Changes to Open Cloud API usage policies

Hello Creators,

We are building a platform with safety and privacy at the forefront, and an essential part of that effort is ensuring that player and experience data are used in accordance with our Community Standards and Terms of Use.

Today, we are updating our Open Cloud API Policy to respect the principle of least privilege, which means that only the endpoints necessary to provide the app’s functionality are allowed.

As part of this change, we are introducing app categories and limiting available scopes of OAuth2.0 apps according to their respective category. This may result in apps eventually losing some scopes per their new app category.

What’s Next?

For new OAuth2.0 apps, we will categorize the app and review the configured scopes for compliance with our Open Cloud API Policy before allowing an app to be published (for use beyond 10 test users).

For existing OAuth2.0 apps, we are retroactively categorizing and reviewing the registered scopes. If any of your registered scopes are not allowed for the category your app is assigned to, we will reach out to you and request that you update your usage of APIs and your registered scopes.

Remember that you can always request changes to the published version of your app (such as adding new scopes or removing unused scopes) through the app management page here on the Creator Hub.

OAuth2.0 App Categories and Scope

Each category is listed below with its description and its allowed scopes:
Account Linking Tools
Tools that help facilitate account linking between Roblox and an external app for the purposes of mapping user profiles.
  • openid
  • profile
  • user.user-notification:write
Creation & Productivity Tools
Digital services or products primarily used for the creation & editing of content, and managing experience lifecycle.
  • openid
  • profile
  • group:read
  • group:write
  • legacy-group:manage
  • asset:read
  • asset:write
  • legacy-asset:manage
  • creator-store-product:read
  • creator-store-product:write
  • universe:write
  • legacy-universe:manage
  • legacy-team-collaboration:manage
  • universe.place:write
  • legacy-badge:manage
  • legacy-universe.badge:write
  • legacy-universe.badge:manage-and-spend-robux
  • legacy-game-pass:manage
  • legacy-developer-product:manage
  • universe.user-restriction:read
  • universe.user-restriction:write
  • universe.secret:read
  • universe.secret:write
  • universe-messaging-service:publish
Analytics & Insights Tools
Tools that enable developers to analyze data about their apps, experiences, assets, or users.
  • openid
  • profile
  • user.social
  • user.advanced
  • user.inventory-item:read
  • user.user-notification:write
  • group:read
  • asset:read
  • creator-store-product:read
  • universe.user-restriction:read
User Tools
Tools that enhance the UI, accessibility, or overall experience of using Roblox.
  • openid
  • profile
  • user.social
  • user.advanced
  • user.inventory-item:read
  • user.user-notification:write
  • legacy-universe.following:read
  • legacy-universe.following:write
  • legacy-user:manage
  • group:read
  • group:write
  • legacy-group:manage
  • asset:read
  • asset:write
  • legacy-asset:manage

Your requested scopes are only reviewed once you ask to publish your app (in order to scale beyond 10 users). Until then, the app may continue to access all scopes.
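As an added example (not the announcement's or Roblox's code), the following script performs the same least-privilege check locally, before publishing: it reads the scopes an app requests in its authorization URL and reports which of them fall outside the allow-list of a given category. The authorization URL host and client_id are placeholders, and the sample request is constructed.

```python
"""Added example (not Roblox's code): check an app's requested OAuth2.0 scopes
against the category allow-lists from the table above, before publishing."""
from urllib.parse import urlparse, parse_qs

# Allowed scopes per app category, copied from the policy table above.
BASE = {"openid", "profile"}
ALLOWED = {
    "Account Linking Tools": BASE | {"user.user-notification:write"},
    "Creation & Productivity Tools": BASE | {
        "group:read", "group:write", "legacy-group:manage",
        "asset:read", "asset:write", "legacy-asset:manage",
        "creator-store-product:read", "creator-store-product:write",
        "universe:write", "legacy-universe:manage",
        "legacy-team-collaboration:manage", "universe.place:write",
        "legacy-badge:manage", "legacy-universe.badge:write",
        "legacy-universe.badge:manage-and-spend-robux",
        "legacy-game-pass:manage", "legacy-developer-product:manage",
        "universe.user-restriction:read", "universe.user-restriction:write",
        "universe.secret:read", "universe.secret:write",
        "universe-messaging-service:publish"},
    "Analytics & Insights Tools": BASE | {
        "user.social", "user.advanced", "user.inventory-item:read",
        "user.user-notification:write", "group:read", "asset:read",
        "creator-store-product:read", "universe.user-restriction:read"},
    "User Tools": BASE | {
        "user.social", "user.advanced", "user.inventory-item:read",
        "user.user-notification:write", "legacy-universe.following:read",
        "legacy-universe.following:write", "legacy-user:manage",
        "group:read", "group:write", "legacy-group:manage",
        "asset:read", "asset:write", "legacy-asset:manage"},
}

def scopes_from_authorize_url(url):
    """Set of scopes in the space-separated 'scope' query parameter."""
    return set(parse_qs(urlparse(url).query).get("scope", [""])[0].split())

def out_of_bounds(category, requested):
    """Requested scopes the category does not permit, sorted for reporting."""
    return sorted(requested - ALLOWED[category])

def categories_permitting(requested):
    """Categories whose allow-list covers every requested scope."""
    return sorted(c for c, ok in ALLOWED.items() if requested <= ok)

# Constructed sample (placeholder host and client_id): an account-linking app
# that also asks for group:read, the case raised in the replies below.
SAMPLE_URL = ("https://example.invalid/oauth/authorize?client_id=APP_ID"
              "&response_type=code&scope=openid+profile+group:read")
```

Run `out_of_bounds("Account Linking Tools", scopes_from_authorize_url(SAMPLE_URL))` to see which scopes would be flagged, and `categories_permitting(...)` to see which categories would accept the request as-is.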

If you have comments or questions, please share them below.

Thank you,
Roblox Open Cloud Team

FAQ

Does this affect anything about Open Cloud API keys?

  • No, this change does not affect your own internal tooling running against your own resources. You will be able to use Open Cloud API Keys. We will not restrict the scopes you can select for your API Keys.

Is there anything I need to do immediately?

  • No, Roblox will review existing apps and their registered scopes against this new policy from now until the end of the year. Roblox will inform you of your app category and whether any of your registered scopes are out-of-bounds: scopes not available to your app category.

    If you receive an email notification, you will need to make updates to your app to remove the usage of scopes that are not allowed.

Will my app be shut down or break?

  • Only if your app has been identified as using out-of-bounds scopes (scopes not available to your app category) and you do not update your implementation. In that case, your app will be unpublished.

What is the principle of least privilege?

  • This is a common term in information security and software engineering for the goal of ensuring that each party is granted only the data and access it needs for its function, and nothing more.
40 Likes


So, let me see if I understand this correctly:

Instead of empowering developers, allowing them to pick the scopes they need, you are now actively restricting what we can create based on your limited set of API usage expectations?

Other platforms, like Discord for example, allow developers to select all the scopes they need, and file requests with reasoning for access to more sensitive APIs.

75 Likes

Any rule against creating multiple apps that cover different “app categories” and just have the user authenticate for each one?

7 Likes

I don’t know much about using scopes and such but you use the word “Limiting” along with “Losing some scopes” and it becomes clear you are taking some valuable things away from creators. Probably the only bad update this week. I understand you want privacy, but is taking away tools from developers powering imagination?

I do not use this module but based on some clues in the text I think this is a bad one.

17 Likes

You did not just say that with a straight face, did you?

Questionable safety and privacy forefronts aside, I feel like yall do not need to limit open cloud API usage for safety and privacy when yall require ID to use several features that absolutely wouldn’t need such a thing.

Trying to limit developer actions for “safety and privacy” when there’s a much better approach for doing so just isn’t right. If yall really care about the principle of least privilege, then implement it for stuff like audio upload limits or EditableMeshes.

17 Likes

This week has been two steps forward, but with this change it’s a big step back. Please reconsider, but then again I am wondering if there are valid reasons behind the scenes, like someone exploited something that was removed from the current scopes.

Edit: Maybe even make the removed scopes only allowed by ID-Verified Game Owners, therefore they’re liable for any consequences.

14 Likes

ROBLOX: Powering Imagination Limitation

20 Likes

I’ll keep suggesting you guys should add a way to get the active players across all servers via the API…

7 Likes

Hey thanks for the feedback. The policy update should be quite permissive and we’ve set it out to not harm legitimate use cases as much as possible. Almost all of the existing Roblox OAuth2.0 apps will not be affected by the policy update as most apps just use openid and profile scopes, which are permitted by all categories. There is also no impact to API key usage, it’s just for OAuth2.0 apps.

The goal here is to improve safety of user information, make sure apps are not requesting more scopes than needed for their functionality, etc.

Do you have a use case that is now impeded by this policy and if so can you share some more information about it?

6 Likes

@Wheatly199 and @Steeq, same question above for you both, would be good to know if you have any use cases that worked under the old policy but not under the new update here. We don’t want to block legitimate use cases as much as possible, so want to make sure we’re not missing anything. What kind of OAuth2.0 apps are you building?

4 Likes

I still believe there should be an option for email scope which would be approved e.g. after manual app review. It’s basically one of the basic scopes that all of other platforms utilizing OAuth 2.0 authentication offer.

7 Likes

I argue user.inventory-item:read should be an allowed scope for account linking tools, considering that those linking tools are often checking for specific assets owned for various reasons (see just about every verification bot’s binding implementation).

Yes, it is possible to do without for now. However, the endpoints that make this possible are not going to be around forever.

6 Likes

More than happy to share!

One of our most important apps is for authentication of our staff, and oftentimes end users who would like to contribute but have no legal affiliation with our business. Under the new categories, it would likely be classified as Account Linking Tools Tools (don’t know why you chose to use tools twice btw).

However, we make extensive use of the group:read API to keep track of user permissions, sync with our own SSO database groups, and warn our CIRT teams of unexpected permission grants across multiple studios and groups.


PS: I’ll point out, as @blanka has done so before me, that there would be a great use for highly restricted, with pre-approval required, access to the email scope. Currently, we already force our users to provide this to us on sign up immediately after the Roblox OAuth. User onboarding is slower because we have an unnecessary email validation step.

10 Likes

A few questions / concerns which I wish to bring up here:


Looking at the policy we see a list of prohibited uses; would these impact third-party website extensions which don’t use OpenCloud? I really hope that it wouldn’t because if it does; it would likely damage friending-features within those extensions. Ideally, in my opinion Roblox shouldn’t enforce many restrictions around what could potentially be genuine user-actions; and I think there should be more exemptions made for some of these restrictions (mainly the ones regarding web APIs), when there is express user-intent involved.

Also, as for “profiling users”; to what extent is considered ‘profiling’? I can’t find a solid definition for this and want to ensure I’m not doing it accidentally.

Does this policy apply to the scopes listed as “allowed” for the app on the oauth dashboard or just what I request from users in the authentication URL? If the former is the case, I have a scenario that may be damaged by this. Due to the strict limit on oauth apps, I’ve needed to re-use apps in my own personal testing. If the apps ever do come to the point of publishing, I won’t be able to publish all of them because the different apps will need different scopes and some of the apps won’t be allowed to have some of the scopes under this policy.

That is potentially also an issue for other policy reasons too. I haven’t had the chance to look into the publishing policies regarding re-using oauth apps yet. However, even if I don’t need to re-use the oauth apps, I may still need more scopes from my admin users, meaning I’d need to allow further scopes or create a separate app just for service-admins.

In my personal opinion, I think a better solution is to take this on a case-by-case basis. Having set-allowed permissions for different types of oauth use-cases could potentially block some more unique systems, which could be quite unfortunate.

Do not request API keys from other Roblox Users

This is incredibly problematic for any external data-store tools. We unfortunately currently can’t use oauth for datastore queries, meaning a lot of the tools needing this support are forced to request an API key from the end-user.


My assumption is that some of this was already in the/a policy previously but I’d still like to ask about it anyway.

3 Likes

I’ll most likely reach out to partnerships team and ask about it, to see if it is even possible. Cause currently similarly to you, we are forced to do something like this when someone signs up:

2 Likes

Could you elaborate more on your specific use case? I see you explain it here in fairly broad terms, it would be good to actually see what kind of product you have. If you want, feel free to DM me with the information if it is sensitive.

While I cannot give you a conclusive reply about what your app would be categorized as, as we need to review the entire information about the app before making a decision, since you say you are managing the lifecycle of Roblox resources (groups? permissions? maybe also games?) it would most likely fall into Creation & Productivity Tools or User Tools depending on what the app is, and not in Account Linking Tools. In this case, you’re fine to have the group:read scope.

Again, this is not a statement you can draw any conclusions from, as I haven’t seen the whole app and it has to pass through the proper moderation process. Just to take away some initial concerns.

3 Likes

It’s just a small typo, we’ll fix it, thank you.

3 Likes

At Roblox, the email address is a highly privileged field that we never even show unmasked in the first-party UI. It’s not feasible to produce this as an OAuth2.0 scope we’d allow third-party apps to pull down unless that changes. Sorry for the inconvenience.

It would help if you can make a post about the problem you’re having that you’re trying to solve. It might not be “I don’t have the email” but more like “I want to send notifications to users” I’d reckon?

5 Likes

I just think that email scope is one of the most basic OAuth 2.0 scopes that most (if not all) other providers provide, and it could easily be added just with the “:red_circle:” (high risk) scope for users when authenticating. Personally, as a platform highly related to Roblox (music distribution to the catalog), having to add a special pop up just cause the auth provider is lacking a basic feature is simply, limiting?

1 Like