Getting Access Token after Authentication

I am creating a Windows Application in C# that requires logging in the user via the Twitch API. A quick disclaimer- I am new to both the Twitch API and C# (only writing in this so I can create a Windows App), so bear with me.

So far I have accomplished the following:

  1. The user presses the login button and is redirected to the twitch login page
  2. The user is able to successfully accept using my application and the defined scope (defined in the GET parameter of the url)
  3. The user is redirected to my redirect_url (which is currently a http://localhost page) where their access token is visible as a GET parameter

Now, if I am understanding this correctly, I am going to have to access that access token from my C# program to be able to make the correct GET/POST requests to the API to perform the actions specific to the user. I am not sure where to go from here. How can I pass the token back into my program- is it even possible? Maybe a request of some sort?

Just for testing purposes, I manually hard-coded the generated token and made a GET request to the API, and I was able to successfully pull the user’s information.

Any help is appreciated. Thanks in advance.

You have to send a GET request with Authorization header. :wink:

Exemple with js :"GET", "", true);
    req.setRequestHeader("Authorization", "OAuth " + hash_GET["access_token"]);

This suggests you have used implicit auth?

Did you get a code or a token in the URL?

If it’;s a token in the # section of the URL you are on implicit auth and can use that in the header as suggested.

If it’s a code you need to perform the next step of the oAuth dance and exchange your code for a token

Step 3 On your server, get an access token by making this request:

See this is where I’m stuck. I can make that call from a script running on the redirect page, but that doesn’t help me with getting the token into my application. If I make a GET request from within my C# code, I obviously don’t have access to the hash from the url… :confused:
Am I looking at this the wrong way?

I am using implicit auth so yes, it is an access token.

With implicit auth the access token is returned in the hash from the URL.

If you can’t obtain the hash from the URL, then don’t use implicit auth.

Implicit Auth is sorta designed for Client Apps that you give the whole code to the user. In order to protect/not leak your secret. As oAuth Authorization Code Flows need the secret.

Implicit Auth’s also cannot be renewed, so every four hours or so, your access code will die forcing you to make the user authorize again.

You probably want to be looking at the oAuth Authorization Code flow for most use cases.

Okay, that makes quite a bit more sense haha.

But how would you recommend I go about making the necessary requests in my situation? If I run the POST request from my redirect page (which is just a php file on localhost running a JS file) I will have access to the code in the URL but my token will only be accessed from there, correct? However, if I try to make a request from my Application, I will not have access to the code in the URL…

I am having trouble figuring out how to make the browser-based authentication communicate with my Application.

What do you need to do in your application?

If your application cannot raise a webserver on a localhost port it makes authentication “interesting”.

It’s possible to make users copy/paste things into you application however.

I honestly hadn’t even considered users entering their code manually because I was trying to make the situation as seamless as possible lol. I am first going to try to have my application raise a webserver on a localhost port, as you said. Otherwise, I will have them enter it manually.

Thanks for all the help!

If you have a website you can do something like Spotify : appname:data-information

<a href="spotify:artist:4F84IBURUo98rz4r61KF70">The White Stripes</a>

Or you can use a webview.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.