OAuth User Token without Server

Hi there!

I’m working on a script for Twitch streams with OBS. This script shall display the stream chat in the stream and write a message to welcome new followers.
For writing a message into the stream chat, the script needs a user token. And therefore, I need a redirect URL. And that’s the problem.

This script shall work as a single script (pure JavaScript, HTML and some CSS), which can be selected as an OBS local browser source. There shall be no server, no port listening or anything else. Just the script.

Due to atomic redirects and cross origin policy, the script is unable to get the user token. It doesn’t work in Chrome or Firefox. Though it does currently work in OBS (probably due to missing or deactivated security policies), I want to fix this in case OBS fixes these security issues.

The script is open source. You can view it on GitLab (https://gitlab.com/Winder/winders-obs-chat-bot-for-twitch).

I hope you can help me. I’m working on this issue for weeks and am running out on ideas.

You need a proper bot really.

Also followers don’t really like to be welcomed in chat especially lurkers. But do what works for the stream

You need implicit auth, since you need chat write powers/ability to login to chat to send the thanks for follow message


I really wouldn’t do it like this. But it can be made to work like this.

Server side using webhooks for follow notification and repeat follow de-duplication and a long running bot would fit better.

A lot of stuff like this is disabled in the browser source, since it’s essentially a headless browser and “workarounds”/alternative access is needed


Wow, thanks for the (very) quick response!

I’ll try this implicit authorization and write a new reply with the result.

I’m afraid authorization via the implicit code flow doesn’t work. The script in your example doesn’t work either. I’m still getting redirected and am not able to get the token, because on my local machine nothing is listening on a port (so the redirect fails) and the script is not able to access the window’s location hash (due to cross origin policy).

If it doesn’t work then you’ll need to do it another way. I’m assuming you are on file:// instead of having it served from a server, so you are probably out of luck here. I do all my stuff via server since it’s just easier to manage the keys

Auth is better held on a remote server so it can be auto refreshed/managed nicely. Without leaking your secret

The alternative is that a user gets a token from somewhere and manually pastes it into your code/query string argument in OBS, but then when the key dies (even using implicit) it’ll require user interaction, as manual copy paste probably means implicit auth and when that key dies you don’t have a refresh token to auto renew.

Yes, that’s exactly the case. That’s why I have all these problems. Do you - or anyone else - know a solution to my problem?

I’d use a server as then you have better control over token management.

I can’t use a server, because the script is meant to run on local machines. The idea behind the script is that it runs without any third party (even without my own server as a third party).
Even if anyone else wants to use the script, he / she just has to get the script, enter the credentials and it works.

Then you are stuck as you need to use a server to get the token, even if that token is then copied and pasted to the script.

The alternative to this is a downloadable program, as something like electron can capture the return in various ways, and then serve the content/script off a local webserver.

But it’s just easier to remote host it all in my opinion.

That’s exactly the reason why I came to this forum. I couldn’t find a solution for myself and am asking for help.

The only option is to have your oauth url redirect to localhost, which doesn’t exist, but the auth token will be in the url, then have them copy paste that into your webpage as a query string then embed it, but they will have to redo that manually around every 60 days or so.

I suggested that already :smiley:

That won’t work, due to cross origin policy.
Because Twitch doesn’t allow the login page to be embedded in an iframe, I have to use a new window. But I can’t access the window’s location, due to cross origin.

But thanks to you, I got a new idea, which I didn’t try yet. I’ll write the result as a new reply next week (because I’ll get a busy weekend).

Hi there,

I’m sorry, but due to the new chat security feature, which disallows embedding the chat in an iframe if no parent is provided, I had no time to work on this problem, but rather worked on that new one.

I’ll let you know whether my idea works as soon as I have tested it!

yeah file:// is not supported for chat embeds.

And in your case, I’d have thought you’d be connected to chat as the bot and processing/displaying the chat, so no need to embed the iframe.

Yes, that’s right. But I did embed it. Now, I’m working on my own way to display the chat messages I receive. And I’m nearly done.

Hi there,

finally, I had time to work on the idea I got. Unfortunately, it did not work.

I tried, like WLG3R wrote above, to let the redirect go to a localhost, which doesn’t exist. But I could find no way to retrieve the URL from that redirect. I tried it with XMLHttpRequest, the new Fetch API and an iframe. None of them did reveal the URL of the failed redirect.

Electron, the desktop program, can capture the failure.

Or you get the user to

copy and paste the token from the URL of the broken redirect

Or you throw a page up on GitHub like this


Which’ll return the user’s OAuth token after implicit auth for the user to copy and paste from GitHub to your program


I don’t want to use a third party software or a desktop program. Just JavaScript.

That is not really a solution, because the UserToken is valid only for a couple of hours. In a 24 hour stream, the user would have to open the script and enter a new token multiple times.

Same answer as the first one.

Thanks for all of your help. But it seems there is not even one way to get it done without a server or anything equivalent (like third parties).

Implicit lasts about 60 days. You won’t have to worry about it mid stream if you just generated it. And on load check the validity of it; if it’s short or expired, ask to login again.
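Added example (mine, not code from this thread or the linked GitLab project) covering the redirect-target page idea from the GitHub suggestion above and the on-load validity check in the last reply: it parses the token out of the implicit-flow URL fragment, rejects a response whose `state` does not match, and classifies the answer of Twitch’s `/oauth2/validate` endpoint. It assumes the page stored its `state` under the sessionStorage key `oauth_state` before redirecting, and uses `chat:read`/`chat:edit` as the scopes the chat writer needs.

```javascript
// Added example (not code from this thread or the linked GitLab project): the two
// pieces a server-less implicit-flow page needs once Twitch redirects back to it.
//  1. parse the token out of the URL fragment appended after `response_type=token`,
//     checking the `state` value the page generated before redirecting;
//  2. decide, from the JSON that GET https://id.twitch.tv/oauth2/validate returns
//     (header `Authorization: OAuth <token>`), whether a stored token is still
//     usable or the user has to log in again.

// Parse `#access_token=...&scope=...&state=...&token_type=bearer`.
// Returns null when the fragment carries no token or the state does not match.
function parseImplicitFragment(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const token = params.get("access_token");
  if (!token) return null;                                 // e.g. `#error=access_denied`
  if (params.get("state") !== expectedState) return null;  // reject responses we did not start
  return {
    token,
    tokenType: params.get("token_type") || "bearer",
    // several scopes arrive space-separated (URL-encoded as "+")
    scopes: (params.get("scope") || "").split(" ").filter(Boolean),
  };
}

// Given the parsed body of /oauth2/validate (null when it answered 401), report
// whether the token is good for at least `minSeconds` and has every needed scope.
function tokenStatus(validateBody, requiredScopes, minSeconds) {
  if (!validateBody) return "expired";                     // 401: ask to log in again
  const missing = requiredScopes.filter((s) => !validateBody.scopes.includes(s));
  if (missing.length > 0) return "missing-scope";
  return validateBody.expires_in >= minSeconds ? "ok" : "expiring";
}

// Browser-only glue: when this page is the redirect target, read the hash once
// and then strip the token from the address bar (and from browser history).
if (typeof window !== "undefined") {
  const expected = sessionStorage.getItem("oauth_state");  // assumed key, stored before redirect
  const auth = parseImplicitFragment(window.location.hash, expected);
  if (auth) history.replaceState(null, "", location.pathname);
}

// Node entry point so the block runs stand-alone on a constructed fragment.
if (typeof require !== "undefined" && require.main === module) {
  const hash = "#access_token=CONSTRUCTED_TOKEN&scope=chat%3Aread+chat%3Aedit&state=abc123&token_type=bearer";
  console.log(parseImplicitFragment(hash, "abc123"));
  console.log(tokenStatus({ scopes: ["chat:read", "chat:edit"], expires_in: 120 }, ["chat:edit"], 3600));
}
```

In OBS the page would call `fetch` against the validate endpoint on load and pass the parsed JSON (or null on a 401) to `tokenStatus` before deciding whether to show the login link again.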