Hiding Implicit OAuth Token


My website uses OAuth implicit code flow to get a token from the user.
Problem is, the site will be streamed to viewers meaning the address bar is visible thus the token as well.
Is it possible to get the token from a POST, or something else?
Since my scope is only “read:chat” and i just need an Oauth to query sub emotes, and badges. Is it okay to show the token?

As for the other OAuth code flows; i do not want to add a server, everything must run client side.

By not using implict auth.

if it’s gonna be visible on stream, generally speaking no.
As someone will likely just go revoke it and then you have to make a new one
Then someone revokes it again.

Then you are stuck really

The whole purpose of implict auth is to do auth without a server and show the users own token to themself.

1 Like

Appreciate the feedback!
i will consider my options then

I personally solved this possible issue by using a long search parameter on the redirect url to hide the hash part of the URI on load. Then I have a Javascript part which is loaded “onload” which looks like this:

// Clear location.hash for security purposes (So a user doesn't copy the link and sends their token to another user)
if(window.location.hash.length > 0) window.location.hash = '';
if(window.location.search.length > 0) {
	// Update URL
	let url = new URL(window.location);
	url.search = '';
	window.history.pushState({}, '', url);

Basically first removing the hash part from the URI and then rewriting it to remove the long search parameter part.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.