OAuth via Shortcode

Close but not quite.

The API would provide an authorization endpoint that generates a shortcode or code to display to the user.

There would be a second endpoint to verify that the shortcode had been authorized where you could get the access_token and refresh_token.

The way it is now is there’s an endpoint that generates a code. But you still need to run a server either locally or remotely to handle the authorization redirect.

Having an endpoint for generating a shortcode and checking if the shortcode is a bit cleaner. Essentially, I have to make a server page that does the endpoint that I’m looking for…

There’s also some extra work by the extension backend to correlate the auth request with the final authorization.

There are lots of ways to do it, but I’m using a PHP page with memcached to pass the browser tokens to the extension backend.

https://github.com/twitchdev/authentication-samples/tree/master/php
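A sketch of the two-endpoint shortcode flow described in the post above, as an added example; it is not from the post, its author, or the Twitch API. The class, method names, alphabet and TTL are hypothetical, an in-memory dict stands in for memcached, and it goes one step beyond the post by pairing the displayed shortcode with a separate secret polling handle (the `device_code` / `user_code` split of RFC 8628), so the short code alone never yields tokens.

```python
import secrets
import time

# Hypothetical in-memory stand-in for the API side of the shortcode flow.
ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only: easy to read aloud, no accidental words
TTL = 600  # seconds a shortcode stays valid (constructed value)


class ShortcodeAuth:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}        # device_code -> request record
        self.by_user_code = {}   # user_code -> device_code

    def start(self, client_id):
        """Endpoint 1: issue a shortcode to display plus a secret polling handle."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        self.pending[device_code] = {"client_id": client_id, "user": None,
                                     "expires": self.clock() + TTL}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code, "expires_in": TTL}

    def approve(self, user_code, user_id):
        """Called by the provider's own login page after the user enters the code."""
        device_code = self.by_user_code.pop(user_code, None)  # one attempt per code
        rec = self.pending.get(device_code)
        if rec is None or rec["expires"] < self.clock():
            return False
        rec["user"] = user_id
        return True

    def poll(self, client_id, device_code):
        """Endpoint 2: the client polls until the shortcode has been authorized."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["expires"] < self.clock():
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # tokens are handed out exactly once
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32), "user": rec["user"]}
```

With this shape the client needs no redirect handler of its own: it shows `user_code`, keeps `device_code` private, and polls until it gets tokens or a terminal error.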