I am building a standalone electron application. In the application, I want to get both a refreshable access token and ID Token. But this is not possible with Twitch’s current authentication methods. Twitch’s OIDC Implicit Code Flow authentication will allow a standalone application to get a token. However, the token is not refreshable. Twitch’s OIDC Authorization Code Flow can get a refreshable token. However, it means exposing a client_secret in my application.
To support my use case, there is PKCE (Proof Key for Code Exchange). PKCE is an extension of OAuth2 that enables standalone applications to use the Authorization Code Flow for authentication. PKCE does not require a client_secret to create trust between the application and Twitch’s authentication servers.
Is this on anyone’s radar?
Other notes:
- According to best practices from IETF, implicit grant is not recommended for usage anymore. IETF Implicit Grant Recommendations
- Instead public clients should use PKCE Authorization flow (without client secret) as a method of authentication. IETF Authorization Code Grant Recommendations