Multiple Redirect URIs for Single Application

The scope parameter appears to work inside of the Implicit Grant Flow method, but you will then need to use JavaScript to redirect the user to the proper location since the variable appears in the fragmented URL, which isn’t the best method but may be one of my only solutions unless I switch to the Authorization Code Flow, which I probably will do.

Thanks for the quick reply. I really appreciate it.


Updated Response

If anyone else is having an “issue” similar to mine and has the need to have multiple URLs with API access, here is the solution I ended up using in the end. It only took me about an hour to update my old Token Implicit Grant Flow method to the Authorization Code Flow method.

The first thing is to create the authorization file on your server. I didn’t have the need to store tokens since I don’t need to access user information when they are offline. The file should simply perform the POST request to https://api.twitch.tv/kraken/oauth2/token with the proper POST data. More information on Twitch’s GitHub.

I also implemented a unique key for each request that I pass as state with the initial authorization request. I verify that the returned state value is valid; this helps prevent CSRF. If the value isn’t valid, I don’t make the above authorization request and show a warning to the user.

Along with the CSRF state value, I also pass a redirect URL in the state value. Once the user is successfully authorized I will redirect them. I did some parsing of the redirect URI that I pass to make sure it stays on my website and doesn’t contain any Cross Site Scripting code. If you want, you can redirect the user and include the token in the fragmented URL so you don’t have to change any existing JavaScript you have on your site. When redirecting based on URL parameters, make sure you don’t leave your website or include a whitelist of allowed URLs.

Hopefully this makes some sense and will help at least one person.

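The server-side pieces described in the updated response (a per-request CSRF key carried in `state` together with the post-login redirect, verification of `state` before the code is exchanged, and a same-site check on the redirect target) as an added Python example. This is not the poster's code or Twitch's; the secret, the `example.com` host allow-list and the session handling are constructed placeholders, and the token-exchange body uses the standard OAuth 2.0 authorization-code parameters, so check them against Twitch's documentation before use.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode, urljoin, urlparse

# Constructed placeholders: use your own server-side secret and host list.
STATE_SECRET = b"replace-with-a-long-random-server-secret"
SITE_ORIGIN = "https://example.com"          # hypothetical site
ALLOWED_HOSTS = {"example.com"}              # hypothetical allow-list
TOKEN_URL = "https://api.twitch.tv/kraken/oauth2/token"  # endpoint named in the post


def make_state(redirect_to, secret=STATE_SECRET):
    """Build a signed state value: {nonce, redirect} + HMAC-SHA256.

    Returns (state, nonce). Store the nonce in the user's session so the
    callback can confirm the state came from a request this browser started.
    """
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps({"nonce": nonce, "redirect": redirect_to},
                         separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    encoded = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{encoded}.{sig}", nonce


def parse_state(state, expected_nonce, secret=STATE_SECRET):
    """Return the redirect target from a valid state, or None if the
    signature is wrong or the nonce does not match the session's nonce."""
    try:
        encoded, sig = state.split(".", 1)
        encoded += "=" * (-len(encoded) % 4)      # restore base64 padding
        payload = base64.urlsafe_b64decode(encoded)
    except (ValueError, binascii.Error):
        return None
    expected_sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, sig):
        return None                                # tampered or forged state
    data = json.loads(payload)
    if not hmac.compare_digest(str(data.get("nonce", "")), expected_nonce):
        return None                                # CSRF: not this session's request
    return data.get("redirect")


def safe_redirect(target, site_origin=SITE_ORIGIN, allowed_hosts=ALLOWED_HOSTS):
    """Resolve target against the site and return it only if it stays on an
    allowed host over http(s); otherwise fall back to the site root."""
    fallback = site_origin + "/"
    if not isinstance(target, str) or any(c in target for c in "\\\r\n\x00"):
        return fallback                            # browsers treat '\' like '/'
    resolved = urljoin(fallback, target)           # relative paths stay on-site
    parts = urlparse(resolved)
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        return fallback                            # javascript:, //evil.com, lookalikes
    return resolved


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Return (url, form-encoded body) for the authorization-code exchange."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
    })
    return TOKEN_URL, body


def handle_callback(params, session_nonce, client_id="cid", client_secret="csecret",
                    redirect_uri=SITE_ORIGIN + "/oauth/callback"):
    """Callback handler: refuse to exchange the code unless state verifies."""
    redirect_to = parse_state(params.get("state", ""), session_nonce)
    if redirect_to is None:
        return {"ok": False, "error": "invalid state; code not exchanged"}
    if "code" not in params:
        return {"ok": False, "error": params.get("error", "no code returned")}
    url, body = build_token_request(params["code"], client_id, client_secret, redirect_uri)
    # A real handler would POST body to url here and read the token from the response.
    return {"ok": True, "token_request": (url, body), "redirect": safe_redirect(redirect_to)}
```

The redirect is only read back out of a signed `state`, so a user cannot simply hand the callback an arbitrary `?redirect=` value, and `safe_redirect` is still applied afterwards in case the allow-list changes between the authorization request and the callback.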