I’m building a long-lived (e.g. during an entire broadcaster’s stream) desktop chatbot application.
In my case, I do not want to interrupt the broadcaster in the middle of their stream to refresh their (user) access token.
If I use the code grant flow, this gives me a refresh token that can be used in the background to do this. However, using that flow requires storing the client secret on their computer.
On the other hand, I could use the implicit flow. This doesn’t require the client secret; however, the lifetime of the token is really really long, roughly 60 days.
Ideally I could use PKCE so I don’t have to store anything at all, but this isn’t yet supported (vote at Add PKCE Support to the OAuth2.0 Authorization Code Flow – Twitch UserVoice).
So, I’m curious what other devs are doing to solve this problem?
I’ve thought to use the OS vault; realistically I’m only targeting Windows since this app also talks with OBS (and the other distros of OBS don’t get much love).
Otherwise, it becomes a bit of a chicken-egg problem of hashing the secret, but then what: hashing the secret hash, and hashing that… Or, I ask the user to install 3rd party vault software, which doesn’t sound so great… Or, I need to spin up a web service somewhere that uses HashiCorp Vault and then let the user get their secrets from there (not willing to do a cloud deployment of anything atm, for cost reasons)… All this, as I understand it, to protect against malicious software hacking their PC and stealing those secrets. The impact wouldn’t be great, considering the token has channel:moderate scope… So, yucky.
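
The OS-level storage option mentioned in the post, sketched as an added example that is not part of the original post: it keeps a refresh token at rest under Windows DPAPI (`ProtectedData`, per-user scope). The function names, file path, entropy label and token value are hypothetical, and choosing DPAPI as the "OS vault" is an assumption.

```powershell
# Added example (not from the post). Requires Windows; names and path are hypothetical.
Add-Type -AssemblyName System.Security
$Scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
# Optional extra entropy: ties the blob to this app's label (constructed value).
$Entropy = [Text.Encoding]::UTF8.GetBytes('ExampleChatbot/refresh-token/v1')

function Save-ProtectedSecret {
    param([Parameter(Mandatory)][string]$Secret,
          [Parameter(Mandatory)][string]$Path)
    $plain = [Text.Encoding]::UTF8.GetBytes($Secret)
    try {
        # DPAPI encrypts with a key derived from the logged-in user's credentials.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $Scope)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # drop the plaintext byte copy
    }
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    [IO.File]::WriteAllBytes($Path, $blob)
}

function Read-ProtectedSecret {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { return $null }   # nothing stored yet
    $blob = [IO.File]::ReadAllBytes($Path)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Corrupted blob, or one created under another account or machine:
        # treat as "no token" and send the user through authorization again.
        return $null
    }
    return [Text.Encoding]::UTF8.GetString($plain)
}

# Round trip with a constructed placeholder value, not a real token.
$path = Join-Path $env:LOCALAPPDATA 'ExampleChatbot\refresh_token.bin'
Save-ProtectedSecret -Secret 'constructed-refresh-token' -Path $path
$restored = Read-ProtectedSecret -Path $path
if ($restored -ne 'constructed-refresh-token') { throw 'round trip failed' }
```

With `CurrentUser` scope the blob is unreadable to other accounts and to anyone who copies the file off the disk. Code running as the same user can still call `Unprotect`, so this narrows the malware case the post describes but does not remove it.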