I’m not normally one to bump my own topics, but I think the topic of being able to request a pre-existing access code (or invalidating previous ones) instead of having to hoard session data to prevent multiple access tokens from existing is an important one.
Having multiple unnecessary access tokens existing for the same user/device on the same app, with all tokens able to be used and not being able to be invalidated, is a security issue. As far as I can tell, the only way to prevent this from occurring without implementing a local account system (which can defeat the point if you’re using Twitch as an identity provider as well) is to extend the lifetime of the session to absurd levels - and of course even that doesn’t help if the user clears their cookies.
If there isn’t a means to request a pre-existing token or to invalidate a previous one, I’d like to request that this be considered. Thank you!
[edit: Of course, if one could request an expiration to be set on access tokens you receive, that would also work. This could be done on the page that allows you to regenerate your client secret, for example; that way you don’t need to worry about adding to the OAuth2 protocol.]