Log in with ROBLOX, OAuth, SSO

Hi, I’m the creator of Scripting Helpers, RoVer, and other Roblox-related websites and apps. All of these services have one thing in common: Roblox account verification.

The problem with the way things are now

Unfortunately, Roblox hasn’t provided us with an actual single sign-on API, so I along with many other users with similar services must resort to verifying users in the following ways:

  • The user places a code that we generate in their profile, and we check for it. Previously, this worked flawlessly (however, it was typically a major inconvenience for the user). However, with Roblox’s new filter updates, most users can’t reliably use this method anymore. I’ve even changed my systems to use strings of normal words (like “dog, cat, panda, tiger, cat” etc.) but even that gets filtered sometimes. Additionally, this makes the codes very long, which in turn makes users have to delete their actual Bio to put this code in. Very user unfriendly.

  • The user joins a game and enters a code or clicks a button. This presents a major security risk because with every new Roblox place leak, it presents the opportunity for your web APIs and endpoints to be leaked to the public, essentially rendering your verification system pointless since anyone could verify as anyone. It’s possible to make this method more secure by actually checking if the given user is in the game, but it’s still not fool-proof.

  • The developer creates a bot account that does some action on the Roblox website, typically dealing with PMs, friend requests, or assets. This method is flawed because it runs the risk of the bot getting rate limited by Roblox itself, the bot getting banned by Roblox for being a bot or spamming, etc. Additionally, this method can be insecure because the user might interact with the bot without even knowing they are a bot. For example, some bots will send a friend request to the user to verify them if they accept it. This is bad, because some users might just accept all friend requests they get.

  • So, we’re left here, with no good way to actually know who somebody is without using the absolute worst method possible: Asking for their username and password. Some websites actually do this. This is terrible for obvious reasons.

What Roblox can do to fix it

So, what can Roblox do? Well, I’m sure everyone has used single sign-on before. Ever seen anything that says “Sign in with Facebook”, “Sign in with Twitter”, “Sign in with Discord”, etc.? It’s standardized, trusted, and secure. All of these big websites provide this service because it creates a win-win-win situation: the user’s account and information is safe; the website gains publicity and more users, and reduces the number of accounts stolen or phished; and the developer gets to use the website and account details on their own application.

What’s more? There’s already a protocol in place for this: OAuth 2.0. It’s not hard to implement, and users have asked for this feature in the past, but there hasn’t been much feedback or support whatsoever.

It is in Roblox’s best interest, and their users’ best interest, to implement this feature as soon as possible. If this feature was implemented, it would be used by thousands of users every day. It would be amazing for myself and other creators of third-party tools, and it would protect users from account scams, and it would strengthen Roblox as a whole. This is a very important feature that the website is missing!

Thank you for your time.

184 Likes
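The first workaround in the post (issue a phrase, have the user paste it into their profile, then look for it) is easy to get subtly wrong. The following is an added illustration, not code from the original post or from any of the author’s services: it models that method with a word-list phrase, an expiry, one-shot consumption so a phrase cannot be reused, and a whitespace/case-insensitive match so a reformatted bio still passes. The word list, the 15-minute lifetime and the `pending` store are assumptions; the profile text is passed in as a constructed string rather than fetched.

```python
import secrets
import time

# Constructed word list (assumption). A real deployment would use a larger,
# curated list of plain words chosen to survive the profile text filter.
WORDLIST = ["dog", "cat", "panda", "tiger", "otter", "koala", "zebra", "llama"]
WORDS_PER_CODE = 5
CODE_TTL_SECONDS = 15 * 60          # assumption: codes expire after 15 minutes

# pending[username] = (phrase, expires_at); an in-memory stand-in for a database.
pending = {}


def issue_code(username, now=None):
    """Generate a fresh phrase for `username` and remember it until it expires.

    `secrets.choice` is used rather than `random` so the phrase cannot be
    predicted by anyone who knows when it was issued.
    """
    now = time.time() if now is None else now
    phrase = " ".join(secrets.choice(WORDLIST) for _ in range(WORDS_PER_CODE))
    pending[username] = (phrase, now + CODE_TTL_SECONDS)
    return phrase


def _normalise(text):
    # Collapse whitespace and case so "Dog  Cat\nPanda" still matches "dog cat panda".
    return " ".join(text.lower().split())


def check_profile(username, profile_text, now=None):
    """Return True if the phrase issued to `username` appears in `profile_text`.

    `profile_text` is whatever the verifier fetched from the public profile
    (constructed by the caller here). The phrase is consumed on success so the
    same profile snapshot cannot be replayed to verify a second session, and it
    is dropped once expired so a stale phrase left in a bio stops working.
    """
    now = time.time() if now is None else now
    entry = pending.get(username)
    if entry is None:
        return False
    phrase, expires_at = entry
    if now > expires_at:
        del pending[username]
        return False
    if _normalise(phrase) in _normalise(profile_text):
        del pending[username]
        return True
    # This is the failure mode the post describes: the filter replaced the
    # words with hashes (e.g. "#### #### ####"), so the phrase never appears.
    return False
```

Note what the check does and does not prove: it shows that whoever is completing the login can edit the named account’s profile, nothing more, and it depends entirely on the words surviving the filter. It also gives the user no way to revoke a link later, which is one of the gaps the later RTrack post raises.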

I completely support this request and would love you guys forever if you make it happen.

I’ve created several fan sites myself [ though sadly they all die out in time .-. ] that have used those ideas listed above, and I gotta say it’s very discouraging for users to have to create an account and then verify their roblox identity like that. It would be a lot less of a hassle if this is a thing.

I agree that it’d benefit roblox as it would allow fan-sites to grow and would be like extensions to roblox to reach an even bigger and more active community.

5 Likes

Could you give a user story? I’m curious as to what sort of fan sites could benefit from this.

As a developer, I would make a website for my fans that would have all sorts of stuff, from having them have this small community, to having a News Feed sort of thing where I can let my game’s fans know what’s coming/here, etc. But having a site like that would require me to have users register and verify their username so that I and the rest of the users know they aren’t trying to impersonate someone, though having to verify with the current methods is simply too discouraging and not safe for the users.

This system would make my users feel comfortable verifying themselves without having to worry about any phishing attempts.


Though for Sites like Scripting Helpers, or Lua Learners [ may it rest in peace :stuck_out_tongue: ] those sites help the non RBXDev [ or even RBXDevs ] developer community to get help from one another, though again users wouldn’t feel as safe as they would having this system in place.

3 Likes

Alright, but what specific thing needs verification? It just sounds like this is something that would be nice to have, not necessarily essential.

1 Like

As ROBLOX communities expand, plenty of websites, external communities and even game-management websites are being created. A crucial issue in their creation and maintenance is properly verifying and validating the identity of users.

It’s in the best interest for ROBLOX to make sure that users are not impersonating each other on other ROBLOX-related communities, and this is a crucial stepping-stone in that direction.

16 Likes

I agree that this has been needed for a very long time, as others have said, especially for communities that rely on knowing that they are who they say they are.

2 Likes

Pleaseee add this :pray:

6 Likes

Yes please. Sometimes I forget to reset my blurb and people see it and ask me what is that code.

1 Like

Not to mention blurb codes are time-consuming and sometimes faulty methods of identification!

1 Like

@evaera Totally agree with you. On the topic of workarounds however, do you think secure Http is possible with something like IP verification? There is a method to get the IP of running gameservers pretty reliably (through an http endpoint) which can verify that verification requests are originating from in-game (so even if someone gets the secret key, they will not be able to make requests unless they also get server script access).

I have a further concept which involves the server making an initial request and then receiving a private key stored in memory (which should even prevent exploiters who gain access to server scripts), but that is much more complex and difficult to implement.

4 Likes

They could just run the code from another game server of a place that they own :thinking:
And the private key thing wouldn’t really help if someone unauthorized got access to the game, because they’d have access to that initial endpoint as well.

1 Like

No, I mean that an IP can be verified to be coming from a place with a specific place ID and specific job ID. If someone tried to run their code from their own place the server would identify that the sending place is not the same as the allowed place. Since the verified place will always initiate a connection when it starts up (and before an exploiter can join the game to intercept it), the private key should be safe.

It would also only allow one connection per job ID (place) which can also be verified to be the same as the sending IP, so even if an exploiter both stole the source code and got server-side access to the place, they wouldn’t be able to initiate a connection because duplicate connections are not allowed.

5 Likes

No.

ROBLOX servers are just randomly selected, there’s no way to set such a system up without an extreme amount of work that would open up multiple security vulnerabilities. People have compiled large lists of every ROBLOX server IP, and if there was a way to check if a specific game was running on the IP (let alone the jobid) they could do things like selectively conduct DoS attacks on servers running games they don’t like. The way the server system works now is just a random server is selected and given the place to host. It’s not like certain servers are setup to only host certain games, and servers physically cannot host a game unless authorized to do so.

1 Like

It would be actually really really cool! Support!

2 Likes

Also, a lot of people have a tendency to use one password for everything, so even if the website doesn’t ask directly they probably have a lot of players’ passwords. OAuth means that fan websites won’t have to handle passwords directly.

4 Likes

In conclusion, this feature makes Roblox safer, users safer, and external communities safer. Pushing this update will massively improve the security of the Robloxian community.

2 Likes

Yes.

You realize this is a game server that Roblox clients connect to. If you connect to it, you have to know the IP and port to connect to… There is an easy way to basically “simulate a join” with http requests which will return the machine’s port and IP. There will never be a way to prevent this as long as people join game servers directly. The one and only prerequisite for this method is that the game server has to be joinable by any user. (And yes, abuse is a problem. In fact many specific games have been targeted by DoS attacks in the past)

Don’t believe me? Well, I’m not going to release the source code or an API to get IPs in fear of it being abused. But, I can still provide proof that I have this ability. This API will tell you if a request originates from the IP of a gameserver given a specific placeId and jobId:

print(game:GetService('HttpService'):GetAsync('https://froast.io/verify/' .. game.PlaceId .. '/' .. game.JobId))
(spamming this API will cause it to error, make requests sparingly)

Run it from a Roblox server (from a server that is not full and a place that anyone can join): it should return true. If you change the placeId or jobId, it will error because the server doesn’t exist. If you take the placeId and the jobId and then run it from a different IP (say, from your home computer, or a different roblox server) it will return false.

6 Likes

Bringing this thread back, as it’s relevant to very similar problems I am currently having. I’m working on an external Roblox analytics service called RTrack. It tracks open data such as visits, gamepass revenue, likes, dislikes, concurrent players and more.

However, not all data is publicly available, and rightly so. I’d love to provide a service through RTrack which enabled developers to use the extensive analytical and transactional data Roblox stores, along with RTrack’s data that Roblox doesn’t store (or doesn’t make available), to provide insights into revenue sources, play time, retention and so much more. This data is invaluable in calculating incredibly useful insights and datasets for developers, and the best part is that it’s all there, going back years in the past.

This data is extremely underutilised, but I will likely not be able to use it. With no Roblox OAuth, my only option for user-owned games would be to ask the user to manually navigate to an API endpoint, and go through hundreds or thousands of pages of data, copying their contents individually into RTrack. Despite the value of this data, it’s unlikely anyone would be willing to sit and do this.

For group-owned games, the situation is slightly less dire: the user could accept a bot into their group, provide it with the correct permissions, and this would allow RTrack to make the necessary API requests. This solution is also far from perfect, however: individual users can only join a certain number of groups, meaning creating multiple bot accounts and adding to the massive pool of bots already cluttering the platform. Along with this, it groups hundreds of games together into one account, that if compromised would allow someone to view, edit and spend funds in all of these games. I would never ask my users to use a system that I don’t fully trust to be secure, so at the end of the day, RTrack is unlikely to ever be able to show this data to its users.

The current system is just asking for dangerous implementations for getting this API data. One solution to these problems would be to ask users to log in with their Roblox username and password, or to store their ROBLOSECURITY cookie in order to make API requests. This would be extremely dangerous, but would be the only implementation available to allow external services to access authenticated APIs for users/user-owned games.

An OAuth system is unquestionably more secure; easier to use for both developers and users, allows users to refine permissions down to exactly the information they’d like a service to be able to see, access can quickly be disabled by revoking the OAuth key, and it requires no hacky solutions like bots. Please reconsider this feature, as I think developers could benefit massively from it.

On top of this, RTrack uses a similar system to the one @evaera mentioned in the OP for user authentication. A key is generated, which the user is then asked to enter into their account description. This is clunky, and not ideal. Unless you ask the user to keep this code in their description indefinitely to keep the accounts linked, it’s impossible for a user to revoke access to an account under their name on an external service if it was maliciously created.

29 Likes
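Both the opening post and the RTrack post above argue for an OAuth 2.0 "Log in with Roblox" flow, and the RTrack post lists the properties that matter: scoped permissions, revocation, and no password or cookie ever reaching the third-party site. The block below is an added example, not code from either poster and not a Roblox API (Roblox provides no such endpoint at the time of this thread). It models the standard authorization-code flow with PKCE entirely in-process: a hypothetical `AuthorizationServer` stands in for the identity provider, `FanSite` is the third-party client, and the scope names (`profile:read`, `games:read`), the client id and the redirect URI are all invented for the example.

```python
import base64
import hashlib
import hmac
import secrets


def pkce_challenge(verifier):
    """S256 code challenge: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """In-memory model of the provider side (hypothetical; stands in for Roblox)."""

    def __init__(self):
        self.clients = {}     # client_id -> registered redirect_uri
        self.auth_codes = {}  # one-time code -> details of the approved request
        self.tokens = {}      # access_token -> {"user": ..., "scopes": ...}

    def register_client(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def authorize(self, client_id, redirect_uri, scopes, code_challenge, approving_user):
        """The user, already logged in at the provider, approves `scopes` for the client.
        Returns the short-lived code the provider would send back via the redirect."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.auth_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                                 "scopes": frozenset(scopes), "challenge": code_challenge,
                                 "user": approving_user}
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Exchange a code for an access token; the code is single-use and PKCE-bound."""
        entry = self.auth_codes.pop(code, None)
        if entry is None or entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if not hmac.compare_digest(pkce_challenge(code_verifier), entry["challenge"]):
            raise ValueError("invalid_grant: PKCE verifier mismatch")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": entry["user"], "scopes": entry["scopes"]}
        return access_token

    def userinfo(self, access_token):
        """Identity endpoint: only tokens carrying profile:read may read the username."""
        tok = self.tokens.get(access_token)
        if tok is None or "profile:read" not in tok["scopes"]:
            raise PermissionError("invalid token or insufficient scope")
        return {"username": tok["user"]}

    def revoke(self, access_token):
        """The user withdraws access; the site's token stops working immediately."""
        self.tokens.pop(access_token, None)


class FanSite:
    """The third-party client. It never sees a password or a session cookie."""

    def __init__(self, server, client_id, redirect_uri):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.pending = {}  # state -> code_verifier, kept only for the life of one login

    def start_login(self, scopes):
        """Build the parameters of the authorize redirect; `state` defends the callback
        against CSRF, the PKCE challenge binds the code to this client instance."""
        state = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(48)
        self.pending[state] = verifier
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": list(scopes), "state": state,
                "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"}

    def handle_callback(self, state, code):
        """Called when the provider redirects back with ?code=...&state=..."""
        verifier = self.pending.pop(state, None)
        if verifier is None:
            raise ValueError("unknown state: possible CSRF or replayed callback")
        return self.server.token(self.client_id, self.redirect_uri, code, verifier)


def run_login(server, site, user, scopes):
    """Drive one complete login and return (access_token, username)."""
    req = site.start_login(scopes)
    code = server.authorize(req["client_id"], req["redirect_uri"], req["scope"],
                            req["code_challenge"], approving_user=user)
    token = site.handle_callback(req["state"], code)
    return token, server.userinfo(token)["username"]
```

The properties the thread asks for fall out of the structure: the site learns the username from the provider rather than from a profile string, the user chooses the scopes on the provider's consent screen, and `revoke` cuts the site off without the user editing anything on their profile.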

I still believe that an OAuth system would be of much use to Developers and Players alike. I am still waiting to try and implement this into my own account verification system; we can only hope that Roblox adds support for OAuth 2.0.

5 Likes