OAuth, Redirect URI and other weird creatures

[Ñuño_Martínez]

Actually not sure if this is the best sub-forum.  Move it if you think so.

Trying to summarize.

I started to do streaming through Twitch.tv and I realized there are not desktop applications for Linux.  I'm using ffmpeg from a terminal, but this doesn't allow too much control and you have to have a web-browser open to your channel to control some stuff.

So I was wondering to create a simple (ha!) application to do some management over the streaming, even calling ffmpeg instead of using the terminal, but as I've read public Twitch.tv API uses OAuth and forces to have a "Redirect URI".  About OAuth I have no idea how does it work or if it's possible to do such thing using Free Pascal (Indy? Synapse? ...).  About the URI, here they suggest to use a local webserver embedded in the application (I know it is possible to create a local webserver but I don't see why it is necessary).

Of course I'll ask in Twitch developers forum but I'm pretty sure they don't know what Pascal is so I first ask here for help and opinion, specially because I don't actually know what to ask them.  I did very few network programming with Free Pascal so I'm a bit lost.

[rvk]

About the URI, here they suggest to use a local webserver embedded in the application (I know it is possible to create a local webserver but I don't see why it is necessary).

A local webserver is necessary because the oauth opens up a browser to their authentication page. After the user accepts, the user gets redirected to your own url with the access token in the url itself.

Without that, you can't get to the access token because you usually don't have access to the browser data.

Your  "Redirect URI" can look like http://localhost:1500 and you'll only need to listen on port 1500 for the incoming connection. You can present a simple page with "my app now has access" or something.

[Thaddy]

There's a good OAuth2 example in trunk (probably also 3.2.0)

[Leledumbo]

Additionally, current OAuth version is a bit liberal, in the sense that the flow may be customized a bit. Most won't directly give you the access token in that redirect URI, but an authorization code that you must exchange with an actual access token. Instagram is a crazier example as even after that you're given a short term access token only, which you must exchange again with long term one if you're planning to use it for a longer time. Even so, eventually access token will and should expire for security. So you will have to regularly refresh the access token to get a new one. A sane OAuth implementation should provide this endpoint, where you should give a refresh token to get a new access token. Typically both are returned when you exchange the authorization code.

You can play around here to get a better understanding of how the protocol in each flows work.

Here's a little redirect server example (not directly working as you will need to substitute the placeholder values with something real):

Code: Pascal  [Select][+][-]

1. program fpoauthclientexample;
2.  
3. {$mode objfpc}{$H+}
4.  
5. uses
6.   SysUtils,
7.   httpdefs,
8.   httproute,
9.   fpjson,
10.   jsonparser,
11.   fphttpclient,
12.   fpHTTPApp;
13.  
14. procedure ExchangeAuthCodeWithAccessToken(ARequest: TRequest; AResponse: TResponse);
15. var
16.   LCode,LOAuthRes,LAccessToken: String;
17.   LJSONRes: TJSONObject;
18.   LAccessTokenNode: TJSONData;
19. begin
20.   LCode := ARequest.QueryFields.Values['code'];
21.   if LCode = '' then begin
22.     AResponse.Code := 400;
23.     AResponse.ContentType := 'application/json';
24.     AResponse.Content := '{"message":"code parameter is not provided or empty"}';
25.   end else begin
26.     try
27.       LOAuthRes := TFPHTTPClient.SimpleFormPost('http://some.where/oauth/access_token','client_id=xxx&client_secret=yyy&grant_type=authorization_code=' + LCode);
28.       LJSONRes := TJSONObject(GetJSON(LOAuthRes));
29.       if Assigned(LJSONRes) then begin
30.         LAccessTokenNode := LJSONRes.FindPath('access_token');
31.         LAccessToken := LAccessTokenNode.AsString;
32.         // now you have the access token, store it somewhere secure
33.       end;
34.     except
35.       on e: Exception do begin
36.         AResponse.Code := 500;
37.         AResponse.ContentType := 'application/json';
38.         AResponse.Content := '{"message":"' + e.Message + '"}';
39.       end;
40.     end;
41.   end;
42. end;
43.  
44. begin
45.   HTTPRouter.RegisterRoute('/exchange',@ExchangeAuthCodeWithAccessToken);
46.   Application.Initialize;
47.   Application.Port := 9999;
48.   Application.Run;
49. end.
50.  

[Ñuño_Martínez]

Thanks for the comments and tips.  I'll follow the links and read the examples, and ask more question if needed.