OAuth2/SAML for ROBLOX (Authenticate/Login with ROBLOX)

Authenticating with the ROBLOX API

Currently, as a ROBLOX and web developer, it is too hard to produce secure, user-friendly systems for authentication on ROBLOX.

Accessible via https://auth.roblox.com/docs#!/, one observes the multiple APIs and services provided, with the sole purpose of serving ROBLOX’s internal system on the site.

Recently it has come to the attention of many the difficulty in making a secure web authentication system, similar to that of the Discord Developers system, and many others. Developers, with the purpose of delivering friendly and useful services like web dashboards or bots, should be able to access an enriched system allowing them to provide user-focused information in the wrath of a secure, and surprisingly basic authentication system.

This is absolutely vital to the advance in development for some: doing so would allow easier access to key functions for developers, such as creating developer products via the API: an essential to groups which create hubs, as well as creating a user friendly site for users to authenticate with Discord Bots.

The instance of RoVerify, the previously renowned Discord bot, is well known: it required user input of username and password to authenticate. This insecurity and lack of support from ROBLOX in providing a focused user interface under the safe domain of ROBLOX, as well as the mistake of storing unhashed passwords, led to a mass leakage of user information - leaving tens of thousands with captured accounts, funds and what otherwise had the potential to be a great system.

There is no limit to the advantageous factors in this implementation, the above are just some examples.

Currently the OAuth system, utilised by ROBLOX, has found the trouble of Captcha - this prevents developers from utilising the https://auth.roblox.com/v2/login endpoint to validate user information, as it requires a captcha token in its JSON payload.

There is also listed a SAML2 login system which, after investigation, I have found requires a "redirect_uri": "[REDIRECT_URI]" in its payload. I speculate this is/would be utilizable by developers to create an authentication system, with scopes for different permissions and client_ids as well as client_secrets like many other APIs on the internet.

I am surprised at the fact that this has not yet been implemented, considering the ease of doing so by developers in the ever-advancing era of technology, though I understand the foreseeable issues regarding safety and security.

To tackle this issue I propose an on-site authorization service like Discord’s, which has URL parameters for the redirect_uri as well as other key ingredients (i.e. client_id, scope).

Furthermore, the above solution could also solve the issue of Captcha, as ROBLOX’s internal service could handle the authentication.

I feel then that, like other service providers, the OAuth should return useful information such as:

Cookie or Authorization => This would be adjusted to the scope so that it can be utilised for the required functions.

refresh_token and auth_expiry => This is key for developers and maintaining established systems as it allows one to use said token to retrieve another cookie/authorization token, without having to go through the authorization scope once again, and the expiry date/time-to-expiry would assist in maintaining without having to constantly check if it functions - whilst this is no hassle.

These simple implementations would enrich the community of Web Programming, and help us much in achieving yet-impossible goals in the future.

Thanks for reading

- Arvin
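The flow the post proposes (redirect_uri, client_id, scope, a refresh_token plus an expiry) is the standard OAuth2 authorization-code flow. The following is an added example, not code from the original post and not a ROBLOX API: it shows the client side of such a flow, using a constructed placeholder authorize endpoint and constructed callback/token values. The state parameter and PKCE (RFC 7636) are the pieces that let a third-party site log a user in without ever handling their password, which is exactly what went wrong in the RoVerify case described above.

```python
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint: ROBLOX exposes no public OAuth2 authorize endpoint,
# so this URL is an assumption for the example, not a real service.
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id: str, redirect_uri: str, scopes: list) -> tuple:
    """Return the URL the browser is sent to, plus the per-login values the client
    must keep in the user's session to validate the callback later."""
    state = secrets.token_urlsafe(24)           # binds the callback to this session (anti-CSRF)
    code_verifier = secrets.token_urlsafe(48)   # PKCE verifier; only its hash leaves the client
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), {"state": state, "code_verifier": code_verifier}


def extract_authorization_code(callback_url: str, pending: dict) -> str:
    """Validate the redirect back to redirect_uri and return the one-time code.
    A callback whose state does not match the one issued for this login is rejected."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    if not returned_state or not secrets.compare_digest(returned_state, pending["state"]):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float   # absolute unix time, derived from the server's relative expires_in


def token_set_from_response(resp: dict, now: float) -> TokenSet:
    """Turn a token-endpoint JSON response into a TokenSet with an absolute expiry."""
    return TokenSet(
        access_token=resp["access_token"],
        refresh_token=resp["refresh_token"],
        expires_at=now + float(resp["expires_in"]),
    )


def needs_refresh(tokens: TokenSet, now: float, skew_seconds: float = 60.0) -> bool:
    """True when the access token is expired or about to expire, so the client should
    use the refresh token instead of sending the user through consent again."""
    return now >= tokens.expires_at - skew_seconds


if __name__ == "__main__":
    url, pending = build_authorization_request("client-123", "https://app.example/callback", ["profile.read"])
    print("send user to:", url)
    # Constructed callback, as the browser would deliver it after the user consents:
    callback = f"https://app.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={pending['state']}"
    code = extract_authorization_code(callback, pending)
    # Constructed token response; a real client would POST code + code_verifier to the token endpoint.
    tokens = token_set_from_response(
        {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600}, now=time.time()
    )
    print("code:", code, "| refresh needed now?", needs_refresh(tokens, time.time()))
```

The important defensive properties are in extract_authorization_code and needs_refresh: a callback is only accepted when its state matches the value stored for that session, and the access token is renewed via the refresh token shortly before expires_at rather than after a failed request, which is the "refresh_token and auth_expiry" behaviour the post asks for.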


It would be amazing to see Roblox open up its OAuth endpoints to developers.

I’m currently in the process of making a standalone verification system (as part of a larger project) that I plan on eventually opening up to developers, that essentially allows users to associate their Roblox user ID with other third party services (e.g. Discord, Twitter, Google, Microsoft, Spotify, etc.), and will act as an OAuth provider for other developers to utilise in their own apps; however, the actual login for this system requires the user to authenticate with Roblox, and to do this, I must ask users to display a verification code (“EmojiCode”) on their profile. This could be a much simpler process if users could simply authenticate using officially supported endpoints, and would theoretically eradicate the need for this service altogether.