Step 1 of oAuth is to redirect the user to Twitch.
Not to fetch the URL
Also: ClientIDs are public. So you censored it for no reason.
oAuth steps:
- User comes to your website
- User clicks link to login with Twitch
- User is taken to Twitch
- User accepts (or declines) the link between ClientID and their account
- If Accept they come back to your website with a `?code`
- You exchange the `?code` for an access and refresh token
You are getting an invalid CSRF token as the security system is preventing you trying to do this wrong.
Here is an implicit auth (not code auth, which you want to use) example to demonstrate the flow
https://barrycarlyon.github.io/twitch_misc/authentication/implicit_auth/
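
The code flow from the steps above, sketched server-side as an added example (not part of the original post and not the poster's code). The function names are hypothetical, and the `state` check goes beyond the steps listed: it is your own per-login CSRF value that Twitch returns unchanged on the callback.

```javascript
// Added example: buildAuthorizeUrl, readCallback and buildTokenRequest are hypothetical names.
const AUTHORIZE = 'https://id.twitch.tv/oauth2/authorize';
const TOKEN = 'https://id.twitch.tv/oauth2/token';

// Random per-login value; store it in the user's session before redirecting.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Link/redirect step: the URL the *browser* is sent to (HTTP 302), never fetched server-side.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, state }) {
  const url = new URL(AUTHORIZE);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: scopes.join(' '),
    state,
  }).toString();
  return url.toString();
}

// Return step: the user lands on redirect_uri with ?code=... (accepted) or ?error=... (declined).
function readCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams;
  if (!expectedState || q.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  if (q.has('error')) return { ok: false, reason: q.get('error') };
  const code = q.get('code');
  return code ? { ok: true, code } : { ok: false, reason: 'missing_code' };
}

// Exchange step: server-to-server POST that swaps the code for access and refresh tokens.
function buildTokenRequest({ clientId, clientSecret, redirectUri, code }) {
  return {
    url: TOKEN,
    method: 'POST',
    body: new URLSearchParams({
      client_id: clientId,
      client_secret: clientSecret,
      code,
      grant_type: 'authorization_code',
      redirect_uri: redirectUri,
    }),
  };
}
```

Only the last request is made by your server, for example with `fetch(req.url, { method: req.method, body: req.body })`; the client secret used there stays server-side, unlike the ClientID.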