I’m working on a script for Twitch streams with OBS. This script shall display the stream chat in the stream and write a message to welcome new followers.
For writing a message into the stream chat, the script needs a user token. And therefore, I need a redirect URL. And that’s the problem.
Due to atomic redirects and cross origin policy, the script is unable to get the user token. It doesn’t work in Chrome or Firefox. Though it does currently work in OBS (probably due to missing or deactivated security policies), I want to fix this in case OBS fixes these security issues.
I’m afraid authorization via implicit code flow doesn’t work. The script in your example doesn’t work either. I’m still getting redirected and am not able to get the token, because nothing is listening on a port on my local machine (so the redirect fails) and the script is not able to access the window’s location hash (due to cross origin policy).
If it doesn’t work then you’ll need to do it another way. I’m assuming you are on file:// instead of having it served from a server, so you are probably out of luck here. I do all my stuff via server since it’s just easier to manage the keys.
Auth is better held on a remote server so it can be auto refreshed/managed nicely, without leaking your secret.
The alternative is that a user gets a token from somewhere and manually pastes it into your code/query string argument in OBS, but then when the key dies (even using implicit) it’ll require user interaction, as manual copy paste probably means implicit auth and when that key dies you don’t have a refresh token to auto renew.
I can’t use a server, because the script is meant to run on local machines. The idea behind the script is that it runs without any third party (even without my own server as a third party).
Even if anyone else wants to use the script, he / she just has to get the script, enter the credentials and it works.
The only option is to have your oauth url redirect to a local host which doesn’t exist, but the auth token will be in the url, then have them copy paste that into your webpage as a query string then embed it, but they will have to redo that manually around every 60 days or so.
That won’t work, due to cross origin policy.
Because Twitch doesn’t allow the login page to be embedded in an iframe, I have to use a new window. But I can’t access the window’s location, due to cross origin.
But thanks to you, I got a new idea, which I didn’t try yet. I’ll write the result as a new reply next week (because I’ll get a busy weekend).
I’m sorry, but due to the new chat security feature, which disallows embedding the chat in an iframe, if no parent is provided, I had no time to work on this problem, but rather worked on that new one.
I’ll let you know whether my idea works as soon as I have tested it!
Finally, I had time to work on the idea I got. Unfortunately, it did not work.
I tried, like WLG3R wrote above, to let the redirect go to a localhost, which doesn’t exist. But I could find no way to retrieve the URL from that redirect. I tried it with XMLHttpRequest, the new Fetch API and an iframe. None of them revealed the URL of the failed redirect.
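
The manual copy-and-paste fallback suggested earlier in this thread (redirect to a localhost address where nothing listens, then paste the URL from the address bar into the page), sketched as an added example that is not part of any post. It assumes the implicit grant fragment carries `access_token`, `scope`, `state` and `token_type`; the function name, port, token and state values are hypothetical or constructed.

```javascript
// Added example: validate a redirect URL the user pasted by hand and pull the
// user token out of its fragment. The page never reads another window's
// location, so the cross-origin restriction does not apply.
function extractImplicitToken(pastedUrl, expectedState) {
  let url;
  try {
    url = new URL(String(pastedUrl).trim());
  } catch (e) {
    throw new Error("not a valid URL");
  }

  // Assumption: a denied authorization is reported in the query string.
  const err = url.searchParams.get("error");
  if (err) throw new Error("authorization failed: " + err);

  // The token lives in the fragment, which is never sent to any server.
  const frag = new URLSearchParams(url.hash.replace(/^#/, ""));
  const token = frag.get("access_token");
  if (!token) throw new Error("no access_token in URL fragment");

  // Reject URLs that do not belong to the login this page started.
  if (frag.get("state") !== expectedState) throw new Error("state mismatch");

  const type = (frag.get("token_type") || "").toLowerCase();
  if (type !== "bearer") throw new Error("unexpected token_type");

  const scopes = (frag.get("scope") || "").split(" ").filter(Boolean);
  return { accessToken: token, scopes };
}

// Constructed sample input (not a real token).
const SAMPLE_REDIRECT =
  "http://localhost:3000/#access_token=abc123constructed" +
  "&scope=chat%3Aread+chat%3Aedit&state=s3cr3tstate&token_type=bearer";
```

Checking `state` against the value generated when the login window was opened keeps a URL pasted from somewhere else from being accepted as this session's token.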