Hide ClientID in login with twitch request

Hi guys,

I have this button on my website:

<a href="https://api.twitch.tv/kraken/oauth2/authorize?response_type=code&client_id=[CLIENTID]&redirect_uri=http://localhost:4200&scope=user_read">Login with Twitch</a>

As you can see, it is a login with Twitch; it takes my client ID and redirects to that URL after the login.
When I am on the Twitch login page, at the top I can see the ClientID in the URL.

Is this correct, or is it a lack of security?
If it is, how can I hide the ClientID?

If it is something public or not problematic to share, let me know.
Thanks for the help

Client IDs are public; you don't need to do anything to hide them.

Auth tokens and client secrets, though, are private and should never be exposed to any end user or to the public.


Actually, when the user logs in, Twitch redirects to http://localhost:4200 and at the top I can see my URL, which looks like:

http://localhost:4200/#oauth=dfasgdsgasgas

So the end user actually sees HIS OAuth token, but that's fine, right? Since it is his OAuth token and I use it to know the info that he allowed me to see.
Or there is a way to hide this content when he gets back to http://localhost:4200?

That is the correct and only way that implicit auth works.

The user seeing their own OAuth token is fine, as it's theirs. Additionally, an implicit auth token usually has a shorter validity and no way to refresh it.


As Barry said, with the implicit flow that is intentional, and because of its nature it has drawbacks and limitations, such as no ability to refresh the token (meaning you have to get the user to go through the auth process each time the token expires) and a shorter expiration.

If you use the Authorization Code flow, rather than getting redirected with the token in the URL, you get a code instead, which your server can exchange for an access token (and only your server can do this, as it requires your client secret, which the end user should never know). This also has the advantage of giving you a refresh token, so that if the token expires you can refresh it without user interaction.

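The two flows described in the last two replies, written out as an added example (this is not code from the original thread or from Twitch). The authorize endpoint and parameter names follow the URL in the first post; the token endpoint, the shape of the exchange and refresh requests, the `state` nonce handling and all sample values are assumptions for illustration. The point it demonstrates: the client ID is meant to appear in the browser URL, the implicit flow puts the token itself in the URL fragment the user can see, and the code flow puts only a one-time code there, which is worthless without the client secret that stays on the server.

```javascript
// Added example, not code from the original thread. Endpoint URLs follow the
// thread's own link; the token endpoint, request shapes and sample values are
// assumptions for illustration.
const AUTHORIZE_URL = "https://api.twitch.tv/kraken/oauth2/authorize";
const TOKEN_URL = "https://api.twitch.tv/kraken/oauth2/token"; // assumed endpoint

// Builds the login link from the original post. client_id is a public
// identifier, so it is expected to show up here. `state` is a random nonce
// kept in the user's session so the redirect can be tied back to the request
// that started it (rejecting redirects you never initiated).
function buildAuthorizeUrl({ clientId, redirectUri, scope, responseType, state }) {
  const u = new URL(AUTHORIZE_URL);
  u.searchParams.set("response_type", responseType); // "token" = implicit, "code" = auth code
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", scope);
  u.searchParams.set("state", state);
  return u.toString();
}

// Interprets the URL the user lands on after Twitch redirects back.
// Implicit flow: the token is in the fragment (#access_token=...), visible to
// the user, never sent to your server by the browser, and not refreshable.
// Code flow: a one-time code is in the query string, useless without the secret.
function parseRedirect(redirectedUrl, expectedState) {
  const u = new URL(redirectedUrl);
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ""));
  const query = u.searchParams;
  const state = fragment.get("state") ?? query.get("state");
  if (state === null || state !== expectedState) {
    throw new Error("state mismatch: reject the redirect (possible CSRF or stale login)");
  }
  if (fragment.has("access_token")) {
    return { flow: "implicit", accessToken: fragment.get("access_token"), refreshable: false };
  }
  if (query.has("code")) {
    return { flow: "code", code: query.get("code") };
  }
  throw new Error("redirect carried neither an access_token nor a code");
}

// Server side only: the request that swaps the code for tokens. This is the
// step the end user cannot perform, because it needs client_secret. The
// request is returned as data rather than sent, so it can be inspected.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri }) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret, // never ships to the browser
    grant_type: "authorization_code",
    redirect_uri: redirectUri,
    code,
  });
  return { method: "POST", url: TOKEN_URL, body: body.toString() };
}

// Server side only: renew an expired access token without user interaction,
// which the implicit flow cannot do because it never yields a refresh token.
function buildRefreshRequest({ clientId, clientSecret, refreshToken }) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: "refresh_token",
    refresh_token: refreshToken,
  });
  return { method: "POST", url: TOKEN_URL, body: body.toString() };
}

// Sends one of the requests above from the server; kept separate so the
// builders stay pure and testable offline.
async function sendTokenRequest(req, fetchImpl = fetch) {
  const res = await fetchImpl(req.url, {
    method: req.method,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: req.body,
  });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res.json(); // expected shape: { access_token, refresh_token, scope, ... }
}
```

Two things worth noticing when running this: the browser never sends the `#fragment` to your server, so in the implicit flow the token exists only in the user's own page, which is why seeing it there is harmless to you; and `parseRedirect` refuses any redirect whose `state` does not match the nonce you issued, which is the check that stops someone from handing your app a code or token you did not ask for.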
