OAuth authorization code flow security

Hi

For the authorization code to get the user access token,

https:///?code=

is it safe for the user or anybody to be able to see the authorization code or do I have to hide it in the server or something. I’m using nodejs.

That code is immediately exchanged for an access token (by you)
That code can only be used with your Client Secret.
That code can only be used once.

The general advice is to grab that code, do stuff, and then auto redirect.

Then it avoids users F5-ing and getting an error as the code is used/now invalid

There’s a brief moment where the access code can be seen in the URI on the client side. When I try to do everything in the server I get a lot of cors related problems.

What I did was parse the URI and then send a post request back to the server side to get the access token.

Is there a better way to do this?

You are doing nothing wrong.

This is HOW OAuth works.

  • You send the user to Twitch,
  • They accept the connection (or decline)
  • If they accept, they then get redirected to your website and you get a code in the URL as a query string parameter

The Code is a one use string that you use to exchange for an access token.

It’s useless to anyone else and is not considered a “secret” that needs to be hidden.

That ?code= is not an access token.

If you were using implicit auth you get a #access_token and you don’t need to really hide that as it’s the users own token.
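The flow the answer above describes, as an added example that is not code from the thread or from Twitch: the server-side callback handler in plain Node.js, which takes `?code=` from the redirect, exchanges it with the client secret (kept on the server), and then redirects so a refresh does not resend the used code. It assumes Twitch's token endpoint URL and constructed placeholder values for the client id, secret and redirect URI; the HTTP call is injected as a function so the example runs offline.

```javascript
// Assumed configuration: the token endpoint is Twitch's; other values are
// constructed placeholders. The client secret never leaves the server.
const CONFIG = {
  tokenEndpoint: 'https://id.twitch.tv/oauth2/token',
  clientId: 'placeholder-client-id',
  clientSecret: 'placeholder-client-secret',
  redirectUri: 'https://app.example/callback',
  afterLogin: '/dashboard',
};

// Pull ?code= out of the redirect URL the browser arrived on. The code is
// single-use and useless without the client secret, so it is not a secret.
function extractCode(redirectUrl) {
  const params = new URL(redirectUrl).searchParams;
  if (params.get('error')) throw new Error(`auth denied: ${params.get('error')}`);
  const code = params.get('code');
  if (!code) throw new Error('no authorization code in redirect');
  return code;
}

// Form-encoded body of the server-to-server POST to the token endpoint.
function buildTokenRequest(code, cfg) {
  const body = new URLSearchParams({
    client_id: cfg.clientId, client_secret: cfg.clientSecret, code,
    grant_type: 'authorization_code', redirect_uri: cfg.redirectUri,
  });
  return { url: cfg.tokenEndpoint, body: body.toString() };
}

// Callback handler: exchange the code, then answer 302 so a refresh (F5)
// does not resubmit the now-invalid code. postForm(url, body) is the HTTP
// call, injected so this runs offline; a real server would use fetch().
function handleCallback(redirectUrl, cfg, postForm) {
  const req = buildTokenRequest(extractCode(redirectUrl), cfg);
  const token = postForm(req.url, req.body);
  if (!token.access_token) throw new Error('token exchange failed: ' + token.error);
  return { status: 302, location: cfg.afterLogin, accessToken: token.access_token };
}

// Constructed stand-in for the token endpoint: each code is accepted once
// and only with the right client secret.
const usedCodes = new Set();
function fakeTokenEndpoint(url, body) {
  const p = new URLSearchParams(body);
  if (p.get('client_secret') !== CONFIG.clientSecret) return { error: 'bad secret' };
  if (usedCodes.has(p.get('code'))) return { error: 'code already used' };
  usedCodes.add(p.get('code'));
  return { access_token: 'constructed-token-for-' + p.get('code') };
}
```

Because the exchange happens server to server, the browser never makes a cross-origin request to the token endpoint, which sidesteps the CORS errors mentioned earlier in the thread.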
