Tags: oauth, twitch

Understanding OAuth implicit flow


I'm working with the New Twitch API and I wish to get data from an endpoint using JavaScript.

Endpoint https://dev.twitch.tv/docs/api/reference/#get-streams

For the means of testing, I'm hitting the endpoint with Postman and it's working.

According to the docs, I need to provide a client-id which I can get from my developer dashboard and I add this as a header in Postman.

What I'm confused about is that it seems, as long as you have someone's client-id (which is going to be exposed when using JS), anyone can hit this endpoint? What stops someone taking my client-id, or me taking someone else's, and using it for their/my own purposes, and what are the risks with that?


Solution

  • In general, it's the Redirection URL that's the lynchpin.

    The flow works like this:

    1. You register your app at Twitch. As part of this step, you specify your redirection URL (https://dev.twitch.tv/docs/authentication/#registration).
    2. A user visits a web page that makes use of the API.
    3. The user needs to authenticate. The web page hands off to the Twitch OAuth authentication page, passing along its Client ID.
    4. The user authenticates with Twitch.
    5. Twitch redirects the user to the Redirection URL set up in step #1, along with a Bearer Token.

    As you can see in step 5, the token is only sent back to your Redirection URL. If another website tried to get a user authenticated using your Client ID they would never receive back the token.

    The area where I think you could run into trouble is rate limiting. Twitch limits you to 30 queries per minute with a Client ID and no Bearer Token, or 120 queries per minute with both. If a malicious user is using your Client ID then it would eat up your rate limit. See https://dev.twitch.tv/docs/api/guide/