OAuth (almost) without a webserver

I am working on a singleplayer video game, in which I would like to add support for Twitch tools such as polls and chat.
To do so, I need to get an OAuth, and the problem I have faced is the lack of a webserver to send the token to, considering this is a local, singleplayer game.

However, while looking for answers, I found a clever way to deal with this issue, without security issues, to my knowledge:

  • Before sending my user to the oauth2/authorize URL, I start a small, local HTTP server on their machine, listening on port 8080.
  • When their browser gets redirected to http://localhost:8080, I retrieve it, return a simple “thank you” HTML page, and close the HTTP server.

  1. Is this okay from a ToS standpoint?
    This functions marvelously, it’s fast and cross-platform, and seems like a good solution for my “singleplayer no server” situation. But am I ALLOWED to do that?

  2. Is this okay from a security standpoint?
    From what I understand, the user’s browser gets redirected after getting the OAuth token. So I feel like it’s safe since the OAuth token doesn’t even leave the user’s computer, being a “localhost” call. However, I am not a web, nor a network developer, so I’d like to make sure I’m right.

Thank you

What you describe is basically what the Twitch CLI does. So yes, that's fine.

Additionally, the alternative is that you have a GitHub Pages page that uses implicit auth and just displays the user their token; then they can copy the token from that page to your game. Example: Twitch Implicit Auth Example

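A sketch of the loopback listener described in the question, as an added example that is not part of the original thread and is not the Twitch CLI's code. It binds to 127.0.0.1 only, checks a random `state` value before accepting the redirect, and serves a single request. It assumes the authorization code flow, where `code` and `state` arrive in the query string (a URL fragment is never sent to the server); all function names are hypothetical.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

def new_state():
    # Unguessable per-login value to send as `state` in the authorize URL.
    return secrets.token_urlsafe(32)

def extract_code(path, expected_state):
    """Return `code` from the redirect path, or None if `state` does not match."""
    query = parse_qs(urlsplit(path).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    # Constant-time compare; a mismatch means this request does not belong
    # to the login this process started.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code or None

class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        code = extract_code(self.path, self.server.expected_state)
        self.server.code = code
        text = "Thank you, you can return to the game." if code else "Login failed."
        body = ("<html><body>%s</body></html>" % text).encode()
        self.send_response(200 if code else 400)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # do not echo the request line (it contains the code) to the console

def make_listener(expected_state, port=8080):
    # 127.0.0.1 rather than "" / 0.0.0.0: other hosts on the network cannot connect.
    server = HTTPServer(("127.0.0.1", port), CallbackHandler)
    server.expected_state = expected_state
    server.code = None
    server.timeout = 120  # seconds; give up if the user never finishes logging in
    return server

def wait_for_code(server):
    """Serve exactly one request, close the socket, return the code or None."""
    try:
        server.handle_request()
    finally:
        server.server_close()
    return server.code
```

Call `make_listener(state)` before opening the browser so the port is already bound when the redirect arrives, then `wait_for_code(server)` to block until it does.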
