OAuth Token Refreshing Help


I’m still learning to code, let alone develop items using a sophisticated API such as the one provided by Twitch. I’m currently making an attempt at a chatbot for a buddy’s channel just to get some practice with coding and some of the industry standards that I might see once I’m out in the field. I’ve picked up Javascript for the first time to try and undertake this project, so I’m not super well versed, but I do know some things. i have the chatbot currently working by running it on my own computer through the command prompt. After some research, however, getting the Auth token can be troublesome for extended period of use (i.e. weeks). Not that he is going to be live for that long, but having to manually change the token out after a day or two could be a pain. Seeing as I’m running the bot on my own computer, Authorization Code Flow isn’t really an option, due to needing a client secret and not being able to store it securely, but I’m not opposed to changing where/how the bot is run.

To sum everything up, I was wondering what alternatives there are that would allow me to automatically refresh the token, i.e. Authorization Code Flow. Would I need to run a server of some sort? Would I need to create a website for the redirect uri? And if I would need to run some sort of server for this, do you have any documentation or websites that you can recommend I take a look at?

I’m only currently using the token to read information from the bits:read scope, but I have plans to expand it further in the future. Whether or not these expansions will require other scopes, I am unsure, but we can cross that bridge when we come to it.

Again, I’m new to the entirety of this sort of development, and I may be misunderstanding any of this information, but I’m more than willing to learn. Any help at all would be appreciated and if you need any further information, feel free to ask!

Thank you for your time.

If you’re running the bot on your own computer, and only there, then why would you not be able to store a client secret securely? In that case your computer basicially becomes the server the bot runs on. As long as you don’t distribute the client secret in any form (for example as part of your program, if you wanted others to host the bot themselves) it should be possible to store it so that nobody else can access it. Unless you’re concerned about the security of your computer in general, for example if multiple people have access to it.

Of course the question remains as to how you get authorization in the first place. That really depends. If you just want to get a token of your own account locally, then you could simply use localhost as the redirect URL and either manually get the information from the redirect and paste it into your bot (which will then make the requests using the client secret to get the actual token) or have the bot run a simple webserver on localhost so it can retrieve it automatically. If other people are supposed to authorize the bot to act on their behalf then you’ll need a publicly reachable website as redirect and e.g. store the tokens in a database that your bot (and nobody else) can access in a secure manner. Again, this all is given that you don’t distribute the bot to others, at least not containing any login data. If you wanted others to host the bot themselves they’d have to register their own app on Twitch for it, with their own client secret, and setup their own website.

I appreciate the quick reply!

I honestly got the notion that it was just bad practice to store it on your personal computer, to be honest. So it should be fine so long as noone else has access to my computer?

And as I stated before, I am making this bot for another person, who happens to live in another state. I’ve already used my own account to test that the code I’ve written works and pulls the information down correctly. At least for the integration that I want to put in now. I used localhost as the redirect url when doing this.

So the only issue would be setting up the server/publicly reachable website to have him authorize the bot, correct? This including some kind of database to house the tokens that the bot, and nobody else, should have access to? If this is what I need to do, would you happen to have any recommendations on guides or websites or such that could lead me in the right direction for doing that?

Also, just as a secondary thing, he does have a second tower at his home and has already stated he wouldn’t mind running it on that. Would this be an easier option? Give him the code, without any of the sensitive information, and walk him through filling out what he needs to and then walking him through the entire localhost token retrieving? And then from there, if coded correctly, it should be able to automatically refresh? Further, we’ve created an account just to act as the bot, would they still need to register it if it was already registered under that account? Or just need access to that account to get the Client-ID and such?

Lastly, I’m still slightly confused about the client secret. I thought I had grasped it, but I’m still unsure as to if it is something given to us or something that we create. If you could shed some further light on that regard as well, I would be very thankful.

Thanks for your time.

That’s how I understand it. The client secret is basicially a password to authenticate your app, so that Twitch knows that it’s actually your app wanting to request the token and not an attacker that somehow got hold of an access/refresh token. So the important part is that you keep it private. If it is bad practice to store it on your personal computer for a bot that runs on your personal computer, then I’m not aware of it. I suppose a personal computer could generally be considered less secure than a server, but then again this is for a program that pretty much just one person uses, so the risk also seems minimal.

Sorry, I can’t help you with any details, since I haven’t put it into practice yet myself.

It doesn’t really matter under what Twitch account the app is registered, they just need to get their own Client ID/Secret if they want to host your bot themselves.

According to the docs it’s shown to you once when you register your app on Twitch.

Aha! I missed that bit about them generating the client secret for me! Thank you very much for all of your help with this!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.