Twitch Authentication for Unity
A Unity Asset by Firesplash Entertainment
Configuring Server Assisted Flow

The server assisted flow is an Authorization Code Flow split into two parts: a game/client side authorization and a server side token request. With this method, your Client Secret stays on the server and never ships with the game.

Preparing the server

You need a server or some webspace somewhere on the internet to host this file. The webspace needs to be PHP-enabled and to provide the curl extension for PHP. This is an industry standard setup, so it should not be an issue to find a suitable one.


You should make sure that your webspace supports SSL encryption (HTTPS). This is a best practice and is required if you use a parole (additional authentication between game and script).

Configuration of the script

You need to find the file TwitchAuthServer.php in your downloaded asset folder, copy it somewhere outside the Unity project and edit it using Notepad++ or a similar editor (VSCode, Visual Studio, ...).

A single instance of this script can host multiple games. You do not need to host multiple files just to allow multiple games to log in using different client credentials. You should, however, only ever use a client credential for ONE single game.

See also
https://dev.twitch.tv/docs/authentication/register-app

For this documentation we assume you have already created your application on Twitch and added the TwitchAuthenticationHelper component to a GameObject.

The PHP script is kept very simple and you can clearly see the configuration block. The default block can be copied or edited as you wish. Make sure to always end the block with a comma to prevent syntax errors.

See this image as a guide on what to enter where:

Left is the inspector, top right is Twitch and bottom right is the script

Orange means the value comes from the inspector, purple marks values delivered by Twitch and blue means values of your choice / depending on your setup. The following configuration has to be done (textual version of the image above):

  1. Copy the Unique ID from the inspector into the configuration ID of the PHP script (top left value)
  2. Type the callback URL into the Twitch console as written down in the help box of the inspector. Remember: NO trailing slash!
  3. Copy the Client-ID from Twitch into the inspector and into the client field in the PHP script
  4. Click the "New Secret" button in the developer console, if not already done
  5. Copy the generated secret into the field of the PHP script
  6. Put the full URL where the PHP-Script can be reached into the inspector
  7. Optional: For enhanced security, set a parole in the script and the inspector. This requires using HTTPS and. The parole should only contain alphanumeric characters and is case sensitive.

Configuration of TwitchAuthenticationHelper

As seen in the picture above, some values also have to be entered back into the inspector, most importantly the URL to the PHP script and the ClientID. You don't need to set a parole, but if you set it on the script side, it must also be set on the client side.

Parole Setup

If you want to make use of the additional security of a parole key, you need to have the same key on both ends (PHP script and game client). We recommend rolling the key over with every game update you make (the more often you do, the harder it is for potential bad actors to catch up). As you might not want to immediately lock out older versions, you can keep multiple paroles valid at once by specifying an array of paroles like ["parole1", "P4R0L3Tw0"]. Just don't forget to remove the old parole at a given point in time.

Parole caused errors

If the parole does not match between client and server, the authentication will fail with error "unknown" (this is intended, as it is not directly an authentication error but a configuration issue). The errorDescription will contain information about it: "Game not authorized - Check for updates, if you are a player."

Error handling

The script works transparently. The only exception: if the script itself blocks a request, it does so using HTTP status code 400, which causes an "unknown" error code in the AuthenticationResult with the reason given as text in errorDescription. In every other case the script returns the same code and body as Twitch did, so it acts like a transparent proxy. You will, however, never communicate with the script directly, because the TwitchAuthenticationHelper does that for you.
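
The parole check described in the sections above (several paroles valid during a rollover, case-sensitive alphanumeric values, HTTPS required, and a block that is answered with HTTP 400) could look like this on the server side. This is an added example, not code from the asset's TwitchAuthServer.php; the function names, the configuration layout and the HTTPS error text are assumptions.

```php
<?php
// Added example, not the asset's TwitchAuthServer.php; every name here is hypothetical.

// Constructed configuration: 'parole' is a string, or an array during a rollover.
$game = ['parole' => ['parole1', 'P4R0L3Tw0']];

/** Normalise a parole setting (null, string or array) to a list of strings. */
function validParoles($setting): array
{
    if ($setting === null || $setting === '') {
        return [];
    }
    return array_values(array_filter((array) $setting, 'is_string'));
}

/**
 * Returns null when the request may be forwarded to Twitch, otherwise the
 * text to send with an HTTP 400 response.
 */
function paroleGate(array $game, ?string $supplied, bool $isHttps): ?string
{
    $valid = validParoles($game['parole'] ?? null);
    if ($valid === []) {
        return null;                      // no parole configured for this game
    }
    if (!$isHttps) {
        return 'Parole requires HTTPS';   // a parole sent over plain HTTP is exposed
    }
    $match = false;
    if ($supplied !== null && ctype_alnum($supplied)) {
        foreach ($valid as $candidate) {
            // hash_equals() compares in constant time; evaluate every candidate.
            $match = hash_equals($candidate, $supplied) || $match;
        }
    }
    return $match ? null : 'Game not authorized - Check for updates, if you are a player.';
}

// Constructed requests: current build, previous build, wrong case, no parole, plain HTTP.
$requests = [['P4R0L3Tw0', true], ['parole1', true], ['PAROLE1', true], [null, true], ['parole1', false]];
foreach ($requests as [$sent, $https]) {
    $error = paroleGate($game, $sent, $https);
    printf("%-12s https=%d => %s\n", var_export($sent, true), $https, $error ?? 'forward to Twitch');
}
```

Run from the command line, the first two requests are forwarded and the last three are refused; removing 'parole1' from the array is what locks out the previous build.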