I’m feeling like i have bigger holes in my understanding than i thought i had. I’ve been trying for hours to try and extract the #auth token from the redirect on localhost while trying to implement the OAuth/OIDC code flow. Ideally i want to use OIDC Implicit Code Flow as i don’t intend of having a backend. I just want this to run on a website.
Firstly, i am running a .html, .css, .js combo on my local PC.
I’ve set up a button in html to run a function in the javascript to redirect the user to the authentication.
<button type="button" onclick="OAuthLogin()">Twitch Login</button>
The function uses window.open() to redirect the user to a new tab. (I’m not using claims in the url yet for simplicity)
I do have the correct client id in place of in the url.
var AuthWindow = "";
function OAuthLogin()
{
AuthWindow = window.open("https://id.twitch.tv/oauth2/authorize?client_id=<MyClientID>&redirect_uri=http://localhost&response_type=token&scope=user:edit");
}
This opens a new tab with ‘about:blank’ in the address bar initially. After a few moments it changes to:
http://localhost/#access_token=<token>&scope=user%3Aedit&token_type=bearer
I’ve tried to extract the url via the window object returned, such as: AuthWindow.location.href, AuthWIndow.document.url etc… but they all return as blank or about:blank. Hence why i think this is a timing issue, and then becomes a security issue?
I have tried to add code to see if the new page had finished loading, but even put immediately after the call, .onload and readystate trigger immediately and say it is complete whilst it still says ‘about:blank’ in the address bar.
EDIT: I forgot to mention i tried addind event listeners to the new windows document, but they never triggered, i tried checking for load, change, hashchange, message. None triggered, i believe because it was already considered to be readyState : complete.
I tried to have another button on the first page to access and check the details after it had finished loading by storing the return of the window.open() but then i get this error:
scripts.js:85 Uncaught DOMException: Blocked a frame with origin "null" from accessing a cross-origin frame.
at GetAuthURL (file:///D:/Projects/HTML/CommunitySite/js/scripts.js:85:32)
at HTMLButtonElement.onclick (file:///D:/Projects/HTML/CommunitySite/Community.html:44:47)
So i’m pretty stumped. I feel like i’m missing some basic knowledge which makes it painful to ask for help here, i’ve been trawling through many articles online but i can’t seem to find a solution to this.
The redirect i open up showed me originally the usual Twitch auth page i expected and i hit accept, but since then it now just shows the URL as i stated, but the content of the page itself says:
This site can’t be reached, localhost refused to connect
So is it also a big problem that i’m doing all this on my local machine?
Again, i’m trying to extract the # info from the URL, but due to timing/security/something… i can’t seem to get access to it to feed the token back to the original script as a variable.
Any help on this would be greatly appreciated… and sorry for my lack of basic knowledge on this.