OAuth2/SAML for ROBLOX (Authenticate/Login with ROBLOX)

Authenticating with the ROBLOX API

Currently, as a ROBLOX and Web Developer, it is too hard to produce secure, user-friendly systems for Authentication on ROBLOX.

Accessible via https://auth.roblox.com/docs#!/ one observes the multiple APIs and Services provided, with the sole purpose of serving ROBLOX’s internal system on the site.

Recently the difficulty in making a secure web authentication system, similar to that of the Discord Developers system and many others, has come to the attention of many. Developers, with the purpose of delivering friendly and useful services like web dashboards or bots, should be able to access an enriched system allowing them to provide user-focused information in the wrath of a secure, and surprisingly basic, authentication system.

This is absolutely vital to the advance in development for some: doing so would allow easier access to key functions for developers, such as creating developer products via the API (an essential to groups which create hubs), as well as creating a user-friendly site for users to authenticate with Discord bots.

The case of RoVerify, the previously renowned Discord bot, is well known: it required user input of username and password to authenticate. This insecurity and lack of support from ROBLOX in providing a focused user interface under the safe domain of ROBLOX, as well as the mistake of storing unhashed passwords, led to a mass leakage of user information, leaving tens of thousands with captured accounts and funds, and what otherwise had the potential to be a great system.

There is no limit to the advantageous factors in this implementation, the above are just some examples.

Currently the OAuth system, utilised by ROBLOX, has found the trouble of Captcha - this prevents developers from utilising the https://auth.roblox.com/v2/login endpoint to validate user information, as it requires a captcha token in its JSON payload.

There is also listed a SAML2 login system which, after investigation, I have found requires a "redirect_uri": "[REDIRECT_URI]" in its payload. I speculate this is/would be utilizable by developers to create an authentication system, with scopes for different permissions and client_ids as well as client_secrets like many other APIs on the internet.

I am surprised at the fact that this has not yet been implemented, considering the ease of doing so by developers in the ever-advancing era of technology, though I understand the foreseeable issues regarding safety and security.

To tackle this issue I propose an on-site authorization service like Discord's, which has URL parameters for the redirect_uri as well as other key ingredients (i.e. client_id, scope).

Furthermore, the above solution could also implement the solution to the issue of Captcha, as Roblox's internal service could handle the authentication.

I feel then that, like other service providers, the OAuth should return useful information such as:

Cookie or Authorization => This would be adjusted to the scope so that it can be utilised for the required functions.

refresh_token and auth_expiry => This is key for developers and maintaining established systems as it allows one to use said token to retrieve another cookie/authorization token, without having to go through the authorization scope once again, and the expiry date/time-to-expiry would assist in maintaining without having to constantly check if it functions - whilst this is no hassle.

These simple implementations would enrich the community of Web Programming, and help us much in achieving yet-impossible goals in the future.

Thanks for reading

- Arvin
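The authorization-code exchange the post above proposes (a redirect carrying client_id, scope and redirect_uri, then an expiring access token plus a refresh token), written out as an added Python example playing both roles. This is not Roblox code and not the Roblox API; AUTHORIZE_URL, the callback URL, the client id and secret, the user id 12345 and the token values are constructed placeholders. It goes a little beyond the post in what it checks: the redirect_uri must equal the registered one, the callback's state must match one the client issued, codes are single use, refresh tokens are rotated, and the protected resource checks expiry and scope.

```python
# Added illustration of the flow proposed in the post above. Not Roblox code and not
# the Roblox API: every URL, client id, secret, user id and token here is constructed.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"  # placeholder endpoint

def _query(url):  # first value of each query parameter in a URL
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:
    """Provider side: registered clients, single-use codes, expiring tokens."""
    def __init__(self, clients, clock):
        self.clients = clients    # client_id -> (client_secret, redirect_uri)
        self.clock = clock        # callable returning the current epoch time
        self.codes = {}           # code -> (client_id, scope, user_id)
        self.access_tokens = {}   # access_token -> (user_id, scope, expires_at)
        self.refresh_tokens = {}  # refresh_token -> (client_id, user_id, scope)

    def authorize(self, user_id, params):
        """User approved the consent page: validate the request and issue a code."""
        _, registered_uri = self.clients[params["client_id"]]
        if params["redirect_uri"] != registered_uri:  # never send a code elsewhere
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (params["client_id"], params["scope"], user_id)
        # Echo the client's opaque state so it can tie this callback to its own request.
        return registered_uri + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Token endpoint: trade a code (once) or a refresh token (rotated) for tokens."""
        secret, registered_uri = self.clients[form["client_id"]]
        if not hmac.compare_digest(secret, form["client_secret"]):
            raise PermissionError("bad client credentials")
        if form["grant_type"] == "authorization_code":
            client_id, scope, user_id = self.codes.pop(form["code"])  # pop: single use
            if client_id != form["client_id"] or form["redirect_uri"] != registered_uri:
                raise PermissionError("code was not issued for this client/redirect")
        elif form["grant_type"] == "refresh_token":
            client_id, user_id, scope = self.refresh_tokens.pop(form["refresh_token"])
        else:
            raise ValueError("unsupported grant_type")
        access, refresh, ttl = secrets.token_urlsafe(32), secrets.token_urlsafe(32), 3600
        self.access_tokens[access] = (user_id, scope, self.clock() + ttl)
        self.refresh_tokens[refresh] = (client_id, user_id, scope)
        return {"access_token": access, "expires_in": ttl, "refresh_token": refresh, "scope": scope}

    def resource(self, access_token, required_scope):  # a protected endpoint
        user_id, scope, expires_at = self.access_tokens[access_token]
        if self.clock() >= expires_at:
            raise PermissionError("access token expired")
        if required_scope not in scope.split():
            raise PermissionError("token lacks scope " + required_scope)
        return {"user_id": user_id}

class Client:
    """Third-party app side: it never handles the user's provider credentials."""
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.redirect_uri = server, redirect_uri
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.pending = set()  # outstanding state values (per browser session in practice)

    def start_login(self, scope):
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "scope": scope,
            "client_id": self.creds["client_id"], "redirect_uri": self.redirect_uri, "state": state})

    def finish_login(self, callback_url):
        q = _query(callback_url)
        if q.get("state") not in self.pending:  # callback we never started (login CSRF)
            raise PermissionError("unknown state")
        self.pending.discard(q["state"])
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": self.redirect_uri, **self.creds})

    def refresh(self, tokens):
        return self.server.token({"grant_type": "refresh_token",
                                  "refresh_token": tokens["refresh_token"], **self.creds})

def run_flow():
    """Walk the exchange end to end with constructed values; returns what was checked."""
    clock = [1_700_000_000.0]  # constructed fake clock so expiry can be exercised
    cb = "https://app.example.invalid/callback"
    server = AuthorizationServer({"demo-client": ("demo-secret", cb)}, lambda: clock[0])
    client = Client(server, "demo-client", "demo-secret", cb)
    login_url = client.start_login("openid profile")         # 1. browser sent to provider
    callback = server.authorize("12345", _query(login_url))  # 2. user 12345 consents
    tokens = client.finish_login(callback)                   # 3. code exchanged for tokens
    checks = {"user_id": server.resource(tokens["access_token"], "profile")["user_id"]}
    clock[0] += tokens["expires_in"] + 1                     # access token lifetime elapses
    try:
        server.resource(tokens["access_token"], "profile")
        checks["expired_rejected"] = False
    except PermissionError:
        checks["expired_rejected"] = True
    fresh = client.refresh(tokens)                           # 4. refresh, no consent screen
    checks["refresh_works"] = server.resource(fresh["access_token"], "profile")["user_id"] == "12345"
    return checks
```

Calling run_flow() returns a dict showing that the login resolved to user 12345 without the app ever seeing a password, that the access token stopped working once expires_in seconds had passed, and that the refresh token obtained a new one without the user going through the consent page again. The state value is the client's only defence against a callback it did not initiate, which is why it is generated per login and discarded once used.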


It would be amazing to see Roblox open up its OAuth endpoints to developers.

I’m currently in the process of making a standalone verification system (as part of a larger project) that I plan on eventually opening up to developers, that essentially allows users to associate their Roblox user ID with other third party services (e.g. Discord, Twitter, Google, Microsoft, Spotify, etc.), and will act as an OAuth provider for other developers to utilise in their own apps; however, the actual login for this system requires the user to authenticate with Roblox, and to do this, I must ask users to display a verification code (“EmojiCode”) on their profile. This could be a much simpler process if users could simply authenticate using officially supported endpoints, and would theoretically eradicate the need for this service altogether.


Bumping this.

I want to be able to write backend systems for managing groups and such without needing to rely on client tokens which are known to reset.

It’s also useful for outside use where the token can’t just be stuffed into a script.

In the meantime, if you’re writing a desktop app, it’s possible to get the user’s auth token through the registry. I will not disclose how as it’s technically an exploit.


This would be amazing for an off-site Roblox website that I run. Currently, in order to even use the website features hidden behind the log-in page, the admins need to verify who you are in order to avoid impersonations, and it doesn’t give anyone the good “log-in and go” feel that any Roblox-related website gives us, like the UGC events page.


I was linked here by some developers in private messages (thanks for bringing this thread up with me).

Just wanted to note here that we are planning out an OAuth2.0 surface for developers to use, particularly starting out with the “login with Roblox” use case (via the OpenID Connect algorithm).

Please watch this space as our teams try to bring this to you soon-but-not-too-soon™.


Are there any plans to integrate the OAuth flow with the new API key feature when an OAuth flow is integrated?


They will use the same scopes/permissions, so you can use them on the same endpoints.

API keys are for accessing resources you own yourself, OAuth is for accessing resources of others that your application was authorized to access.


Hi, in this post you said “Please watch this space as our teams try to bring this to you soon-but-not-too-soon™.”

I was going to ask if there is any timeline, or at least a “by-end-of-year” type thing? It’d be nice to see something as Roblox continues to break methods we use to contact Roblox APIs, for instance, see: IP Changes Invalidate Cookie. This is/was hurting all of our users, and creates major problems for large groups who rely on ranking tools/services to quickly handle tedious tasks.

This is actively in progress and we expect to release it some time later this year.

OAuth will support all the Open Cloud endpoints, anything you can use with an API key. If you need additional endpoints added to Open Cloud, you’re highly encouraged to suggest those in #feature-requests:website-features!


Humans are terrible estimators

After some bumps in the road this is released in public beta now: