The issue lies with clientside non-web applications. The authentication process is quite disrupting for the user because they need to switch to a browser for it. Necessary and acceptable as long as it doesn’t have to be done too often.
However using a refresh token is no option for a clientside app, because it requires a client secret in the requests and there is no way to store a client secret securely in a clientside app. The guide itself says “Client secrets are equivalent to a password for your application and must be kept confidential. Never expose it to users, even in an obscured form.”, so e.g. storing it in compiled code would not be acceptable, since that is merely obsured (there would always be ways to retrieve it, since the clientside application itself needs to be able to read it).
Maybe I’m missing something, but I’m really not sure how Twitch expects clientside non-web apps to handle this.
Edit: One way would probably be to use Authorization Code Flow through my own server, but I fail to see how having to handle user access tokens on my own server (even if I would never have to permanently store them) would add any security. Especially since I need the access tokens purely clientside, so there’s really no reason for it to be process anywhere except at Twitch and locally on the user’s computer. I’d rather be able to just specify that a user access token should be kept valid for e.g. a month or even just 2 weeks.