browser or in app browser.

Or if you don’t have a sever for persistent auth, then use an in app browser session or something and use implicit auth and grab the access token from the return url. You can just use local host and let the redirect fail and grab the access token and close the browser programmatically.

To add to the other replies: you don’t need to keep the ClientID secret as they are conisdered public information

As per the guide - Getting OAuth Access Tokens | Twitch Developers

The ClientID is added to the URL that users click on be redirected to Twitch

The ClientID is then visible in the address bar when people click the accpet/decline button.

A clientID is kinda like the “machine friendly” name of your Application.

it’ll also be visible in any requests your code makes from the wrong end when using console or network montioring

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.