Twitch should use POST when redirecting back from login

Hello, I’m implementing “Login with Twitch” and there’s an unsolved question for me: how do I protect the user when he is logging in to Twitch while he’s streaming?

As you know, after a successful login Twitch redirects the user with the code inside the query parameters, and if anything goes wrong (for example, the receiver’s server is down) the URL will be shown to the user (and his viewers). My question is: why does Twitch not put this sensitive data inside the body of the redirect (like payment merchants do)?

If there’s any workaround for this, I would love to know!

The ?code is useless without the client secret.

The ?code is also one-use, so “normal” OAuth flows will use it immediately.
And thus the ?code will immediately no longer be valid.
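The three properties the reply above relies on (the code is worthless without the client secret, it is single-use, and a normal client exchanges it the moment the redirect lands) can be checked against a small model. The following is an added example, not code from Twitch or from this thread: the authorization server is an in-memory stand-in for the real token endpoint, and every name in it (MockAuthServer, handle_callback, the client id and secret) is invented for illustration. It also shows the one thing the client side can do about a code sitting in the address bar, which is to answer the callback with a redirect to a clean URL once the exchange has succeeded.

```python
"""Model of the OAuth 2.0 authorization-code redirect discussed in this thread.

Constructed example: the "authorization server" below is an in-memory stand-in,
not Twitch's real token endpoint, and every name here is invented.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class MockAuthServer:
    """Stand-in for the authorization server: issues single-use codes and
    only exchanges them when the correct client_secret is presented."""

    def __init__(self, client_id, client_secret):
        self.client_id = client_id
        self.client_secret = client_secret
        self._pending = {}  # code -> redirect_uri it was issued for

    def build_redirect(self, redirect_uri, state):
        """The URL the browser is sent to after approval: the code rides in
        the query component, as RFC 6749 section 4.1.2 describes."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = redirect_uri
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def exchange(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint. Returns a token dict, or None on any failure."""
        if client_id != self.client_id or not hmac.compare_digest(
            client_secret.encode(), self.client_secret.encode()
        ):
            return None  # the ?code alone is worthless without the secret
        issued_for = self._pending.pop(code, None)  # pop(): a code is one-use
        if issued_for is None or issued_for != redirect_uri:
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


def handle_callback(url, expected_state, server, client_id, client_secret, redirect_uri):
    """The client's redirect handler: check state, exchange the code at once,
    then answer with a redirect to a clean URL so the code leaves the address
    bar (and any screen capture of it) as soon as possible.

    Returns (http_status, location, token); token is None on failure."""
    query = parse_qs(urlparse(url).query)
    if "error" in query:
        return 302, "/login?failed=" + query["error"][0], None
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return 400, None, None  # state we never issued: refuse before exchanging
    code = query.get("code", [""])[0]
    token = server.exchange(client_id, client_secret, code, redirect_uri)
    if token is None:
        return 302, "/login?failed=exchange", None
    return 302, "/dashboard", token


def demo():
    """Walk through the scenarios from the thread and return the outcomes."""
    server = MockAuthServer("myapp", "s3cret")
    redirect_uri = "https://example.invalid/callback"
    results = {}

    # 1. Normal login: the code is exchanged immediately and the user lands on a clean URL.
    state = secrets.token_urlsafe(16)
    url = server.build_redirect(redirect_uri, state)
    status, location, token = handle_callback(url, state, server, "myapp", "s3cret", redirect_uri)
    results["login"] = (status, location, token is not None)

    # 2. A viewer who read the code off the stream replays it: already consumed.
    code = parse_qs(urlparse(url).query)["code"][0]
    results["replay"] = server.exchange("myapp", "s3cret", code, redirect_uri)

    # 3. The viewer captures a fresh, unconsumed code (e.g. the client was down)
    #    but does not hold the client secret.
    url2 = server.build_redirect(redirect_uri, state)
    code2 = parse_qs(urlparse(url2).query)["code"][0]
    results["no_secret"] = server.exchange("myapp", "guess", code2, redirect_uri)

    # 4. A callback carrying a state the client never issued is refused outright.
    results["bad_state"] = handle_callback(url2, "other", server, "myapp", "s3cret", redirect_uri)
    return results


if __name__ == "__main__":
    print(demo())
```

The scenario the original poster worries about (the client's server is down, so the code stays on screen) is case 3 above: the captured code is still pending, but without the client secret the exchange fails, and a real authorization server also expires unused codes after a short lifetime, which this mock does not model.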

That is correct, but why would Twitch not rather put it inside the body? That just adds another layer of security.

Section 4.1.2

It’s to be transmitted as

“application/x-www-form-urlencoded”

Which means it’s a query parameter (regardless of it being HTTP GET or POST).

Snippet from the specification:

4.1.2. Authorization Response

If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the “application/x-www-form-urlencoded” format, per Appendix B:
