OAuth Implicit Code Flow (User Access Tokens) Expiration?

Have a probably stupid question here. In double checking the Authentication documentation, I know that it is mentioned that tokens must be refreshed moving forward. However, when reading the documentation for OAuth Implicit Code Flow (User Access Tokens), there isn’t a refresh token returned, it has only ever returned the access_token. Now, I know later it is mentioned that “application tokens cannot be renewed” but does that mean that this type of token does expire in X hours/days, without reporting back the expiration time?

From the docs:

  1. If the user authorizes your application, she is redirected to your redirect URL:

https://#access_token=

The access token is in the URL fragment, not the query string, so it will not show up in HTTP requests to your server. URI fragments can be accessed from JavaScript with document.location.hash.

The response includes the nonce and state parameters, if they were in your request.

In our example, your user gets redirected to:

https://localhost#access_token=pk2bh6y1vi8mrn7l67bp9i6dpg2wnk
&scope=viewing_activity_read
&state=c3ab8aa609ea11e793ae92361f002671

This is the type of token that I currently use in a couple of apps to obtain chat_login, for example, and that I use when I lose the OAuth in Chatty. So that said, are these types of access_tokens also going to expire, and if so, does this mean that I need to swap over to OAuth Authorization Code Flow (User Access Tokens) instead?

Implicit code flow is meant for entirely client-side applications and such applications generally run the user through the login flow once per session, and sessions are unlikely to last longer than the token does (at least that’s how it should be).

Right, that is my understanding of the flow, and what I use for generating OAuth for logging into chat with applications like Chatty. So, if it doesn’t expire, then great. Otherwise, I mean, that becomes a bit of a pain.

Thanks for clarifying!

Cheers

Custom applications like Chatty can implement refresh tokens or prompt for re-authentication when a token expires so it’s not an issue.

Plain IRC clients will be a problem unless there are alternate means of generating tokens for them.

So, the tokens will expire then is what you are saying?

Based on what the roadmap says, yes.

That’s the reason I need to constantly relogin into Chatty over and over again every 2 hours?

I was modding in a channel with over 1k viewers and was constantly bugged that my login was not working anymore.

Sorry, but that’s not really user friendly :(

Roadmap aside, I am reading the v5 documentation which seems to indicate that the future is now in terms of refresh tokens.

Implicit flow does not have refresh tokens, it’s meant to authorize single sessions in entirely client-side applications.

2 Likes

That process was working until the time of the last problems of Twitch …

Since then it’s not working anymore for me.

Is there any update on this? It seems that tokens for newly registered applications only last for a few hours.

This is a problem for clientside apps which don’t live in the web, because users have to open a browser to authenticate again. It’s just not practical to ask users to do that, especially during a stream (which can easily last longer than a few hours). And getting a refresh token isn’t an option because it requires a client secret (Authorization flow), which can never be stored securely in a clientside application (at best it would be obscured in some way, e.g. by being compiled).

1 Like
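The redirect handling quoted from the docs in the first post, together with the "prompt for re-authentication when a token expires" approach mentioned in the replies, as an added example that is not part of any post in this thread and is not Twitch's or Chatty's code. The function names, the optional `expires_in` parameter (defined by RFC 6749 but not shown in the quoted docs) and the use of HTTP 401 as the rejection signal are assumptions.

```javascript
// Added example. Redirect value copied from the docs excerpt quoted in the thread.
const SAMPLE_REDIRECT = 'https://localhost#access_token=pk2bh6y1vi8mrn7l67bp9i6dpg2wnk' +
  '&scope=viewing_activity_read&state=c3ab8aa609ea11e793ae92361f002671';

function parseImplicitRedirect(redirectUrl, expectedState, now = Date.now()) {
  const url = new URL(redirectUrl);
  // A token in the query string would be sent to the server and logged there.
  if (url.searchParams.has('access_token')) {
    throw new Error('access_token in query string, expected URL fragment');
  }
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('no access_token in fragment');
  // state must equal the value this client generated for the request.
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch, discarding token');
  }
  const scopes = (params.get('scope') || '').split(/\s+/).filter(Boolean);
  // Assumption: expires_in (RFC 6749) may or may not be present.
  const ttl = Number(params.get('expires_in'));
  // Absent or malformed expires_in means "lifetime unknown", not "never expires".
  const expiresAt = Number.isFinite(ttl) && ttl > 0 ? now + ttl * 1000 : null;
  return { accessToken, scopes, expiresAt };
}

// With no refresh token, the only recovery is another trip through the login flow.
// Assumption: the API answers 401 when it no longer accepts the token.
function nextStep(session, lastStatus, now = Date.now()) {
  if (lastStatus === 401) return 'reauthenticate';
  if (session.expiresAt !== null && now >= session.expiresAt) return 'reauthenticate';
  return 'use-token';
}

// Browser only: take the token out of the address bar and history after parsing.
function clearFragment() {
  if (typeof history !== 'undefined' && typeof location !== 'undefined') {
    history.replaceState(null, '', location.pathname + location.search);
  }
}
```

A client that receives no expiry information has to treat a rejected request as the expiry signal and discard the stored token before prompting the user again.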
