With the Implicit Auth Flow it can’t be done without opening a website in the browser, so it’s always intrusive (it requires a local webserver to retrieve the token). With the Auth Code Flow it requires a client secret, so at least part of it has to be done on a server, not the client.
Currently the app runs on the users computer, open the Twitch Auth Page for the user, gets redirected to localhost, grabs the token and stores it locally.
I don’t like the idea of all my users access token having to go through my server, it just adds another possible security vulnerability. Currently each client only communicates with Twitch to get a token and the token is then stored locally, so the only way for a token to be leaked would be if the users computer is compromised or the user shows it on stream or something. But if all the tokens have to go through my server then if my server is compromised or the tokens would accidentally be logged somewhere (even if I don’t store them on purpose), then a whole lot of login data would be leaked all at once. Depending on whether the client secret is leaked as well (and when the leak is noticed) they could be used for a while.
But let’s just assume that the server is secure. How would the client even get it’s token through it? Obviously I can’t just have the client send the Refresh Token + Old Token
and receive a New Token
from the server, because then everyone could essentially use my client secret to request new tokens. So the server needs to somehow know which clients are allowed to request a token for which refresh token. I could make the client store some kind of token so it can identify itself to the server, but that would have to be stored locally on the users computer alongside the refresh token and access token, so if the refresh token and access token would be leaked somehow, my server’s token would probably be as well, allowing whoever would maliciously want to use it to request new tokens through my server.
I just don’t see how it really adds a lot of security. It doesn’t fully solve the problem of the token being leaked (only if somehow really only the token would be leaked), but it adds complexity and adds new possible security issues. It makes sense if it’s a kind of application that needs the access token on a server anyway, then you just have to accept that. But for a purely clientside application I’d rather not have my tokens go through a third-party server, if I can help it at all.
If some apps could have a longer expiration time (maybe having to apply for it), then going through the Implicit Auth Flow e.g. once a month wouldn’t be too bad, but it would still prevent tokens that have been leaked and forgotten years ago to still be valid.
Fast expiring tokens make a lot of sense in the context of any apps that live in the web, since especially in that case it’s possible to leak a lot of them quickly if there is some kind of vulnerability on the website or server. But for a clientside app where everything is happening locally, it would mostly just be single tokens being leaked through the users own doing, like loosing an USB stick with a backup on it or their computer being compromised.