Handling of 3rd party system authentication in a Twitch extension

Hello,

Currently I’m working on a big mod / system for a game.
The system requires users to create an account to which then you can link streaming services including Twitch.

This means that in the extension I would need to either:

  1. Display a login panel which I would like to handle via an iframe which would then return my system’s token via its cookies.
  2. Make a call to the server and have a db lookup table to compare Twitch usernames with my system’s usernames (the problem here is that there could be multiple users using the same Twitch account and you could impersonate someone else).

I don’t want to send the credentials to the server via plain text, I would like to display my service’s login panel instead.
Here’s my question. Is Twitch fine with solutions like an iframe for authentication in 3rd party systems?

Thanks in advance.

Extensions are not allowed to use iframes. You would need to have a link that opens a new tab, but keep in mind that only config and panel views are allowed to have links, so you can’t do this for a video overlay or component extension.

You should use the user’s ID as a key, rather than username, as username can change over time.

Usually the way you would want to do linking like this is to have the user connect their Twitch account with your site on your site itself, not inside the extension. Once the accounts are connected you can simply have the extension request the user shares their ID so that their ID will be included in the JWT that you’ll send to your server which can then check the database for that Twitch ID, and if the user doesn’t exist you could display a message in the extension that they need to connect to your app on your website.
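The server-side check described above, as an added example that is not part of the original post: verify the extension JWT (HS256, keyed with the base64-decoded extension secret), then look up the `user_id` claim, which is only present once the viewer has shared their identity. The function names, the `links` table and the sample secret are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_extension_jwt(token, secret_b64, now=None):
    """Return the claims of a valid HS256 token; raise ValueError otherwise."""
    key = base64.b64decode(secret_b64)  # the extension secret is issued base64-encoded
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token's own header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def resolve_account(token, secret_b64, links, now=None):
    """Map a verified token to a local account, keyed on the Twitch user ID."""
    claims = verify_extension_jwt(token, secret_b64, now)
    twitch_id = claims.get("user_id")  # absent until the viewer shares identity
    if twitch_id is None:
        return ("identity_not_shared", None)
    account = links.get(twitch_id)
    return ("ok", account) if account is not None else ("not_linked", None)

def make_token(claims, secret_b64):
    """Test helper (hypothetical): sign claims the same way for the demo below."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    key = base64.b64decode(secret_b64)
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

# Constructed sample data: not a real secret, Twitch ID or account.
SECRET = base64.b64encode(b"constructed-demo-secret-32-bytes").decode()
LINKS = {"12345": "local-account-7"}  # Twitch user ID -> local account
```

A `not_linked` result is the case where the extension would show the "connect on our website" message, and `identity_not_shared` is where it would ask the viewer to share their ID.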

Yes, a new tab is another option.

The linking works exactly as you have described.
After you log in to my system’s account you can link your streaming services there.
The problem is that I want to let people link the same streaming service accounts to different system’s accounts so multiple users could use the same Twitch account for example. In that case I would have no way of knowing which user from my system to get when trying to authenticate the Twitch extension.

Also thank you for letting me know about the links.
In that case the only good solution would be creating a panel extension with a link which opens a new tab for authentication.

Thanks for the help.

You should treat a single Twitch account as a single user. If people were to share a Twitch account then should any of those users decide to disconnect from your app it’ll remove all connections for all users, and would add needless complexity because as you’ve said yourself you have no way of knowing which user on the system it is if multiple accounts on your system share the same Twitch ID.

So the previous ID token gets cleared if a new user requests it for a certain Twitch account?

A Twitch account can only have a single connection to an app. While it may be possible to have multiple users go through the OAuth flow and create multiple Access Tokens, there’ll still only be a single connection between that account and your app, and as such if any of the users of that account disconnect from your app it’ll instantly kill ALL access tokens from that account to your app.