Long-Lived Desktop Chat Application OAuth Token Secure Storage

Thanks for sharing!
Kinda what I was expecting, haha!

Seems like for the purely desktop app (no remote server deployment available), no matter what, something secret gets stored – be it code grant with client secret & refresh token, or implicit with a long-lived token – something will be stored on the broadcaster’s PC.

It kinda makes sense a lot of folks would drift towards implicit because only one “secret” needs to be stored (the long-lived token), and (in the case of Twitch / against OAuth recommendations) it is long-lasting.

Attack-vector-wise, compromising a secret or a long-lived token could have the same consequences, though at that point an attacker would have access to the broadcaster’s PC and could do lots of other damage. So unless either can be stored securely (like the remote server account you mentioned), I guess one would be indifferent to either option and go for the ‘simpler’ one (though in my case, it’s easier to use the code grant since Spring Security doesn’t support the implicit flow).

Only hesitation I have with implicit is that it’s not recommended more widely anymore, so I expect Twitch to eventually kill it at some point?