[Public Beta] Building Your Applications with OAuth 2.0

Can a scope for group roles be possibly introduced? It would make the creation of ranking bots so much easier.

1 Like

LETS GO!!!

This has just opened a massive door of possibilities just yearning to be released. This excites me just as much if not more than when HttpService released OVER 5 YEARS AGO! Proper authentication of a user is exceptionally important, and this functionality has just released a massive barrier on the ways we’ve been doing this.

2 Likes

@dragonknightflies What happens if a legitimate app is compromised & it does malicious things with its auth’d users?

E.g. if there’s an “asset manager” oauth app that gets comp’d, and it starts uploading inappropriate images for all of its registered users… how will Roblox handle situations like that? Obviously terminating the affected users is not an acceptable solution. Are there contingencies for these sorts of situations?

ICYMI:

The other documentation and the app management page clearly denote which scopes you can select from.

1 Like

I agree, if you’ve been on the platform for years you are unlikely to be a bad actor.

In the general case though, this is a very strong measure we can apply to ensure high accountability on bad actors. It definitely helps deter abuse.

I’ll forward the feedback, but unfortunately I can’t promise a solution soon as we would need to define what a “trusted user” would look like outside of ID verification. (it’s very difficult to get a formula that covers everyone that it should apply to and isn’t easy to game or abuse)

4 Likes

This is a general risk when delegating permissions to apps. The same risk applies when you currently delegate your credentials to popular Roblox browser extensions (the risk is actually even worse here).

If you don’t think you can take this risk and/or the app is not highly trusted, I recommend not giving said app permissions to do things on your account.

To answer your question, abusive apps will be punished, but you are delegating permissions to that app, so I cannot guarantee that you would not be punished for the app’s behavior. On our end we cannot determine if you yourself uploaded something inappropriately through an app, or if the app did that for you, as the app is third-party software.

1 Like

Yes, see the documentation. State parameter is supported and funneled all the way through in accordance with RFC-6749.

1 Like

Can we hope to see eventually support for making an account handle users promotions and demotions, or even make it easier to run a business and have an account auto-join groups? It’s tedious to join every group by hand when you have a lot of customers looking for group management services.

5 Likes

Actually, this is exactly what OAuth2 was designed to prevent. It allows you to control what other services can do. You can revoke access from those services at any time, remove permissions, etc. You allow the other services access to only the specific things that service needs, and you can see and control what things you’re allowing.

In this case, you can’t give an application permission to take items to begin with, but, even if that were an option, you’d have to intentionally give that website access to your items, which would be a bit silly if you don’t trust the service.

OAuth2 is used by Google, Microsoft, Discord, GitHub, and pretty much anything else that allows you to “sign in with XYZ” or allows you to give/revoke permissions to apps outside that service, without ever actually logging them in to your account in full.

The way OAuth2 works is that you tell Roblox (or Google, or Microsoft, etc, whatever you’re giving access for) what permissions to give the other service, and then Roblox will only let that service do exactly what you told Roblox to let them do. Once you’ve done that, Roblox will create an OAuth2 “token” to give to the other website, and then the website can use that token to ask Roblox to do certain things, or get certain information. Roblox will not do anything you didn’t allow for that token, and that token is tied to that service.

3 Likes
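The flow described in the reply above (the user tells the provider which scopes to grant, the provider hands the app a token bound to those scopes) and the earlier note that the `state` parameter is carried through per RFC 6749 can be seen together in a minimal client. This is an added example, not Roblox’s code or documentation: the provider host, the scope name `group:write`, and the token-endpoint behaviour are all constructed placeholders, and the only provider URL the thread itself names is the revoke path. The fake token endpoint deliberately grants fewer scopes than were requested, because an app must act only within what the user actually allowed.

```python
import hmac
import json
import secrets
import urllib.parse

# Placeholder endpoints (assumption): take the real authorize/token URLs from
# the provider's documentation.
AUTHORIZE_URL = "https://provider.example/oauth/v1/authorize"
TOKEN_URL = "https://provider.example/oauth/v1/token"


def start_authorization(session, client_id, redirect_uri, scopes):
    """Create an unguessable state, remember it in the user's session, and
    build the redirect URL (RFC 6749 section 4.1.1)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # space-delimited per RFC 6749 section 3.3
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def handle_callback(session, callback_url):
    """Validate the redirect back to the app and return the authorization code.
    The state is popped before comparison so a replayed or forged callback can
    never be accepted, and a failed attempt burns the stored value."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: callback not bound to this session (CSRF or replay)")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def exchange_code(post, client_id, client_secret, redirect_uri, code):
    """Trade the one-time code for tokens over the back channel (RFC 6749
    section 4.1.3). `post(url, form)` is an injected transport returning
    (status, body) so the example runs without network access."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    status, body = post(TOKEN_URL, form)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body}")
    tokens = json.loads(body)
    # The token is tied to this client and to the scopes the user actually
    # granted, which may be fewer than requested; record them before acting.
    tokens["granted_scopes"] = set(tokens.get("scope", "").split())
    return tokens


def may_use(tokens, scope):
    """Check a scope locally before calling an API: the provider refuses
    anyway, but the app can then tell the user why instead of showing a 403."""
    return scope in tokens["granted_scopes"]


def fake_token_endpoint(url, form):
    """Constructed stand-in for the provider's token endpoint. It grants only a
    subset of the requested scopes."""
    if form.get("grant_type") != "authorization_code" or form.get("code") != "code-123":
        return 400, json.dumps({"error": "invalid_grant"})
    return 200, json.dumps({
        "access_token": "at-constructed",
        "refresh_token": "rt-constructed",
        "token_type": "Bearer",
        "expires_in": 900,
        "scope": "openid profile",
    })


def run_flow():
    """Drive one full round trip against the constructed endpoint."""
    session = {}
    url = start_authorization(session, "client-id", "https://app.example/cb",
                              ["openid", "profile", "group:write"])
    state = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["state"][0]
    # Simulate the provider redirecting the user back with a code and our state.
    callback = "https://app.example/cb?" + urllib.parse.urlencode({"code": "code-123", "state": state})
    code = handle_callback(session, callback)
    return exchange_code(fake_token_endpoint, "client-id", "client-secret", "https://app.example/cb", code)


if __name__ == "__main__":
    granted = run_flow()
    print("granted scopes:", sorted(granted["granted_scopes"]))
    print("may write groups:", may_use(granted, "group:write"))
```

The state check is what stops a third party from completing the login on behalf of a victim's session: the callback is only accepted when the state in the URL equals the one this browser session started with, and the comparison is constant-time. The `granted_scopes` set is the app's record of the boundary the user chose; anything outside it is refused by the provider regardless of what the app asks for.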

So is this feature available to all Roblox users or a certain group/requirement-met section of users?

1 Like

It’s available to everyone who has been ID verified.

4 Likes

Great update, BUT.

I understand this is very new to Roblox and whatnot but having the App Review & Publishing every time you make a change seems unnecessary for an app that only uses the openid and profile scopes, for the other more damaging scopes I can understand.

I also made the mistake of publishing an update to a very busy website that allows users to link their Roblox account with the website and hit the cap in the first 10 minutes of the announcement. Hopefully, my app is reviewed fast lol

Also can we please have the ability to see how many users have connected to the app and maybe an endpoint we can set up for users who want to easily opt out of the service for example,

I have a setup where, if a user unlinks their Roblox account from the website, it would be nice to send a request to Roblox letting you guys know this user has opted out. That would make this a little more streamlined for the end user so they don’t have to go to the settings page and click remove (just an added option).

Here it is in action:

2 Likes

Finally, I was waiting for this update to make some sort of a verification system with my Discord bot.

But this… Another update that they put behind ID verification? :neutral_face:
I get it, “bad actors”, even though myself and many others won’t fall into that category. They could’ve, for example, made a requirement: veteran + 2FA (auth key) requirement, or DevForum verified or something. Even this ID verification won’t 100% keep away the bad actors; they may be a bit more “trusted” as they verified themselves, but it’s not guaranteed that the person won’t abuse the system and such.

4 Likes

Lol, Roblox already has all your data if you have a dev-ex profile. Could just base it on that …

This seems like what I wanted for months but ngl the Documentation is kinda bad, I wish somebody from the community could make a better one : /

1 Like

This update will make verification with other services very easy with ROBLOX. I think this is a really great update for 3rd party services such as Bloxlink or a Networth Calculator. Really glad to see this!

1 Like

thank you so much! oauth is great.

1 Like

why would you authenticate to proxmox with roblox???

check their robux transactions

I’ll forward this feedback.

Yeah good point that it’s confusing. We are going to work on polishing up the way you test apps before publishing, this is just an initial stage for the public beta. See this part of the announcement text:

We’ll continue making further optimizations such as allowing you to add collaborators who can test the app, rather than the arbitrary 100-user limit.

This is a planned feature.

This will likely not be implemented because it has some abuse vectors if the app can make itself disappear from the user’s account settings. E.g. an app could start doing something malicious after some time and afterwards hide itself from the user’s account settings and this would be confusing to the user as to what app may have performed the malicious action.

If you persist the access/refresh token set, you can however use /v1/token/revoke to revoke that particular refresh token. So revoking is there on a per-session basis, but for the sake of clarity we will never remove an item from the user’s account settings unless the user revoked the app themselves.

2 Likes
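The reply above describes the per-session model: an app that keeps the access/refresh token pair can call `/v1/token/revoke` to kill that refresh token when a user unlinks, but the entry in the user’s account settings stays until the user removes it themselves. The following is an added example of how an app might implement that unlink step; it is not Roblox’s code. The host in the URLs and the request parameters (`token`, `client_id`, `client_secret`, the shape RFC 7009 uses) are assumptions; only the `/v1/token/revoke` path comes from the thread, and the provider is a constructed stand-in so the example runs offline.

```python
import json

# Only the /v1/token/revoke path is from the thread; the host is a placeholder.
REVOKE_URL = "https://provider.example/oauth/v1/token/revoke"
TOKEN_URL = "https://provider.example/oauth/v1/token"


class FakeProvider:
    """Constructed stand-in for the authorization server: one refresh token per
    session, and refreshes stop working once that token is revoked."""

    def __init__(self, refresh_tokens):
        self.active = set(refresh_tokens)
        self.revoked = set()

    def post(self, url, form):
        if url == REVOKE_URL:
            # RFC 7009 style: revoking an unknown token still succeeds, so the
            # endpoint cannot be used to probe which tokens exist.
            self.active.discard(form["token"])
            self.revoked.add(form["token"])
            return 200, ""
        if url == TOKEN_URL and form.get("grant_type") == "refresh_token":
            if form["refresh_token"] in self.active:
                return 200, json.dumps({"access_token": "at-new", "refresh_token": form["refresh_token"]})
            return 400, json.dumps({"error": "invalid_grant"})
        return 404, ""


class LinkedAccounts:
    """The app's per-user token store (a database in production)."""

    def __init__(self, client_id, client_secret, post):
        self.client_id = client_id
        self.client_secret = client_secret
        self.post = post  # injected transport: post(url, form) -> (status, body)
        self._tokens = {}  # app user id -> {"access_token": ..., "refresh_token": ...}

    def link(self, user_id, tokens):
        self._tokens[user_id] = {
            "access_token": tokens["access_token"],
            "refresh_token": tokens["refresh_token"],
        }

    def is_linked(self, user_id):
        return user_id in self._tokens

    def refresh_access_token(self, user_id):
        """Return a fresh access token for a linked user, or None."""
        record = self._tokens.get(user_id)
        if record is None:
            return None
        status, body = self.post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": record["refresh_token"],
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if status != 200:
            return None
        record["access_token"] = json.loads(body)["access_token"]
        return record["access_token"]

    def unlink(self, user_id):
        """Revoke this user's refresh token at the provider, then forget it.
        The local record is only deleted after the provider confirms, so a
        token the app could not revoke is never silently dropped."""
        record = self._tokens.get(user_id)
        if record is None:
            return False
        status, _ = self.post(REVOKE_URL, {
            "token": record["refresh_token"],
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if status != 200:
            raise RuntimeError(f"revocation failed with status {status}; keeping record for retry")
        del self._tokens[user_id]
        return True


def demo():
    """Two linked users; unlinking one must not affect the other."""
    provider = FakeProvider(["rt-alice", "rt-bob"])
    store = LinkedAccounts("client-id", "client-secret", provider.post)
    store.link("alice", {"access_token": "at-alice", "refresh_token": "rt-alice"})
    store.link("bob", {"access_token": "at-bob", "refresh_token": "rt-bob"})
    store.unlink("alice")
    return {
        "alice_linked": store.is_linked("alice"),
        "alice_revoked_at_provider": "rt-alice" in provider.revoked,
        "bob_refresh_ok": store.refresh_access_token("bob") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

After `unlink`, the app can no longer mint access tokens for that user and the provider will refuse the old refresh token, which is the opt-out the earlier poster asked for. What it does not do, per the reply above, is remove the app from the user’s account settings; the unlink page should say so, so the user knows the settings entry is still theirs to clear.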