We’re excited to announce that we’re officially launching Open Cloud OAuth 2.0 as generally available! This will accelerate the growth of the third-party app ecosystem, while also ensuring safety and civility.
Since our public beta in June, more than 2,300 apps have been created, which clearly indicates OAuth 2.0 is a highly valuable feature for the community. And with the launch of User Inventory API and Groups Read API, we hope to see this trend increase.
Beyond more APIs, we have made the following improvements based on your feedback:
CORS is now supported for front-end-only apps; such apps should use the PKCE flow, which provides enhanced security
When the profile scope is requested, OpenID responses now include the user’s avatar thumbnail URL
The user authorization screen groups permission requests under “Your resources” and “Your experiences” (See the screenshot below.)
To prevent malicious apps from impacting the ecosystem, we have implemented proactive review since releasing our public beta. However, bad actors could disguise their apps to look legitimate in the beginning and change their code later. To protect the community, we have also implemented a reactive process. Here’s how it works when a user reports an app on the App Permissions page:
Our system and moderators will monitor the reports and investigate suspicious apps
If an app is determined to have violated our policy, we will take certain actions (warn, ban, etc.) depending on the severity
The app owner will receive emails regarding the consequences with instructions for appeal if needed
In addition to user reports, we will periodically re-check the approved apps to ensure they continue following our policy. We believe it is critical to leverage all approaches to ensure that the app ecosystem can grow and thrive in the long term.
No matter whether you want to build an app for others or write scripts for yourself, we hope OAuth 2.0 and API keys set a solid foundation for you to take advantage of Open Cloud APIs! Please let us know if you have any feedback. To get started, go to the Creator Dashboard to create your first app.
WOOOOOO YEAH BABY THAT’S WHAT I’VE BEEN WAITING FOR
however:
datastore access when?
i’m confused on the criteria on some of these scopes (read groups is ‘Moderate’, yet this is public data? write secrets is High, but read secrets isn’t?)
This is not the case, you can read all group permissions you have access to via the api, and I can only assume that will be much more powerful in the future with possibly even supporting audit log read access?
@dragonknightflies This update appears to have broken OAuth in cases where the redirect URI is localhost. Any app that has its redirect URI set to localhost is giving the following error and throws a CORS HeaderDisallowedByPreflightResponse error for the Baggage header on https://apis.roblox.com/oauth/v1/permission-request (I think Sentry’s leaking headers where redirect_uri=localhost in production?).
We’ve tried the same app with different redirect URIs (one being production and the other being localhost) and it worked on prod, the only difference in /authorize was redirect_uri (and of course the PKCE codes).
For what specifically? There are already open source libraries you can use to implement OAuth2 and there are some framework specific packages for things like Express, NextAuth, and PassportJS already available on Github.
are the supported scopes and their uses documented anywhere? can’t seem to find it, the only way was using /.well-known/openid-configuration which - according to the docs - contains private/unsupported scopes
if not, I do hope there’s better documentation of that
For example, a few months ago I was working with clerk.dev authentication, and since Roblox oauth isn’t officially implemented the experience trying to use it was pretty terrible. I did end up making my own solution though
For another example, months ago I was working with some outdated Roblox oauth passport package. I am well aware there’s the possibility of custom oauth implementation. That’s what I ultimately had to do. I’d love to debate you further on this, but I won’t.
I’m not debating. I’m asking because I use Roblox OAuth personally and I’m interested in your use case to potentially publish a package or example repository myself.