Log in with ROBLOX, OAuth, SSO

Alright, but what specific thing needs verification? It just sounds like this is something that would be nice to have, not necessarily essential.

1 Like

As ROBLOX communities expand, plenty of websites, external communities and even game-management websites are being created. A crucial issue in their creation and maintenance is properly verifying and validating the identity of users.

It’s in the best interest for ROBLOX to make sure that users are not impersonating each other on other ROBLOX-related communities, and this is a crucial stepping-stone in that direction.

16 Likes

I agree that this has been needed for a very long time, as others have said, especially for communities that rely on knowing that users are who they say they are.

2 Likes

Pleaseee add this :pray:

6 Likes

Yes please. Sometimes I forget to reset my blurb and people see it and ask me what is that code.

1 Like

Not to mention blurb codes are time-consuming and sometimes faulty methods of identification!

1 Like

@evaera Totally agree with you. On the topic of workarounds however, do you think secure Http is possible with something like IP verification? There is a method to get the IP of running gameservers pretty reliably (through an http endpoint) which can verify that verification requests are originating from in-game (so even if someone gets the secret key, they will not be able to make requests unless they also get server script access).

I have a further concept which involves the server making an initial request and then receiving a private key stored in memory (which should even prevent exploiters who gain access to server scripts), but that is much more complex and difficult to implement.

4 Likes

They could just run the code from another game server of a place that they own :thinking:
And the private key thing wouldn’t really help if someone unauthorized got access to the game, because they’d have access to that initial endpoint as well.

1 Like

No, I mean that an IP can be verified to be coming from a place with a specific place ID and specific job ID. If someone tried to run their code from their own place the server would identify that the sending place is not the same as the allowed place. Since the verified place will always initiate a connection when it starts up (and before an exploiter can join the game to intercept it), the private key should be safe.

It would also only allow one connection per job ID (place) which can also be verified to be the same as the sending IP, so even if an exploiter both stole the source code and got server-side access to the place, they wouldn’t be able to initiate a connection because duplicate connections are not allowed.

5 Likes

No.

ROBLOX servers are just randomly selected, there’s no way to set such a system up without an extreme amount of work that would open up multiple security vulnerabilities. People have compiled large lists of every ROBLOX server IP, and if there was a way to check if a specific game was running on the IP (let alone the jobid) they could do things like selectively conduct DoS attacks on servers running games they don’t like. The way the server system works now is just a random server is selected and given the place to host. It’s not like certain servers are setup to only host certain games, and servers physically cannot host a game unless authorized to do so.

1 Like

It would be actually really really cool! Support!

2 Likes

Also, a lot of people have a tendency to use one password for everything, so even if the website doesn’t ask directly they probably have a lot of players’ passwords. OAuth means that fan websites won’t have to handle passwords directly.

4 Likes

In conclusion, this feature makes Roblox safer, users safer, and external communities safer. Pushing this update will massively improve the security of the Robloxian community.

2 Likes

Yes.

You realize this is a game server that Roblox clients connect to. If you connect to it, you have to know the IP and port to connect to… There is an easy way to basically “simulate a join” with http requests which will return the machine’s port and IP. There will never be a way to prevent this as long as people join game servers directly. The one and only prerequisite for this method is that the game server has to be joinable by any user. (And yes, abuse is a problem. In fact many specific games have been targeted by DoS attacks in the past)

Don’t believe me? Well, I’m not going to release the source code or an API to get IPs in fear of it being abused. But, I can still provide proof that I have this ability. This API will tell you if a request originates from the IP of a gameserver given a specific placeId and jobId:

print(game:GetService('HttpService'):GetAsync('https://froast.io/verify/' .. game.PlaceId .. '/' .. game.JobId))
(spamming this API will cause it to error, make requests sparingly)

Run it from a Roblox server (from a server that is not full and a place that anyone can join): it should return true. If you change the placeId or jobId, it will error because the server doesn’t exist. If you take the placeId and the jobId and then run it from a different IP (say, from your home computer, or a different Roblox server) it will return false.

6 Likes

Bringing this thread back, as it’s relevant to very similar problems I am currently having. I’m working on an external Roblox analytics service called RTrack. It tracks open data such as visits, gamepass revenue, likes, dislikes, concurrent players and more.

However, not all data is publicly available, and rightly so. I’d love to provide a service through RTrack which enabled developers to use the extensive analytical and transactional data Roblox stores, along with RTrack’s data that Roblox doesn’t store (or doesn’t make available), to provide insights into revenue sources, play time, retention and so much more. This data is invaluable in calculating incredibly useful insights and datasets for developers, and the best part is that it’s all there, going back years in the past.

This data is extremely underutilised, but I will likely not be able to use it. With no Roblox OAuth, my only option for user owned games would be to ask the user to manually navigate to an API endpoint, and go through hundreds or thousands of pages of data, copying their contents individually into RTrack. Despite the value of this data, it’s unlikely anyone would be willing to sit and do this.

For group owned games, the situation is slightly less dire: the user could accept a bot into their group, provide it with the correct permissions, and this would allow RTrack to make the necessary API requests. This solution is also far from perfect, however: individual users can only join a certain number of groups, meaning creating multiple bot accounts and adding to the massive pool of bots already cluttering the platform. Along with this, it groups hundreds of games together into one account, which if compromised would allow someone to view, edit and spend funds in all of these games. I would never ask my users to use a system that I don’t fully trust to be secure, so at the end of the day, RTrack is unlikely to ever be able to show this data to its users.

The current system is just asking for dangerous implementations for getting this API data. One solution to these problems would be to ask users to log in with their Roblox username and password, or to store their ROBLOSECURITY cookie in order to make API requests. This would be extremely dangerous, but would be the only implementation available to allow external services to access authenticated APIs for users / user-owned games.

An OAuth system is unquestionably more secure and easier to use for both developers and users: it allows users to refine permissions down to exactly the information they’d like a service to be able to see, access can quickly be disabled by revoking the OAuth key, and it requires no hacky solutions like bots. Please reconsider this feature, as I think developers could benefit massively from it.

On top of this, RTrack uses a similar system to the one @evaera mentioned in the OP for user authentication. A key is generated, which the user is then asked to enter into their account description. This is clunky, and not ideal. Unless you ask the user to keep this code in their description indefinitely to keep the accounts linked, it’s impossible for a user to revoke access to an account under their name on an external service if it was maliciously created.

29 Likes
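The post above argues for three properties of OAuth over blurb codes and cookie sharing: the third-party site never sees a password, the user grants only specific permissions, and access can be revoked at any time. The following is an added, self-contained Python simulation of the standard OAuth 2.0 authorization-code flow with PKCE that exercises those three properties in-process; it is not code from this thread and not Roblox's own OAuth implementation (whose endpoints the thread does not describe). The client id, redirect URI, scope names and user name are constructed placeholders.

```python
"""Added example: OAuth 2.0 authorization-code flow with PKCE, simulated in one
process.  The AuthorizationServer stands in for the identity provider; the
ClientApp stands in for a third-party site such as the analytics service above.
All identifiers (client id, redirect URI, scopes, user name) are constructed."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass, field

SCOPES_OFFERED = {"profile:read", "games:read", "revenue:read"}  # constructed scope names


def _s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class AuthorizationServer:
    """Identity provider. The user authenticates here, never at the client app."""
    clients: dict = field(default_factory=dict)   # client_id -> registered redirect_uri
    pending: dict = field(default_factory=dict)   # one-time auth code -> grant
    tokens: dict = field(default_factory=dict)    # access token -> grant

    def register_client(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def authorize(self, client_id, redirect_uri, scopes, code_challenge, user, approved_scopes):
        # The user has logged in with the provider and approved a subset of the requested
        # scopes; the client only ever receives what was approved.
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        granted = set(scopes) & set(approved_scopes) & SCOPES_OFFERED
        code = secrets.token_urlsafe(32)
        self.pending[code] = {"client_id": client_id, "user": user, "scopes": granted,
                              "challenge": code_challenge, "expires": time.time() + 60}
        return code

    def token(self, client_id, code, code_verifier):
        grant = self.pending.pop(code, None)  # codes are single-use
        if grant is None or grant["client_id"] != client_id or grant["expires"] < time.time():
            raise ValueError("invalid, replayed or expired code")
        if not secrets.compare_digest(_s256(code_verifier), grant["challenge"]):
            raise ValueError("PKCE verification failed")  # stolen code without verifier
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scopes": grant["scopes"]}
        return access_token

    def resource(self, access_token, scope):
        """Protected API: enforces both token validity and the granted scope."""
        grant = self.tokens.get(access_token)
        if grant is None:
            raise PermissionError("token revoked or unknown")
        if scope not in grant["scopes"]:
            raise PermissionError(f"scope {scope} not granted")
        return {"user": grant["user"], "scope": scope}

    def revoke(self, access_token):
        self.tokens.pop(access_token, None)  # user-initiated revocation, no blurb edits needed


class ClientApp:
    """Third-party site. Holds no password; only a PKCE verifier and a CSRF state."""
    def __init__(self, server, client_id, redirect_uri):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.verifier = self.state = None

    def start_login(self, scopes):
        self.verifier = secrets.token_urlsafe(64)
        self.state = secrets.token_urlsafe(16)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": set(scopes), "code_challenge": _s256(self.verifier), "state": self.state}

    def finish_login(self, code, state):
        if not secrets.compare_digest(state, self.state):
            raise ValueError("state mismatch (possible CSRF)")
        return self.server.token(self.client_id, code, self.verifier)


def run_flow():
    """Runs the flow once and reports what the client could and could not do."""
    idp = AuthorizationServer()
    idp.register_client("analytics-demo", "https://analytics.example/callback")
    app = ClientApp(idp, "analytics-demo", "https://analytics.example/callback")

    req = app.start_login({"profile:read", "revenue:read"})
    # User approves only profile:read at the provider (constructed user name).
    code = idp.authorize(req["client_id"], req["redirect_uri"], req["scope"],
                         req["code_challenge"], user="example_user", approved_scopes={"profile:read"})
    token = app.finish_login(code, req["state"])

    out = {"profile": idp.resource(token, "profile:read")["user"]}
    out["revenue_allowed"] = _allowed(lambda: idp.resource(token, "revenue:read"))
    out["code_replay"] = _allowed(lambda: idp.token("analytics-demo", code, app.verifier))
    idp.revoke(token)
    out["after_revoke"] = _allowed(lambda: idp.resource(token, "profile:read"))
    return out


def _allowed(action):
    try:
        action()
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    print(run_flow())
```

Compared with the blurb-code scheme, the user here types their password only at the provider, the scope check stops the client from reading data the user did not approve, and `revoke` cuts access immediately without the user having to keep or remove anything in their profile.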

I still believe that an OAuth system would be of much use to developers and players alike. I am still waiting to try and implement this into my own account verification system; we can only hope that Roblox adds support for OAuth 2.0.

5 Likes

It looks like Roblox is implementing the framework that was discussed at RDC for logging in with Roblox on the new events page:

Previously, you had to create your own account to log in. If I had to guess, Roblox is testing the capabilities on a page partially operated by them in order to test it out.

Looks pretty similar to Google sign-ins.

30 Likes

Cross-posting:

11 Likes

This has been implemented!

4 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.