Yes, I do understand that the user signs in through Twitch. If you do the first time setup for the broadcaster on the redirect page, anyone with the link is able to perform a first time setup for their account even if they don’t have the extension installed.
What I am doing by sending the tokens back to the config page, then POSTing them to the EBS again is to make sure the authentication was called from the config page.
For exempel, my redirect uri is a php script that gets the access token for the code specified from the authentication, the script then gets the user information for this access token, stores the user in a ”broadcasters” table together with the tokens. Now, if this user is not even using the extension, he will be in the broadcaster table without even using the extension on his channel page. I mean, there’s no harm having the user there, but it’s unneccesary to store more tokens than needed.