I was wondering if there was a way to have more than one Redirect URI for a Twitch Application. Since each part of my application is “separate” from the others, having one entry point after authentication isn’t that feasible.
I was just curious if there was a way to use a comma-delimited string to have 2 or 3 Redirect URIs or a wildcard so all child pages of a domain name will be allowed.
I know I can create multiple Applications but then having to manage multiple public and private keys wouldn’t be the most effective. If anyone has any ideas or suggestions, it would be a great help.
Thank You. And if you have any questions about what I’m asking, I’ll be more than happy to answer them.
You can only have one redirect URL per application. What I would recommend is to have a single “landing page” that will accept the token response and then redirect the user back to the correct part of the application based on where they were located before starting the auth handshake process.
You could store this info in the state param so it will be accessible to your application after the auth handshake is done.
(This may only apply to the authorization code flow. I’m not sure if implicit supports state or not.)
Thanks for the quick reply. I really appreciate it.
If anyone else is having an “issue” similar to mine and has the need to have multiple URLs with API Access, here is the solution I ended up using in the end. It only took me about an hour to update my old Token Implicit Grant Flow method to the Authorization Code Flow method.
The first thing is to create the authorization file on your server. I didn’t have the need to store tokens since I don’t need to access user information when they are offline. The file should simply perform the POST request to https://api.twitch.tv/kraken/oauth2/token with the proper POST data. More information on Twitch’s GitHub.
I also implemented a unique key for each request that I pass as state with the initial authorization request. I verify that the returned state value is valid; this helps prevent CSRF. If the value isn’t valid, I don’t make the above authorization request and show a warning to the user.
Along with the CSRF state value, I also pass a redirect URL in the
Hopefully this makes some sense and will help at least one person.
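The approach discussed in this thread (one landing page, a per-request state value checked on return, and the return location carried with it), as an added example that is not code from any poster or from Twitch. It assumes the return path travels inside state, HMAC-signed and bound to a hypothetical server-side session id, and it accepts only same-site paths so the landing page cannot be turned into an open redirect; all function names are illustrative.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlsplit

SECRET = secrets.token_bytes(32)  # assumption: server-side key, never sent to the browser
MAX_AGE = 600                     # assumption: a handshake older than 10 minutes is rejected
DEFAULT_PATH = "/"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def safe_return_path(path):
    """Allow only same-site paths such as /dashboard; anything else falls back to /."""
    if not isinstance(path, str) or not path.startswith("/") or path.startswith("//"):
        return DEFAULT_PATH
    if "\\" in path or any(ord(c) < 32 for c in path):
        return DEFAULT_PATH
    parts = urlsplit(path)
    return DEFAULT_PATH if parts.scheme or parts.netloc else path

def make_state(session_id, return_path, now=None):
    """Build the state value sent with the initial authorization request."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"sid": session_id, "ret": safe_return_path(return_path),
                          "iat": issued, "n": secrets.token_hex(8)}).encode()
    return _b64(payload) + "." + _b64(_tag(payload))

def check_state(state, session_id, now=None):
    """Landing page: return the path to redirect to, or None if state is invalid."""
    try:
        p64, t64 = state.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, AttributeError):
        return None
    if not hmac.compare_digest(tag, _tag(payload)):
        return None  # forged or modified state: skip the token request entirely
    data = json.loads(payload)
    current = time.time() if now is None else now
    if data["sid"] != session_id or current - data["iat"] > MAX_AGE:
        return None  # issued for another session, or stale
    return safe_return_path(data["ret"])

if __name__ == "__main__":
    s = make_state("session-123", "/dashboard/settings")  # constructed sample values
    print(check_state(s, "session-123"), check_state(s, "someone-else"))
```

The landing page should call check_state before exchanging the code for a token, and only redirect to the value it returns.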