I’m wondering what the recommendation would be for distributing a desktop application that consumes the Twitch API?
I’m building my desktop app with C#, and I’m using the IdentityModel.OidcClient.Browser and Microsoft.Web.WebView2 packages (for those familiar).
I can already prompt a user to log in via the browser, return back to my app, and make API calls.
I’m simply wondering at this point if there happens to be another way to authenticate WITHOUT keeping a Client ID in/with the application? I have it working WITHOUT a Client Secret already, so that box is checked.
Once “out in the world” there’s nothing stopping someone from taking a peek, and using my Client ID/RedirectUri and doing the same thing as I am, just with/as my client.
So I’m just a little confused how client-side apps outside of the browser (mobile/desktop) stay secure(ish)? In terms of sharing the Client IDs I’ve made myself.
Is there a part of this I’m missing, or is my idea/concern basically how it is and desktop apps aren’t really recommended…unless of course you make your users go through the process of creating a Client themselves?
You can use a custom auth system and create a session between your app and a server, then have them log in through a web browser or an in-app browser.
Or if you don’t have a server for persistent auth, then use an in-app browser session or something and use implicit auth and grab the access token from the return URL. You can just use localhost and let the redirect fail and grab the access token and close the browser programmatically.
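The "grab the access token from the return URL" step, as an added example that is not part of the original posts: it reads the token from the redirect's fragment and rejects any redirect whose `state` does not match the value the app generated for that login attempt. It assumes the implicit grant returns `access_token` and `state` in the URL fragment; the redirect URI `http://localhost:3000/`, the class and method names, and the sample URLs are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class ImplicitGrantRedirect
{
    // Fresh random state per login attempt; sent in the authorize request and expected back unchanged.
    public static string NewState() => Convert.ToHexString(RandomNumberGenerator.GetBytes(16));

    // Returns true and sets token only when the redirect is ours and carries the expected state.
    public static bool TryExtractToken(Uri redirected, Uri expectedRedirect, string expectedState, out string token)
    {
        token = "";
        // Ignore navigations to anything other than the registered redirect URI.
        if (redirected.GetLeftPart(UriPartial.Path) != expectedRedirect.GetLeftPart(UriPartial.Path))
            return false;

        // Implicit grant values arrive in the fragment (after '#'), not in the query string.
        var fields = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var pair in redirected.Fragment.TrimStart('#').Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = pair.Split('=', 2);
            fields[Uri.UnescapeDataString(kv[0])] = kv.Length == 2 ? Uri.UnescapeDataString(kv[1]) : "";
        }

        // A missing or mismatched state means the token was not issued for this login attempt.
        if (!fields.TryGetValue("state", out var state) ||
            !CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(state), Encoding.UTF8.GetBytes(expectedState)))
            return false;

        if (!fields.TryGetValue("access_token", out var value) || value.Length == 0)
            return false;
        token = value;
        return true;
    }

    static void Main()
    {
        var redirectUri = new Uri("http://localhost:3000/"); // hypothetical registered redirect URI
        string state = NewState();
        // Constructed sample redirects; the token value is a placeholder.
        var good = new Uri($"{redirectUri}#access_token=PLACEHOLDER_TOKEN&state={state}&token_type=bearer");
        var forged = new Uri($"{redirectUri}#access_token=PLACEHOLDER_TOKEN&state=0000&token_type=bearer");
        Console.WriteLine($"matching state accepted: {TryExtractToken(good, redirectUri, state, out _)}");
        Console.WriteLine($"wrong state accepted:    {TryExtractToken(forged, redirectUri, state, out _)}");
    }
}
```

In an embedded browser this check would run on each navigation event, with the browser closed once it succeeds; the token itself should not be written to logs.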