I am building a mobile app and do not have a web server backend. I was going to use Oauth password authentication, but Twitch appears to block it on a case by case basis. When I try to authenticate, I get “Password grant not permitted for client ID”.
Since I don’t have a web server to redirect to, and since Twitch doesn’t allow redirecting to a non-http URI scheme, is it possible to get whitelisted to be able to use Password Grant? Who do I need to contact at Twitch to do so?
Twitch discontinued the Password Grant Flow, so unfortunately they will not grant any additional applications access.
As for how to go about implementing authentication on a mobile device, you would probably need to launch a local, high-port web server on the mobile device, as Twitch doesn’t support non-http(s) URI schemes that mobile devices support.
You could then configure a redirect to http://127.0.0.1 on whatever port you’ve bound to in order to grab the access code and request a token.
This seems a bit absurd. Are you sure?
I can grab the access token from the redirect (http://localhost/oauthCallback?code=######), but I don’t know how to get the final token using only Objective-C.
If you know how to do this already I’d recommend looking at the implicit grant flow. The final token will be included after the #.
@gareth, if you’re referring to presentLoginViewForClientID:redirectURI:, this seems to have the same problem in that it requires a redirectURI. More importantly, it seems to be completely broken. I tried it and got error 500 passing my username for the Client ID and http://localhost, or any other address, as the redirectURI; never even got the Twitch logon.
@george, I’ll take a look…any frameworks you recommend to do this on iOS?
@george, is it possible that this callback code I’m getting IS the final token? I’m fairly new to OAuth and documentation is incredibly poor.
The auth code is not a token, it’s an auth code. Please read the authentication documentation: https://github.com/justintv/Twitch-API/blob/master/authentication.md#authorization-code-flow
If it says “?code=” then that is not the final token (authorization code flow). If it says “#access_token=” then that is the final token (implicit flow).
@Praxis I believe you don’t understand how this works. You can set any URL as the redirect URL, as long as you set the exact same URL in your clientid settings as the APP. Then when you are redirected to that URL (on the client side) you read the authtoken out of the URL and fail the redirection. This is how OAuth based authentication is done industry wide.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.