I’m working on a script for Twitch streams with OBS. This script shall display the stream chat in the stream and write a message to welcome new followers.
For writing a message into the stream chat, the script needs a user token. And therefore, I need a redirect URL. And that’s the problem.
This script shall work as a single script (pure JavaScript, HTML and some CSS), which can be selected as an OBS local browser source. There shall be no server, no port listening or anything else. Just the script.
Due to atomic redirects and cross origin policy, the script is unable to get the user token. It doesn’t work in Chrome or Firefox. Though it does currently work in OBS (probably due to missing or deactivated security policies), I want to fix this in case OBS fixes these security issues.
I’m afraid, but authorization via implicit code flow doesn’t work. The script in your example doesn’t work either. I’m still getting redirected and am not able to get the token, because nothing is listening on a port on my local machine (so redirect fails) and the script is not able to access the window’s location hash (due to cross origin policy).
If it doesn’t work then you’ll need to do it another way. I’m assuming you are on file:// instead of having it served from a server, so you are probably out of luck here. I do all my stuff via server since it’s just easier to manage the keys.
Auth is better held on a remote server so it can be auto refreshed/managed nicely. Without leaking your secret.
The alternative is that a user gets a token from somewhere and manually pastes it into your code/query string argument in OBS, but then when the key dies (even using implicit) it’ll require user interaction, as manual copy paste probably means implicit auth and when that key dies you don’t have a refresh token to auto renew.
I can’t use a server, because the script is meant to run on local machines. The idea behind the script is that it runs without any third party (even without my own server as a third party).
Even if anyone else wants to use the script, he / she just has to get the script, enter the credentials and it works.
Then you are stuck as you need to use a server to get the token, even if that token is then copied and pasted to the script.
The alternative to this is a downloadable program, as something like electron can capture the return in various ways, and then serve the content/script off a local webserver.
But it’s just easier to remote host it all in my opinion.
The only option is to have your oauth url redirect to localhost, which doesn’t exist, but the auth token will be in the url, then have them copy paste that into your webpage as a query string then embed it, but they will have to redo that manually around every 60 days or so.
That won’t work, due to cross origin policy.
Because Twitch doesn’t allow the login page to be embedded in an iframe, I have to use a new window. But I can’t access the window’s location, due to cross origin.
But thanks to you, I got a new idea, which I didn’t try yet. I’ll write the result as a new reply next week (because I’ll get a busy weekend).
I’m sorry, but due to the new chat security feature, which disallows embedding the chat in an iframe, if no parent is provided, I had no time to work on this problem, but rather worked on that new one.
I’ll let you know whether my idea works as soon as I have tested it!
Finally, I had time to work on the idea I got. Unfortunately, it did not work.
I tried, like WLG3R wrote above, to let the redirect go to a localhost, which doesn’t exist. But I could find no way to retrieve the URL from that redirect. I tried it with XMLHttpRequest, the new Fetch API and an iframe. None of them did reveal the URL of the failed redirect.
I don’t want to use a third party software or a desktop program. Just JavaScript.
That is not really a solution, because the UserToken is valid only for a couple of hours. In a 24 hours stream, the user would have to open the script and enter a new token, multiple times.
Same answer as the first one.
Thanks for all of your help. But it seems, there is not even one way to get it done without a server or anything equivalent (like third parties).
Implicit lasts about 60 days. You won’t have to worry about it mid stream if you just generated it. And on load check the validity; if it’s short or expired, ask to login again.
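
The copy-paste route and the on-load validity check discussed in this thread, sketched as an added example that is not part of any post above. It assumes the user pastes the full failed-redirect URL into the page, that the page generated a `state` value when it opened the login window, and that a one-day minimum remaining lifetime is acceptable; the function names, the sample URL and the token in it are constructed for illustration.

```javascript
// Added example, not code from the thread. Sample values are constructed.
const VALIDATE_URL = "https://id.twitch.tv/oauth2/validate";
const MIN_REMAINING_SECONDS = 24 * 60 * 60; // assumption: ask again below one day

// Constructed sample of what the address bar shows after the failed redirect.
const SAMPLE_PASTE = "http://localhost/#access_token=abc123constructedtoken" +
  "&scope=chat%3Aread+chat%3Aedit&state=s1constructed&token_type=bearer";

// The implicit flow returns the token in the URL fragment, so parse the hash.
function parsePastedRedirect(pastedUrl, expectedState) {
  let url;
  try {
    url = new URL(pastedUrl.trim());
  } catch {
    return { ok: false, reason: "not a URL" };
  }
  // A denied login comes back as ?error=... in the query string instead.
  if (url.searchParams.has("error")) {
    return { ok: false, reason: "authorization denied: " + url.searchParams.get("error") };
  }
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  // state ties the pasted URL to the login this page started.
  if (fragment.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  const token = fragment.get("access_token");
  if (!token) return { ok: false, reason: "no access_token in fragment" };
  const scopes = (fragment.get("scope") || "").split(" ").filter(Boolean);
  return { ok: true, token, scopes };
}

// Decide from the validate response whether the user must log in again.
function needsLogin(status, body, requiredScopes) {
  if (status !== 200 || !body) return true; // 401 means expired or revoked
  if (!(body.expires_in >= MIN_REMAINING_SECONDS)) return true;
  const granted = body.scopes || [];
  return !requiredScopes.every((s) => granted.includes(s));
}

// Run once when the browser source loads; needs network access.
async function checkOnLoad(token, requiredScopes) {
  const res = await fetch(VALIDATE_URL, { headers: { Authorization: "OAuth " + token } });
  const body = res.status === 200 ? await res.json() : null;
  return needsLogin(res.status, body, requiredScopes);
}
```

Keeping the token in the fragment rather than moving it into a query string keeps it out of any request line the page later sends.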