How to save data during authentication

Basically I have a telegram bot that sends this link to the user so he can authenticate:
https://id.twitch.tv/oauth2/authorize?client_id=myclientid&redirect_uri=mysite/redirect&response_type=code&scope=user%3Aread%3Asubscriptions&nonce=telegramID+randomletters
When I get the response on mysite/redirect I can get the Telegram user ID from the nonce (and then do nothing else related to the nonce). I don't understand too much how nonce works (and replay attacks), so I am asking: is it safe doing it like this, or should I save the nonces that I receive and block duplicates? Is there another way to pass the Telegram ID?
I feel like I'm missing something obvious and these questions are dumb, but I don't know the answers. Any help is very appreciated!

Well, for response_type=code when not using OIDC, nonce isn't supported/documented.

It’s state for this flow.

nonce/state are used as a defence against CSRF attacks, so a request/workflow can only be run once and can't be run again and misdirected to another service.

Further reading is here: Cross Site Request Forgery (CSRF) | OWASP Foundation

It shouldn’t really be used for storing/relating the telegramID.

Normally you’d have a user come to your site.

Login with Telegram (if that's supported)
Store data in the session, such as the Telegram ID
Send them off to Twitch
They come back and you recall the data you need from the session.

In this example the TelegramID isn’t “leaked” to Twitch since the state is used to contain the CSRF token, and not the telegramID.

Thanks. I should study more to fully understand your answer; for example, the last part isn't clear to me.
The user in my case doesn't log in with Telegram on my site. I would like to let the user do everything only in Telegram and click the link. You say to "store data in the session, such as the Telegram ID"; in my case, what would be the session you are talking about?

Yes

If they did log in, then you'd store the "telegram session" in the session, so when they leave the site for Twitch auth and come back you can recall it.

Since you can't/don't log in with Telegram:

Then you either ask for the Telegram ID before Twitch auth and store it in the session.
Or they do Twitch auth and then you ask for the Telegram ID, which probably wouldn't need a session.

In both cases you don't need to send the data with/via Twitch to come back to you.

You either store it locally in the session (or localStorage or a cookie or something).
Or you ask for it after Twitch auth.
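The flow described in both answers above (Telegram ID kept in a server-side session, only a random CSRF token sent as state, state checked and consumed on the redirect), as an added example that is not part of this thread or of Twitch's own code. It uses the OP's placeholders `myclientid` and `mysite`, and a constructed in-memory dict stands in for the real session store.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENT_ID = "myclientid"                  # placeholder from the thread
REDIRECT_URI = "https://mysite/redirect"  # placeholder from the thread
AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"

# Constructed stand-in for a server-side session store: session_id -> dict.
# In a real app this is whatever your framework ties to the user's cookie.
SESSIONS = {}


def new_session():
    """Create a server-side session and return its (constructed) id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def start_auth(sid, telegram_id):
    """Keep the Telegram ID server-side; send only a random CSRF token as state."""
    state = secrets.token_urlsafe(32)
    SESSIONS[sid].update({"telegram_id": telegram_id, "oauth_state": state})
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "user:read:subscriptions",
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_redirect(sid, redirect_url):
    """Validate state, recover the Telegram ID from the session; None on failure."""
    session = SESSIONS.get(sid)
    if session is None or "oauth_state" not in session:
        return None  # no auth flow in progress for this session
    qs = parse_qs(urlparse(redirect_url).query)
    code = qs.get("code", [None])[0]
    state = qs.get("state", [None])[0]
    # One-time use: consume the stored state whether or not it matches,
    # so a replayed or forged callback can never succeed for this flow.
    expected = session.pop("oauth_state")
    if code is None or state is None:
        return None
    if not secrets.compare_digest(state.encode(), expected.encode()):
        return None  # CSRF: callback does not belong to this session's flow
    return {"telegram_id": session["telegram_id"], "code": code}
```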

Now I know what to do, thanks so much for your support!
