Authentication + Websockets

My application wants to let users log in using Twitch. I redirect them to the twitch page and they authenticate and I get the OAuth token from the kraken authentication API.

My question originates from reading this piece of documentation:

This section applies only to developers who use Twitch to enable users to log into their applications. In these cases, Twitch ensures that users who identify themselves on third-party Web sites are who they say they are.
Twitch requires that applications using Twitch OAuth 2 authentication for login validate the access tokens with every request. That is, if your service uses Twitch as a form of authentication (to verify that a user is who he says he is on your platform), each request to your service must validate the continued viability of the access token.
Twitch periodically conducts audits. If we discover an application that is not re-validating access tokens (that is, an application that validates only for login and not thereafter), we may take punitive action, such as revoking the developer’s API key or throttling the application’s performance.

My use case is essentially getting the User ID from Twitch’s v5 GET API after they authorize and storing said User ID as a way to uniquely identify a Twitch user. Then, they are primarily communicating with my server alone through a websocket opened once, and I almost never need to talk to Twitch again after that. Users have to re-authenticate if they close the connection (the page, or disconnect, etc.), but that’s about it.

Should I set a timer to re-check the oauth token every 10 minutes? Every 5? Whenever the root URL says my token is going to run out? How do I make sure I’m validating properly and within the limits of the rules here? I don’t want to validate for every single command piped either way through my websocket because that’s a sure fire way to get rate limited, as there are hundreds of binary commands going back and forth between my server and my users.

I would really appreciate any guidance on the subject!

I have a similar question, given the reliability issues with the API, I let folks authenticate once, then give the user the power to delete all their data from a system that belongs to them if they wish to cease using it. They don’t even have to disconnect in Twitch, which some folks don’t even know exists, I think. The reason for this design was, when I was trying to check the API on a consistent basis for authentication purposes, it was coming back with failures (especially during that time period a couple of weeks ago) and I didn’t want to deal with it anymore - having my service depend upon a service that was going down every other day just wasn’t ideal.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.