Any plans for PKCE implementation?

Genide · May 31, 2021, 4:49pm

I am building a standalone electron application. In the application, I want to get both a refreshable access token and ID Token. But this is not possible with Twitch’s current authentication methods. Twitch’s OIDC Implicit Code Flow authentication will allow a standalone application to get a token. However, the token is not refreshable. Twitch’s OIDC Authorization Code Flow can get a refreshable token. However, it means exposing a client_secret in my application.

To support my use case, there is PKCE (Proof Key for Code Exchange). PKCE an extension of OAuth2 that enabled standalone applications to use the Authorization Code Flow for authentication. PKCE does not require a client_secret to create trust between the application and Twitch’s authentication servers.

Is this on anyone’s radar?

Other notes:

According to best practices from IETF, implicit grant is not recommended for usage anymore. IEFT Implicit Grant Recommendations
Instead public clients should use PKCE Authorization flow (without client secret) as a method of authentication. IEFT Authorization Code Grant Recommendations

BarryCarlyon · May 31, 2021, 5:24pm

Sounds like you need a uservoice to submit a feature suggestion

I can and have got implict auth working in Electron. Just have to bounce via my server to relay to Electron via a custom URI handler/launch arguments.

However I generally use another auth method from app to my server, and my server retains the tokens

system · June 30, 2021, 5:25pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.