OAuth + 2FA with Electron

Hi,
Newbie here. Never dealt with OAuth before, but I think I understand the concept.

Trying to implement it in an Electron app, and I think I’m doing fine so far. I’m opening the Twitch authentication in a new window and using the implicit grant flow method, and after entering my password I get redirected to a page with this content:

{"redirect":"/twofactor/new?client_id=mi6jyhrlwjmi2h8wxk6yyx2urusseu2\u0026code=possiblysecretcodeilljustomit\u0026embed=false\u0026kraken_oidc_nonce=\u0026nonce=thisonetoomaybe\u0026redirect_uri=http%3A%2F%2Flocalhost\u0026request_id=\u0026response_type=token\u0026scope=channel_editor\u0026state=\u0026sudo_reason="}

Considering the fact that I’m using 2FA on my account I’m guessing this is related to that, but is there a right way to handle this? I’m guessing it’s just a matter of manually redirecting to the given URL, but I’m not sure why it doesn’t happen automatically. Electron’s ‘did-get-redirect-request’ event does not fire for this. (but it does for some other redirects)

Also, am I right in thinking I don’t need my client secret at all while using implicit grant flow? No sensitive source code?

You are correct in that implicit grant flow does not need the client secret. I seem to remember someone else having the redirect issue on these forums close to a year ago, but I can’t find the thread or remember the solution.

Myeah, I have searched quite a lot.

Did some more investigation. This is the URL I’m using:
https://api.twitch.tv/kraken/oauth2/authorize?response_type=token&redirect_uri=http%3A%2F%2Flocalhost&scope=channel_editor&client_id=mi6jyhrlwjmi2h8wxk6yyx2urusseu2

After submitting my login details, the following is printed in the Electron console:
Resource interpreted as Document but transferred with MIME type application/json: "https://passport.twitch.tv/authentications/new".
Don’t know if that’s of any significance. I don’t seem to get the same when trying it in Chrome. (where this does work, I forgot to mention) I also noticed the page content mentioned in OP is actually wrapped in HTML tags. Something similar seems to be discussed here:


Again, don’t know if that’s of any significance nor where this needs to be fixed. (if it does)

Also, after trying a dozen times I of course run into the captcha guard, but that also behaves the same way. Returning a page with some JSON error instead of redirecting me back to the login page, or whatever the intended behavior is. Don’t think the console notification was printed for that, though.

Ok, it magically works now. Haven’t tried for a few days and not changed any code since I last posted. Guess something was fixed on the back end? Strange that it worked in Chrome, though.
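
Added example, not part of the original posts and not Twitch's or Electron's own code: a sketch of the implicit grant flow discussed in this thread that needs no client secret, sends a random `state` value (the redirect quoted in the first post shows `state=` empty), and reads the token from the redirect fragment only when that `state` comes back unchanged. The function names and the client ID and token used with them are hypothetical; the authorize endpoint and redirect URI are the ones quoted above.

```javascript
// Added example: implicit-grant helpers for a desktop (Electron) client.
// Web Crypto is global in Electron and recent Node; older Node needs the module.
const webCrypto = globalThis.crypto ?? require('crypto').webcrypto;

const AUTHORIZE_URL = 'https://api.twitch.tv/kraken/oauth2/authorize'; // from the thread
const REDIRECT_URI = 'http://localhost';                                // from the thread

// Random, single-use value that ties the response to the request we started.
function newState() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Only public values go into the URL: the implicit flow has no client secret.
function buildAuthorizeUrl(clientId, scopes, state) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    response_type: 'token',
    client_id: clientId,
    redirect_uri: REDIRECT_URI,
    scope: scopes.join(' '),
    state,
  }).toString();
  return url.toString();
}

// Returns { token, scope } when navigatedUrl is our redirect carrying a token,
// null for any other page (login form, 2FA step, captcha), and throws when the
// redirect is ours but reports an error or carries the wrong state.
function parseRedirect(navigatedUrl, expectedState) {
  const url = new URL(navigatedUrl);
  if (url.origin !== new URL(REDIRECT_URI).origin) return null;
  const fragment = new URLSearchParams(url.hash.slice(1));
  const error = url.searchParams.get('error') ?? fragment.get('error');
  if (error) throw new Error(`authorization failed: ${error}`);
  const token = fragment.get('access_token');
  if (!token) return null;
  if (fragment.get('state') !== expectedState) throw new Error('state mismatch');
  const scope = (fragment.get('scope') || '').split(/\s+/).filter(Boolean);
  return { token, scope };
}
```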
