Save user information

Hello,
I need to store the information to get a new access_token in a $_SESSION['']. If I encrypt the session containing the refresh_token, would this be a problem? Would hacking information such as client_secret or client_id be a problem?

If it's encrypted, how do you use it? Can't use the token if it's encrypted?

Under normal operation a $_SESSION should only be returned to the user that owns it.

Since a PHP session only stores a Session ID on the user's computer that matches to the session data stored wherever on the server.

If your concern is someone hacking the information, they'll just take your DB and grab the tokens from there. The encryption doesn't help when it needs to be reversible to read the true value.

But if someone with bad intentions found them, what could they do? I store the refresh_token in a session but it is the only one; the secret_client is stored in a PHP script.

The refresh token is used with the client secret to make a new access token for that user.

If they broke into your server, then they have both of these from looking in the database/wherever sessions are stored, and the files containing the secret…

Both need to be stored (and if encrypted, reversibly encrypted)

You wouldn't normally store a refresh token in session, since a session doesn't last forever, and conceivably you'd want to store the refresh token for usage until the user unlinks your application. So it doesn't make sense to have the refresh token in session.

Yes, because the session will expire one month after its creation. I think it will be safer in a session than in a database or in a cookie

the session will expire up to one month after its creation.

fixed it

The session could be lost or die way before that, since a session relies on a client-side cookie.

If you only want to keep user tokens for up to a month then you should be using implicit auth which will generate a token good for ~60 days and doesn’t provide a refresh token.

The whole point of a refresh_token is you store it in a database forever. Not for one month.

How do I get this 60 day token? How do I know if this token has expired?

An implicit token, last I checked, was 60 days or so; the duration can and will change.

Implicit is documented here https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#oauth-implicit-code-flow

To check token validity call https://dev.twitch.tv/docs/authentication#validating-requests which will also give you the time left on a given token


Thank you very much !!

I don’t know why but I am asked to send this line but it only returns the normal code and not a token.

GET https://id.twitch.tv/oauth2/authorize
    ?client_id=<your client ID>
    &redirect_uri=<your registered redirect URI>
    &response_type=<type>
    &scope=<space-separated list of scopes>

That is a REDIRECT, not a fetch.

Create a <a href="">login</a> with that URL

Example project: Twitch Implicit Auth Example

yes but the site returns that

GET describes the protocol to be used.

The Link doesn’t start with GET

Please refer to my example

Thank you very much, I just have to see how to get the token when there is a # and not a ? between the URL of the page and the information that Twitch sends back.

With javascript on the page

        // The implicit flow returns the token in the URL fragment (after '#'),
        // which the browser never sends to the server, so it must be read client-side.
        if (document.location.hash && document.location.hash != '') {
            // Drop the leading '#' and parse the rest as key=value pairs.
            var parsedHash = new URLSearchParams(window.location.hash.substr(1));
            if (parsedHash.get('access_token')) {
                var access_token = parsedHash.get('access_token');
                document.getElementById('access_token').textContent = 'Your Access Key from the #url: ' + access_token;
            }
        }

From the example I linked to https://github.com/BarryCarlyon/twitch_misc/blob/main/authentication/implicit_auth/index.html#L31-L35

Once you have it in a JS var you can do what you want with it
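As an added example (not code from the original thread or from the linked twitch_misc project), here is a self-contained JavaScript version of the fragment parsing shown above, together with a check on the response from the validate endpoint linked earlier in the thread. The sample fragment is constructed; the `Authorization: OAuth <token>` header and the `client_id`/`expires_in` fields follow Twitch's documented validate endpoint; the `minSecondsLeft` threshold and the function names are this example's own choices.

```javascript
// Added example, not from the original thread or the linked project.

// Twitch's implicit flow redirects back to, e.g. (constructed sample):
//   https://example.invalid/callback#access_token=...&scope=...&state=...&token_type=bearer
// The part after '#' never reaches the server, so it is parsed in the browser.
function parseImplicitFragment(hash) {
  if (!hash || hash === '#') return null;
  // URLSearchParams strips a leading '?' but not '#', so remove '#' ourselves.
  const params = new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
  const accessToken = params.get('access_token');
  if (!accessToken) return null; // a '?code=' redirect (authorization code flow) lands here
  return {
    accessToken,
    tokenType: params.get('token_type') || '',
    // Scopes arrive percent-encoded and '+'-separated; URLSearchParams decodes both.
    scopes: (params.get('scope') || '').split(' ').filter(Boolean),
    state: params.get('state'),
  };
}

// Validate endpoint from the Twitch docs linked in the thread.
const VALIDATE_URL = 'https://id.twitch.tv/oauth2/validate';

function validateRequest(accessToken) {
  return { url: VALIDATE_URL, headers: { Authorization: 'OAuth ' + accessToken } };
}

// Decide whether a validate response is usable by this app.
// client_id / expires_in are fields of Twitch's documented validate response;
// minSecondsLeft is this example's own threshold (assumption).
function tokenIsUsable(body, expectedClientId, minSecondsLeft = 60) {
  if (!body || typeof body.expires_in !== 'number') return false;
  // Reject tokens issued to a different application.
  if (body.client_id !== expectedClientId) return false;
  return body.expires_in > minSecondsLeft;
}

// Network step: a 401 means the token is invalid or expired.
async function validateToken(accessToken, expectedClientId) {
  const req = validateRequest(accessToken);
  const res = await fetch(req.url, { headers: req.headers });
  if (res.status !== 200) return { usable: false, body: null };
  const body = await res.json();
  return { usable: tokenIsUsable(body, expectedClientId), body };
}

// Browser usage: only runs when a document exists (no-op under Node).
if (typeof document !== 'undefined') {
  const parsed = parseImplicitFragment(document.location.hash);
  if (parsed) {
    // Remove the token from the address bar / history once captured.
    history.replaceState(null, '', window.location.pathname + window.location.search);
    validateToken(parsed.accessToken, 'YOUR_CLIENT_ID_PLACEHOLDER').then((r) => {
      console.log('token usable:', r.usable, 'seconds left:', r.body && r.body.expires_in);
    });
  }
}
```

The `history.replaceState` call drops the fragment from the visible URL after the token has been read, so it is not left in the browser history; the validate step also confirms the token belongs to your own client ID rather than to some other application.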

it is not possible to retrieve values using php?

You would have to use javascript to capture the token from the URL, and then pass that token to your server.

Generally speaking implicit auth is for use when you don't have a server, and with a server you would generally use "regular" oAuth, https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#oauth-authorization-code-flow which gives you a token that's (usually) valid for four hours, but it gives you a refresh token that you can use to generate a new token.

Which is the method you probably started with, but you were trying to store the refresh token in session, which doesn't make sense, since sessions are not reliable to store long running/reusable data such as a refresh token.
