Hello, I’m implementing “Login with Twitch” and there’s an unsolved question for me: how do I protect the user when he is logging in to Twitch while he’s streaming?
As you guys know, after a successful login, Twitch will redirect the user with the code inside query parameters, and if anything goes wrong (for example, the receiver’s server is down) the URL will be shown to the user (and his viewers). My question is: why does Twitch not put this sensitive data inside the body of the redirect (like how payment merchants work)?
If there’s any workaround for this, I would love to know!
If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the “application/x-www-form-urlencoded” format, per Appendix B:
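An added example, not part of the original thread and not Twitch's code: a callback handler that parses the redirect query described in the quoted passage, checks `state`, and returns a scrubbed URL to send the browser to with a 303, so the `code` does not stay in the address bar or in logs. The function names and the sample URL are assumptions made for illustration, and this only applies when the callback endpoint is reachable.

```python
import hmac
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Redirect parameters that should not linger in the address bar or in logs.
SENSITIVE = {"code", "state"}


class CallbackError(Exception):
    """Raised when the redirect must not be processed any further."""


def parse_callback(url, expected_state):
    """Return the authorization code from the redirect URL after checking state."""
    if not expected_state:
        raise CallbackError("no state stored for this session")
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if "error" in params:
        raise CallbackError(params["error"])
    # Constant-time comparison of the state echoed back by the authorization server.
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        raise CallbackError("state mismatch")
    code = params.get("code")
    if not code:
        raise CallbackError("missing code")
    return code


def scrub(url):
    """Drop code/state from a URL; use the result as redirect target and in log lines."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SENSITIVE]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def handle_callback(url, expected_state):
    """Return (code, location): exchange `code` server-side, then reply 303 to `location`."""
    code = parse_callback(url, expected_state)
    return code, scrub(url)


if __name__ == "__main__":
    # Constructed sample redirect; host, code and state are made up.
    sample = "https://app.example/auth/callback?code=CONSTRUCTED123&scope=user%3Aread%3Aemail&state=abc"
    print(handle_callback(sample, "abc"))
```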