I have the login link working for my site to openID login with twitch. The redirect provides me with a code, and I am sure that I will be able to get the Oauth info that I need from there as it is described well in the twitch documentation.
The question that I have is how do I determine that a user is who they say they are after they are redirected to home page of the site for example. Do I have to run a bit of JS in the redirect page that stores the code as a cookie and reference that in my server database? That feels somewhat insecure (never built a web app before so I may be wrong on this bit) and after the first time that I used the link I had a cookie that I am pretty sure I didn’t place there. I’m just wondering what the standard/proper way to implement this verification is.
Also, how should I generate my state strings? I am thinking that I could put a dummy url in the place of the authorize url, which is then caught by the program that I am running, and redirects to the actual authorize url with a generated state string. IE /twitchlogin redirects to https://id.twitch.tv/oauth2/authorize?response_type=code&client_id=&redirect_uri=<REDIRECT_URI>&scope=openid&state=<GENERATED_STATE>
Does anyone see any problems with this particular method?
Depends on the language you are using, and your server architecture.
Most programming languages for web, will suggest or provide a session management solution. It’s up to you to take that provided structure and create a secure method of maintaining a login to a site.
You’ll even find the a CMS you are using provides it, and all you need to do with the oAuth redirect is create a user, using the createUser function in said CMS, and call the login/sessionState function for the newly created or looked up user.
However you want, if you need a state and want to use a state then do so, it’s not required. It’s benefical for passing data via Twitch back to you, like a temporary session ID (generated by your session manager) or something more “simple” like the redirect destination after login (complete login then redirect to the post on a forum the user wanted to reply to for example).
There is no rule or official way to generate a state string.
Unfortunately, I am using golang which appears to not have a session system by default and I would have to add something like gorilla/sessions. After doing a bit of reading, I think that I will be able to write what I need without it for now.