Tokens security best practice

Hello, I’m building my first Extension that involves a desktop app and an EBS.
I’m thinking about how to securely interact with my EBS. Right now I made this communication between all systems:

The state token will be used only to retrieve the access token from the EBS at startup/after the first login; it will be deleted if the access token is invalidated for any reason, forcing a new login.

But I’m thinking the weak point is asking for the access token with a state token created at login time. Since I store it where the desktop app is, I’m wondering if I can simply store the access token and use it, like this:

In the first scenario I store access tokens only in my DB and nowhere else; the EBS will validate them each hour (as Twitch demands) and refresh them when needed.
In the second scenario it takes less time to get the access token, but I store it where the desktop app is.

I still don’t feel secure about this system and I’m wondering how I can improve the token system of the desktop app.
Any suggestion where I can put my effort?

For an extension that needs desktop software this is my approach:

The streamer can obtain a different kind of token from the extension config view, and that token is copy/pasted (or magic relayed) to the application.

Saves any faff with Twitch tokens as I have my own authentication method between desktop app and my EBS.

Since this extension doesn’t need additional Twitch permissions I don’t need to do a streamer Twitch oAuth loop to get a token. I just need to secure traffic between Desktop and my EBS.

Logically this could also be custom user authentication between desktop and server (such as what a number of games do in their game launchers, for example: you log in with a game launcher account and that talks to the server which holds all the account links).

I have another Application where the oAuth token is generated in the Desktop app and is only stored in the desktop app, since it’s the user’s own App. And the token is used to communicate with my EBS as needed.

Both of your approaches however are valid and seem OK to me, as it’s fine for the user’s own token to be stored with the user since it’s the user’s.

I’d potentially house oAuth all in the app, and the app talks to the server by passing up the user’s oAuth token. And that works to validate traffic to/from the Desktop app and your EBS.
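The first approach in this reply (the EBS issues its own token from the extension config view, the streamer pastes it into the desktop app, and the EBS checks it on every request, revoking it to force a fresh pairing) as an added example; this is not the poster's code, and the function names and the in-memory store standing in for the EBS database are assumptions.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed stand-in for the EBS database: sha256(token) -> broadcaster id.
# Only the hash is kept, so a dump of this store yields no usable tokens.
_TOKENS: Dict[str, str] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def revoke(broadcaster_id: str) -> None:
    """EBS side: forget the broadcaster's token, forcing a new pairing."""
    for h, uid in list(_TOKENS.items()):
        if uid == broadcaster_id:
            del _TOKENS[h]


def issue_pairing_token(broadcaster_id: str) -> str:
    """EBS side, called from the extension config view.

    Returns the plaintext token exactly once for the streamer to paste into
    the desktop app. Re-issuing invalidates the previous token.
    """
    revoke(broadcaster_id)
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    _TOKENS[_digest(token)] = broadcaster_id
    return token


def desktop_auth_header(token: str) -> Dict[str, str]:
    """Desktop side: the header sent with every request to the EBS (over TLS)."""
    return {"Authorization": f"Bearer {token}"}


def verify_bearer(auth_header: Optional[str]) -> Optional[str]:
    """EBS side: map an Authorization header to a broadcaster id, or None.

    The presented token is hashed and looked up; the hash of an unknown token
    is unpredictable, so the lookup reveals nothing about stored tokens.
    """
    prefix = "Bearer "
    if not auth_header or not auth_header.startswith(prefix):
        return None
    presented = auth_header[len(prefix):].strip()
    if not presented:
        return None
    return _TOKENS.get(_digest(presented))
```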

Thanks for the reply and for sharing info with me.

I think I need Twitch token due to Bit-in-Extension enabled, getting broadcaster user info (for future expansion of my system) and sending messages on broadcaster chat.

That really lifts me up. I thought night and day to achieve this solution, and I’m very thorough about security and always think about the worst scenario.

I started with this, but in another thread you pointed me that I need code flow token and I can’t do that all in app due to secret involved.

Nope, you don’t. Bits in Extensions doesn’t require oAuth from the streamer.

It’s External JWT (or broadcaster JWT) both of which can’t be generated Desktop App side

Also no this doesn’t need an oAuth token from the streamer.

It’s External JWT (or broadcaster JWT) both of which can’t be generated Desktop App side

That’s all public data, so you either need a user’s token (if you know nothing else) or their userID/login to call Get Users with.

So yes, in a desktop app you might do that, but however you control access between software and EBS, the EBS might know from whatever gibberish is in the thing stored in the Desktop app.

I use implicit flow for token obtainment in a pure app-only realm. Sure, the user needs to log in again every 60 days. But then in theory you could not store the user’s token between app restarts and log in with Twitch every time the app starts, which would be relatively seamless.

I see, so I put too much effort on the access token when it wasn’t needed :sweat_smile:
I can improve the system by simply switching to implicit flow and using that token.

It’s all learned stuff in the end!

The primary issue here is “how to have the EBS verify the desktop app is x user”

And you solved that or have the information/knowledge to solve that now.

Exactly, since I need it to let the desktop app interact with the extension on the broadcaster page.
Well, thanks a lot for the help. I’ll start working on the access token again.