Hate to resurrect a dead thread here, but I feel like it pertains to a situation I’m facing. Pop-ups cannot call back to their opener in this case, since an iframe can’t be accessed by a child pop-up window (violates security issues and most browsers prevent that). Without redirecting back to a Twitch URL, how do you do this? Ideal flow:
1. User clicks OAuth and OAuth opens in a pop-up
2. Successful authentication redirects to EBS (/auth/callback or whatever)
3. The EBS page that renders closes itself and gets the auth data back to the main window that opened it
Alternative to #3: If #3 can’t happen like that, then how do you go about saving the auth credentials in the EBS and tying them to the proper user on the back-end so that the client-side can retrieve them later, without also having the user ID (either opaque ID or their actual Twitch ID) to associate with the credentials that are sent as parameters in the OAuth callback URL (since the redirect URI can’t have additional parameters that we could supply, because most OAuth schemes don’t allow parameters in the redirect URI or wildcard URLs; it has to match what’s in their whitelist exactly)?
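Added example, not part of the original post or of any Twitch code: one way to tie the callback to a user without touching the redirect URI is the OAuth 2.0 `state` parameter (RFC 6749), which the provider echoes back unchanged. The sketch assumes the EBS already knows the caller's opaque ID when it builds the authorize URL; `issueState`, `verifyState` and `STATE_SECRET` are hypothetical names.

```javascript
const crypto = require('crypto');

// Assumption: a secret known only to the EBS (generated here for the demo;
// a real deployment would load it from configuration).
const STATE_SECRET = crypto.randomBytes(32);
const STATE_TTL_MS = 10 * 60 * 1000; // state is valid for 10 minutes

function sign(payload) {
  return crypto.createHmac('sha256', STATE_SECRET).update(payload).digest('hex');
}

// Called when the user clicks "connect". The returned string goes into the
// authorize URL as state=<value>; the registered redirect URI stays untouched.
function issueState(opaqueUserId, now = Date.now()) {
  const claims = {
    uid: opaqueUserId,
    nonce: crypto.randomBytes(16).toString('hex'), // makes every state unique
    exp: now + STATE_TTL_MS,
  };
  const payload = Buffer.from(JSON.stringify(claims)).toString('hex');
  return `${payload}.${sign(payload)}`;
}

// Called in the /auth/callback handler with the `state` query parameter.
// Returns the opaque user ID, or null if the value is missing, forged,
// altered or expired. A null result means the callback must be rejected.
function verifyState(state, now = Date.now()) {
  if (typeof state !== 'string') return null;
  const parts = state.split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'hex').toString('utf8'));
  } catch {
    return null;
  }
  if (typeof claims.exp !== 'number' || claims.exp < now) return null;
  return typeof claims.uid === 'string' ? claims.uid : null;
}
```

The callback handler stores the tokens under the ID that `verifyState` returns, and the client later fetches its own record by authenticating to the EBS as that same user. Rejecting a reused nonce would additionally require the EBS to remember the nonces it has already accepted until they expire.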