Multiple Redirect URIs for Single Application

Hello,

I was wondering if there was a way to have more than one Redirect URI for a Twitch Application. Since each part of my application is “separate” from the others having one entry point after authentication isn’t that feasible.

I was just curious if there was a way to use a comma-delimited string to have 2 or 3 Redirect URIs, or a wildcard so all child pages of a domain name will be allowed.

I know I can create multiple Applications but then having to manage multiple public and private keys wouldn’t be the most effective. If anyone has any ideas or suggestions, it would be a great help.

Thank You. And if you have any questions about what I’m asking, I’ll be more than happy to answer them.

You can only have one redirect URL per application. What I would recommend is to have a single “landing page” that will accept the token response and then redirect the user back to the correct part of the application based on where they were located before starting the auth handshake process.

You could store this info in the state param so it will be accessible to your application after the auth handshake is done.

(This may only apply to the authorization code flow. I’m not sure if implicit supports state or not.)

The scope parameter appears to work inside of the Implicit Grant Flow method, but you will then need to use JavaScript to redirect the user to the proper location since the variable appears in the fragment of the URL. This isn’t the best method, but it may be one of my only solutions unless I switch to the Authorization Code Flow, which I probably will do.

Thanks for the quick reply. I really appreciate it.


Updated Response

If anyone else is having an “issue” similar to mine and has the need to have multiple URLs with API access, here is the solution I ended up using in the end. It only took me about an hour to update my old Token Implicit Grant Flow method to the Authorization Code Flow method.

The first thing is to create the authorization file on your server. I didn’t have the need to store tokens since I don’t need to access user information when they are offline. The file should simply perform the POST request to https://api.twitch.tv/kraken/oauth2/token with the proper POST data. More information on Twitch’s GitHub.

I also implemented a unique key for each request that I pass as state with the initial authorization request. I verify that the returned state value is valid; this helps prevent CSRF. If the value isn’t valid, I don’t make the above authorization request and show a warning to the user.

Along with the CSRF state value, I also pass a redirect URL in the state value. Once the user is successfully authorized I will redirect them. I did some parsing of the redirect URI that I pass to make sure it stays on my website and doesn’t contain any Cross Site Scripting code. If you want, you can redirect the user and include the token in the URL fragment so you don’t have to change any existing JavaScript you have on your site. When redirecting based on URL parameters, make sure you don’t leave your website, or include a white-list of allowed URLs.

Hopefully this makes some sense and will help at least one person.

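The landing-page approach from the update above, written out as an added example (not the poster's own code): a per-request nonce is stored server-side and packed into `state` together with the return path; on callback the nonce is checked before the code is exchanged, and the return path is only accepted if it is site-relative. The session dict, the `CLIENT_ID`/`CLIENT_SECRET` placeholders and the single `REDIRECT_URI` are assumptions; the token endpoint is the one named in the post, and the example builds the POST form but does not send it.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import urlsplit

TOKEN_URL = "https://api.twitch.tv/kraken/oauth2/token"   # endpoint named in the post
REDIRECT_URI = "https://example.test/oauth/landing"        # assumed single registered URI
CLIENT_ID, CLIENT_SECRET = "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER"


def make_state(session: dict, return_to: str) -> str:
    """Mint a one-time nonce, remember it server-side, and pack nonce + return path."""
    nonce = secrets.token_urlsafe(16)
    session["oauth_nonce"] = nonce
    raw = json.dumps({"n": nonce, "r": return_to}).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def safe_return_path(candidate, default: str = "/") -> str:
    """Accept only a path on this site: no scheme, no host, no '//evil', no backslashes/controls."""
    if not isinstance(candidate, str) or not candidate.startswith("/") or candidate.startswith("//"):
        return default
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:          # belt and braces: must stay relative
        return default
    return candidate


def handle_callback(session: dict, query: dict):
    """Return (ok, redirect_target_or_reason, token_request_form). Pops the nonce so it is single-use."""
    expected = session.pop("oauth_nonce", None)
    state, code = query.get("state"), query.get("code")
    if not expected or not state or not code:
        return False, "missing state or code", None
    try:
        data = json.loads(base64.urlsafe_b64decode(state + "=" * (-len(state) % 4)))
        if not isinstance(data, dict):
            raise ValueError("state is not an object")
    except Exception:
        return False, "malformed state", None
    if not hmac.compare_digest(str(data.get("n", "")).encode(), expected.encode()):
        return False, "state mismatch (possible CSRF); not exchanging the code", None
    form = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "grant_type": "authorization_code",
            "redirect_uri": REDIRECT_URI, "code": code}   # POST this to TOKEN_URL
    return True, safe_return_path(data.get("r")), form
```

After a successful exchange, the token can be placed in the fragment of the returned path so existing client-side code keeps working, as the post suggests.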