I’m working on integrating Twitch authentication into my iOS app using Swift. I want to use the OAuth implicit grant flow for this implementation.
My plan is to utilize Apple’s ASWebAuthenticationSession to handle the web-based login process. This should allow users to authenticate through Twitch’s login page directly within my app.
The part I’m struggling with is capturing the access token after successful authentication. According to the documentation, the token gets sent to the registered redirect URI. What should I use as the redirect URL in this scenario? Would something like a custom URL scheme work better than localhost?
Has anyone successfully implemented this flow before? I’d appreciate any guidance on the proper way to set up the redirect handling.
Custom URL schemes are definitely the way to go. I implemented this six months ago and hit some ASWebAuthenticationSession quirks that’ll save you time. Your redirect URL in the Twitch developer console needs to match exactly what you register in your app - including the path. I used myapp://twitch-callback. Session cleanup caught me off guard. ASWebAuthenticationSession leaves hanging sessions when users cancel mid-flow, so handle cancellation properly in your completion block. iOS 13+ changed presentation context behavior, so you might need to set presentationContextProvider depending on your deployment target. Token extraction is straightforward once the redirect works, but Twitch tokens expire so build refresh logic from the start.
I hit this exact problem building my streaming app last year. ASWebAuthenticationSession handles the redirect capture automatically - you don’t need to manually intercept URLs. Skip localhost for the redirect URL. Use a custom scheme like yourappname://auth/twitch instead. It’s way more reliable across iOS versions. Register the custom scheme in your Info.plist under URL Types. When you set up ASWebAuthenticationSession, pass your custom scheme as the callback URL scheme parameter. The session grabs any redirect to that scheme and returns the full URL (with access token) in the completion handler. Parse the URL components to pull out the token from the fragment. Watch out - Twitch puts the token in the URL fragment, not as a query parameter. Parse url.fragment instead of url.query when extracting the access token.
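The flow described in the answers above, as an added example that is not part of the original thread or any poster's code. The `TwitchAuth` class name, the placeholder client ID, the `user:read:email` scope and the `state` check are assumptions added for illustration; the redirect URI is the custom-scheme form suggested in the answer.

```swift
import AuthenticationServices

// Hypothetical helper (added example). Register "yourappname" under URL Types in Info.plist
// and the exact redirect URI below in the Twitch developer console.
final class TwitchAuth: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let clientID = "YOUR_CLIENT_ID"                 // placeholder
    private let redirectURI = "yourappname://auth/twitch"
    private let anchor: ASPresentationAnchor
    private var session: ASWebAuthenticationSession?        // strong reference while the flow runs

    init(anchor: ASPresentationAnchor) { self.anchor = anchor }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { anchor }

    /// Reads the token from the URL fragment; returns nil unless `state` matches the value we sent.
    static func accessToken(from callback: URL, expectedState: String) -> String? {
        guard var parts = URLComponents(url: callback, resolvingAgainstBaseURL: false),
              let fragment = parts.percentEncodedFragment else { return nil }
        parts.percentEncodedQuery = fragment                // reuse query-item parsing on the fragment
        let items = parts.queryItems ?? []
        func value(_ name: String) -> String? { items.first { $0.name == name }?.value }
        guard value("state") == expectedState else { return nil }   // reject responses we did not request
        return value("access_token")
    }

    func signIn(completion: @escaping (Result<String, Error>) -> Void) {
        let state = UUID().uuidString                       // per-request value echoed back by Twitch
        var authorize = URLComponents(string: "https://id.twitch.tv/oauth2/authorize")!
        authorize.queryItems = [
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: redirectURI),
            URLQueryItem(name: "response_type", value: "token"),
            URLQueryItem(name: "scope", value: "user:read:email"),
            URLQueryItem(name: "state", value: state),
        ]
        let session = ASWebAuthenticationSession(url: authorize.url!,
                                                 callbackURLScheme: "yourappname") { [weak self] url, error in
            self?.session = nil                             // release the session on success, error or cancel
            if let error = error { return completion(.failure(error)) }   // includes user cancellation
            guard let url = url,
                  let token = Self.accessToken(from: url, expectedState: state) else {
                return completion(.failure(URLError(.badServerResponse)))
            }
            completion(.success(token))
        }
        session.presentationContextProvider = self          // required on iOS 13+
        self.session = session
        session.start()
    }
}
```

Store the returned token in the Keychain rather than `UserDefaults`, and keep it out of logs.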