Support for native OAuth apps, and RFC 8252?

I’m looking into developing a personal Twitch streambot, where I can set up a desktop app that can call Twitch API calls to automate a number of things during streaming. In order to do this, I need to be able to get an OAuth2 token to do so. It appears, however, that Twitch does not support the recommended way of handling native OAuth apps.

RFC 8252 (https://tools.ietf.org/html/rfc8252) says that an authentication endpoint should accept http://127.0.0.1:{custom port}/{path} as a redirect_uri. Specifically, if I add the following as a redirect URI:

http://127.0.0.1/my/callback/path

It should accept http://127.0.0.1:61702/my/callback/path as a valid redirect, and proceed through the auth code flow.

Is there any effort to implement the recommendations of RFC 8252?

Use http://localhost/ instead of 127.0.0.1

That RFC actually says that localhost is worse than 127.0.0.1. This is because it’s still a DNS name that can be resolved, and incorrectly configured machines (or maliciously configured machines) can have that mapped to anything. See https://tools.ietf.org/html/rfc8252#section-8.3
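The matching rule discussed in the posts above, seen from the authorization server's side, as an added example that is not part of the original thread and not Twitch's code: RFC 8252 section 7.3 has the server ignore the port for loopback IP redirect URIs, while every other redirect (including `localhost`, per section 8.3) gets an exact match. The function names and the sample URIs in the demo are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_loopback_ip(host):
    """True only for loopback IP literals (127.0.0.0/8, ::1), never for DNS names."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "localhost" or any other name is not an IP literal
        return False


def redirect_uri_allowed(registered, requested):
    """Compare a requested redirect_uri with the registered one.

    Exact string match, except that the port is ignored when both URIs are
    http:// on the same loopback IP literal (RFC 8252 section 7.3).
    """
    if requested == registered:
        return True
    try:
        reg, req = urlsplit(registered), urlsplit(requested)
        req.port  # accessing .port raises ValueError on a malformed port
    except ValueError:
        return False
    if reg.scheme != "http" or req.scheme != "http":
        return False
    # Userinfo such as "http://127.0.0.1@other-host/" must not pass as loopback.
    if "@" in reg.netloc or "@" in req.netloc:
        return False
    if not (reg.hostname and _is_loopback_ip(reg.hostname)):
        return False
    if req.hostname != reg.hostname:
        return False
    # Everything except the port has to be identical.
    return (req.path, req.query, req.fragment) == (reg.path, reg.query, reg.fragment)


if __name__ == "__main__":
    registered = "http://127.0.0.1/my/callback/path"
    for uri in (  # constructed sample requests
        "http://127.0.0.1:61702/my/callback/path",
        "http://127.0.0.1:61702/other/path",
        "http://127.0.0.1@evil.example:61702/my/callback/path",
    ):
        print(uri, "->", redirect_uri_allowed(registered, uri))
```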

shrugs

They can’t do much without your Client Secret but I do see your point.

However I did do a check,

Seems you can set it to 127.0.0.1 or at least “works for me”

And works fine for me with a brand new clientID

using 127.0.0.1:3000 in my example

And using yours
