If the “Secret” in this case is the user's own token,
then it is perfectly fine to store the user's own token in the desktop app, since it's the user's token.
For implicit auth you wouldn't be storing anything “secret” client-side.
And like you say
If they “won” the user's PC, they can just grab the first-party token that is being used to talk to the Twitch website (via Chrome) rather than looking for some misc program like yours. (Easier to go after a known attack vector/likely installed program than looking for misc apps like what we make.)
Yeah I read that somewhere else recently. I don’t think there are plans to 'nix it.
And if they do, they are probably gonna replace it with PKCE like the uservoice you linked already, or (hopefully) follow whatever the RFC recommends.
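For reference, this is what the PKCE replacement mentioned above looks like on the wire: the desktop app keeps a one-time random verifier in memory, sends only its SHA-256 challenge with the authorization request, and the server checks the verifier at token exchange, so no long-lived client secret has to live in the app. Added example code, not from this thread or from Twitch; the helper names are my own, and the check value comes from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: fresh random verifier per authorization request.

    32 random bytes encode to 43 chars, the RFC 7636 minimum length.
    """
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge sent with the authorize request
    (code_challenge=..., code_challenge_method=S256)."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def server_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side, at token exchange: recompute the challenge from the
    verifier the client now presents and compare in constant time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Constructed round trip: the app never stores a secret, only the
    # per-request verifier, and a stolen challenge alone is useless.
    v = make_code_verifier()
    c = make_code_challenge(v)
    print("verifier ok:", server_accepts_verifier(c, v))
    print("wrong verifier rejected:", not server_accepts_verifier(c, make_code_verifier()))
```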