For people who work with desktop applications, how do they handle oauth2 flows for third party services that need a redirect url?

I'd like to authenticate users through Discord's oauth2 login. But I'm working on a desktop app, with no webservice behind it.

I've read about the redirect scheme that looks like,

urn:ietf:wg:oauth:2.0:oob

But discord says it's a non matching redirect url after logging in through oauth2.

For people who work with desktop applications, how do they handle oauth2 flows for third party services that need a redirect url?

I'd like to authenticate users through Discord's oauth2 login. But I'm working on a desktop app, with no webservice behind it.

I've read about the redirect scheme that looks like,

urn:ietf:wg:oauth:2.0:oob

But discord says it's a non matching redirect url after logging in through oauth2.

• javascript
• oauth
• electron
• oauth-2.0

• I think that you need to develop a server-side application for oauth2 login. Actually, Oauth2 made for internet-based applications which used a specified URL for accessing. Desktop application does not work on that way so you can not integrate Oauth2. – Linh Commented Jun 1, 2016 at 7:35

1 Answer 1

If you use a desktop application you have a couple of choices:

1. You can start a webserver locally and use localhost as redirectUri. The downside is that you will usually need to also supply the port number in the list of allowed redirect Uris and you won't necessrily know if a certain port is available on the client.
2. The urn:ietf:wg:oauth:2.0:oob instructs the server not redirect the user at all but output the code in the browser windows title. If you have the appropriate permission to read other windows title then you can autodetect changes there. Also the code is usually displayed to the user so that as a fallback he can copy&paste the code into your application. However your service may not support this.
3. Setup a webservice that forwards the token for you. Basically you setup a webservice against which your application authenticates and that webservice returns an URL to the authentication service including an appropriate state to you to which you send the user. Then the authentication service will send your user back to your webservice which again reports the code to your application e.g. by means of long polling, web sockets, or a real TCP connection which is kept open during the whole process. Note that the webservice will need careful design so that the service is not abused by third-parties. Since you cannot technically authenticate your desktop application against the webservice, you cannot stop other applications from calling your webservice, but you can present some information to the user on the consent screen that helps users identify whether the request was legitimate or not.