Long-Lived Desktop Chat Application OAuth Token Secure Storage

Desktop app talks to me/my server.
Desktop app will use another method to secure connections from it to my server.
My server holds all the tokens and refresh tokens.

Or

Use implicit auth, when the token dies you’ll ask the streamer to refresh and that’ll be fully transparent, with force verify off, as long as the streamer is still logged in to Twitch.
So app invokes Chrome to open the OAuth loop.
That auto completes since already granted and no force verify.
Then the key is auto passed back to your app via either a local server in the app (that then auto closes the tab) or via someprotocol://words (which is harder to auto close the tab).
This is mostly transparent.

I usually use the former: devise a way for the desktop app to securely connect to my server.
Then link that “account” with a Twitch Account in my server.
(My server also handles sending app updates, so I have a server anyway, I know some people use GitHub for releases so they don’t already have a server)

Generally I feel most people use implicit auth.
For the 60-day token.

Then if there is less than, say, a week left on the token you can show an alert to the streamer that it’s time to reauth and they can do that pre/post a stream since the app shows an alert telling them it’s time to refresh.

'Course not much you can do when a token (and refresh token if you have one) are both killed due to Twitch password reset or another reason disconnecting your App and the User from each other

As to PKCE, to use an example, EDMC (a desktop app for Elite Dangerous): quite often the refresh token is dead (IIRC FDEV only has a short expiry on its refresh and Twitch doesn't), so at app start it prompts the OAuth flow in the web browser, which is disruptive anyway. Definitely would be nice though!

TLDR: My app connects to my server via custom accounts system
My server links that account with a Twitch account
My server manages token management, caching, eventsub relay, so on and so forth.

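The loopback-redirect mechanism described above (local server in the app, tab auto-closed) and the "warn when under a week is left" reminder, as an added example that is not code from the post or from Twitch. It assumes the app registered `http://localhost:<port>/` as its redirect URI, generated a random `state` value before opening the browser, and reads the seconds remaining from whatever token-validation call it already makes; the implicit grant returns the token in the URL fragment, which browsers never send to a server, so the page served at `/` forwards it with a small script.

```python
"""Loopback receiver for an implicit-grant OAuth redirect plus a re-auth reminder.

Added example, not the forum poster's code. Assumptions: the redirect URI is
http://localhost:<port>/, the app generated `expected_state` itself before
opening the browser, and `expires_in` comes from the app's own validation call.
"""
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

REAUTH_WARNING_SECONDS = 7 * 24 * 3600  # prompt the streamer when under a week remains


def parse_implicit_fragment(fragment: str, expected_state: str) -> dict:
    """Parse '#access_token=...&scope=...&state=...' from the redirect.

    The state check rejects a redirect the app did not initiate (a CSRF-style
    token injection); error responses are surfaced instead of silently ignored.
    """
    fields = {k: v[0] for k, v in
              parse_qs(fragment.lstrip("#"), keep_blank_values=True).items()}
    if "error" in fields:
        raise PermissionError(fields.get("error_description", fields["error"]))
    if not secrets.compare_digest(fields.get("state", ""), expected_state):
        raise ValueError("state mismatch: redirect was not triggered by this app")
    if not fields.get("access_token"):
        raise ValueError("no access_token in redirect")
    return {
        "access_token": fields["access_token"],
        "scopes": fields.get("scope", "").split(),  # space-separated after URL decoding
    }


def reauth_due(expires_in: int, warning_window: int = REAUTH_WARNING_SECONDS) -> bool:
    """True when the token has less than `warning_window` seconds left."""
    return expires_in < warning_window


# Page served at '/': the fragment is forwarded to the app, then the tab closes.
FORWARD_PAGE = b"""<!doctype html><html><body>
<script>
fetch('/token', {method: 'POST', body: location.hash.slice(1)})
  .then(function () { window.close(); });
</script>
Login complete, you can close this tab.
</body></html>"""


class LoopbackHandler(BaseHTTPRequestHandler):
    expected_state = ""
    result = {}

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(FORWARD_PAGE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        try:
            type(self).result = parse_implicit_fragment(body, self.expected_state)
            self.send_response(204)
        except (ValueError, PermissionError) as exc:
            type(self).result = {"error": str(exc)}
            self.send_response(400)
        self.end_headers()

    def log_message(self, *_):  # keep tokens out of stderr
        pass


def wait_for_token(port: int, expected_state: str, timeout: float = 300) -> dict:
    """Serve the loopback redirect on 127.0.0.1:<port> until a token or error arrives.

    The port must match the registered redirect URI, so it is fixed, not ephemeral.
    """
    LoopbackHandler.expected_state = expected_state
    LoopbackHandler.result = {}
    server = HTTPServer(("127.0.0.1", port), LoopbackHandler)
    server.timeout = 1  # poll so the deadline is honoured while idle
    deadline = time.monotonic() + timeout
    try:
        while not LoopbackHandler.result and time.monotonic() < deadline:
            server.handle_request()
    finally:
        server.server_close()
    return LoopbackHandler.result or {"error": "timed out waiting for redirect"}


if __name__ == "__main__":
    # In the real app: open the browser on the authorize URL carrying `state` first.
    state = secrets.token_urlsafe(16)
    print("waiting on http://127.0.0.1:8765/ with state", state)
    print(wait_for_token(8765, state, timeout=60))
```

`parse_implicit_fragment` is the only part that touches the token, so it is the part to unit test; `wait_for_token` simply drives it from the local HTTP listener and returns the same dict to the caller.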