shortcode-oauth
This repository contains several clients for the Mixer shortcode OAuth flow. This is an alternative OAuth-based flow for applications to avoid the need for opening or embedding browsers, or requiring keyboard input on the client device.
Several implementations are available:
@mixer/shortcode-authin Node.js-
Microsoft.Mixer.ShortcodeOAuthin C# (.NET standard) mixer_shortcodein Python
Quickstart
- Register an OAuth application on the Mixer Lab. If you're developing an integration which will run on users' computers, you should not request a client secret.
- Find the client for your language above.
- Follow the instructions/example code on its readme to get going!
Specification
Shortcode OAuth was first described in the Interactive protocol specification. The relevant sections are below.
β
βΌ
βββββββββββββββββββ βββββββββββββββββββββββββββββββ
β Have existing β β Call POST /oauth/shortcode β
β access_token? βββββnoβββββββΆβ with desired permissions + βββββββ
βββββββββββββββββββ β client details β β
β βββββββββββββββββββββββββββββββ βΌ
yes β² ββββββββββββββββββββββββββββββββββ
β β β Direct user to beam.pro/go to β
β β β enter six-digit `code` β
β β ββββββββββββββββββββββββββββββββββ
βΌ 404 status β βββββββββ
βββββββββββββββββββ (code expired) βΌ β 204 status
β Is it close to β β ββββββββββββββββββββββββββββΌβββββ (not entered
β expiring? βββββββyesβββββ β β Poll GET β β yet)
βββββββββββββββββββ β ββββββ/oauth/shortcode/check/{handle}ββββ
β βΌ βββββββββββββββββββββββββββββββ¬ββ
β βββββββββββββββββββββββ β β
no βUse the refresh_tokenβ 200 status 403 status
β β to get new tokens β β (denied access)
βΌ βββββββββββββββββββββββ βΌ β
βββββββββββββββββββ β ββββββββββββββββββββββββββββ βΌ
β Use the β β βExchange for access_token,β βββββββββββββββ
β access_token to βββββββββββββββ΄βββββββββββββ refresh_token β β Show Error β
β handshake β ββββββββββββββββββββββββββββ βββββββββββββββ
βββββββββββββββββββ
In order to build an OAuth shortcode-based application without using one of these ready-made clients, you should follow these steps:
-
Register an OAuth application on the Mixer Lab. If you're developing an integration which will run on users' computers, you should not request a client secret.
-
Call
POST /oauth/shortcodewith yourclient_id,client_secret(if any) and space-delimitedscopeyou want in the request body. This will typically look something like this::POST /api/v1/oauth/shortcode HTTP/1.1 Accept: application/json, */* Host: mixer.com { "client_id": "fooclient", "scope": "interactive:robot:self" } HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 { "code": "8WPVHT", "expires_in": 120, "handle": "Lc7eBcB78d5gZmqHOajMH3QnmFPrxLGr" }
-
Display the short six-digit
codeto the user and prompt them to enter it on mixer.com/go. You can view a user's perspective of this process here. -
Continuously poll
GET /oauth/shortcode/check/{handle}. It will give you one of a few statuses back:-
204 No Contentindicates we're still waiting on the user to enter the code. -
403 Forbiddenindicates the user denied your requested permissions. -
404 Not Foundindicates that the handle is invalid or expired. -
200 OKis returned once the user has granted your application access. The response body will contain ancode.
A poll which results in a 200 response might look something like this::
GET /api/v1/oauth/shortcode/check/Lc7eBcB78d5gZ... HTTP/1.1 Accept: application/json, */* Host: mixer.com HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 { "code": "r2BTMKCZJJyIuoNE" }
-
-
The client app should use this code as an OAuth Authorization Code which it can exchange for access and refresh tokens. The
redirect_uriin the exchange request is not required and will be ignored, but you must present a validclient_id. A request to exchange the tokens might look something like this::POST /api/v1/oauth/token HTTP/1.1 Accept: application/json, */* Content-Type: application/json Host: mixer.com { "client_id": "fooclient", "code": "r2BTMKCZJJyIuoNE", "grant_type": "authorization_code" } HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 { "access_token": "pHktaORPcQGejnz48rJQdDWh1AJpevs \ TWnvKrZW5z2HP3lgEqhp9gzje1YfblIO2", "expires_in": 21599, "refresh_token": "HzCZSviiueoWsfcT6kh6d4n7SHUnfK \ cFTRIOyHkgykjaCSIT5ctTqUKNTXfWsxfg", "token_type": "Bearer" }
-
The response will include an
access_token, which you should send in the Authorization header when you connect to Interactive, prefixed withBearerper standard OAuth behavior. In the above example, the client would then connect to Interactive and present the headerAuthorization: Bearer pHktaORPcQGejnz48rJQdDWh1AJpevsTWnvKrZW5z2...
