Twitch OAuth implementation with Retrofit keeps generating new tokens repeatedly

I’m working on Twitch OAuth integration in my Android app using Retrofit. I have this API call setup:

@GET("/oauth2/authorize?client_id=myClientId&scope=user:read:email&redirect_uri=http://localhost&response_type=token")
fun fetchAuthToken(): Call<ResponseBody>

When I launch the authorization flow using an Intent, the webview keeps refreshing and generating new access tokens continuously:

val authIntent = Intent(Intent.ACTION_VIEW, Uri.parse("https://id.twitch.tv/oauth2/authorize?client_id=myClientId&scope=user:read:email&redirect_uri=http://localhost&response_type=token"))
startActivity(authIntent)

The problem is that instead of getting one token and closing the webview, it keeps updating every second. My logcat shows tons of different tokens being generated. The back button doesn’t work either because the page keeps refreshing.

Here’s my manifest configuration:

<application
    android:allowBackup="true"
    android:icon="@mipmap/ic_launcher"
    android:label="@string/app_name"
    android:theme="@style/AppTheme">
    <activity android:name=".activities.HomeActivity">
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />
            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
        <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <category android:name="android.intent.category.BROWSABLE"/>
            <data
                android:host="localhost"
                android:scheme="http"/>
        </intent-filter>
    </activity>
</application>

How can I capture the access token once and immediately close the webview to prevent this continuous token generation?

Your webview keeps generating tokens because it’s not properly handling the redirect URI - it just stays open and keeps hitting the authorization endpoint. You need to catch the redirect in your activity’s onCreate or onNewIntent method. When Twitch finishes authorization, it redirects to your localhost URI with the token in the URL fragment. Grab the token from the intent data using getIntent().getData() and pull out the access_token parameter. Once you’ve got the token, call finish() right away to close the activity. Also throw in a state parameter for security. The trick is catching that redirect and killing the webview before it can refresh again.

hey, that endless refresh is probably from the localhost URI. switch to a custom scheme like myapp://auth for your redirect instead. update it in both your Twitch settings and manifest - should fix the webview closing issue after auth.

The continuous token generation happens because you’re not handling the redirect response properly. I had this exact issue before and fixed it by tweaking the intent filter in my activity. Your HomeActivity needs to catch the redirect and grab the token correctly. When the activity resumes, check if the intent data matches your redirect URI, pull the token straight from the URL fragment, then call finish() right away to exit. I missed this at first - you need to parse the fragment correctly since the access token comes after the # symbol. Also, make sure your Retrofit call to the auth endpoint runs externally through a browser, not directly from the app.
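
The redirect handling the answers above describe (token read from the part after `#`, plus a `state` check), as an added example in plain Kotlin that is not part of the original posts. The function names are hypothetical, the sample redirects are constructed, and the fragment layout assumes the implicit-flow response the question's URL requests.

```kotlin
import java.net.URI
import java.net.URLDecoder
import java.security.MessageDigest
import java.security.SecureRandom

// Hypothetical helper names; redirect URI and scope are the ones from the question.
const val REDIRECT = "http://localhost"

// Unpredictable per-request value; store it before launching the browser.
fun newState(): String =
    ByteArray(16).also { SecureRandom().nextBytes(it) }.joinToString("") { "%02x".format(it) }

fun authorizeUrl(clientId: String, state: String): String =
    "https://id.twitch.tv/oauth2/authorize?client_id=$clientId" +
        "&scope=user:read:email&redirect_uri=$REDIRECT&response_type=token&state=$state"

// Splits "a=1&b=2" into a URL-decoded map; used on the part after '#'.
fun parseParams(raw: String?): Map<String, String> =
    raw.orEmpty().split("&").filter { it.contains("=") }.associate {
        val (k, v) = it.split("=", limit = 2)
        URLDecoder.decode(k, "UTF-8") to URLDecoder.decode(v, "UTF-8")
    }

// Returns the token only if the URI is our redirect and carries the state we issued.
fun extractToken(redirect: String, expectedState: String): String? {
    val uri = URI(redirect)
    if (uri.scheme != "http" || uri.host != "localhost") return null
    val params = parseParams(uri.rawFragment) // token sits after '#', not in the query
    val state = params["state"] ?: return null
    val sameState = MessageDigest.isEqual(state.toByteArray(), expectedState.toByteArray())
    return if (sameState) params["access_token"] else null
}

fun main() {
    val state = newState()
    println(authorizeUrl("myClientId", state))
    // Constructed sample redirects, not captured traffic.
    val good = "http://localhost/#access_token=SAMPLE_TOKEN&scope=user%3Aread%3Aemail&state=$state&token_type=bearer"
    val wrongState = "http://localhost/#access_token=OTHER_TOKEN&state=not-ours&token_type=bearer"
    val denied = "http://localhost/?error=access_denied&state=$state"
    check(extractToken(good, state) == "SAMPLE_TOKEN")
    check(extractToken(wrongState, state) == null) // state mismatch: token is discarded
    check(extractToken(denied, state) == null)     // no fragment, so no token
    println("ok")
}
```

In the activity, pass `intent.data?.toString()` to `extractToken` from `onCreate`/`onNewIntent` and call `finish()` once it returns; keep the returned token out of logcat.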