[Public Beta] Building Your Applications with OAuth 2.0

Hooksmith · June 9, 2023, 3:02pm

If they are strictly oauth-related you are okay to post these here, or you can use the bug reporting process for it.

If they are not oauth-related yes please use the bug reporting process.

fivefactor · June 9, 2023, 6:34pm

Are there any plans for more APIs to be accessible using OAuth? Specifically in regards to experience analytics, it would be extremely useful to be able to use the API to access the analytics from the creator dashboard.

Hooksmith · June 10, 2023, 9:35pm

Hey folks I checked with the team and can confirm we have people working on group / group role management scopes for Open Cloud and all of your use cases for group API are covered properly in the spec. We’re going to roll this out iteratively (likely starting with read-only APIs and scopes) but the goal is to eventually have all group management supported via Open Cloud. We understand the priority of this.

Hooksmith · June 10, 2023, 9:37pm

On this comment specifically, this seems unnecessary once there is Open Cloud support for group management. Instead of using a separate account you would have the owner of the group authorize your app to use the APIs.

GamingLamaWasTaken · June 12, 2023, 3:08pm

thank you for providing me with this information. I have decided to go with a well-documented bug report through the @Bug-Support team and I am looking to get this OAuth 2.0 bug fixed soon. Is there anyone specific who I should add to the bug report?

lewisakura · June 12, 2023, 6:41pm

I have written a tutorial on implementing the most secure OAuth flow possible, aptly named, well…

This was originally a reply, but because of it’s comical length I have split it into a separate post as to not pollute this one.

fivefactor · June 13, 2023, 1:48am

Adding on to this request, are there any plans to potentially add a “groups” scope to OAuth? For example, this would allow the application to perform requests on groups the user owns

Hooksmith · June 13, 2023, 1:48am

I checked and it’s covered in the same work I mentioned in this post: [Public Beta] Building Your Applications with OAuth 2.0 - #102 by Hooksmith

fivefactor · June 13, 2023, 1:50am

Got it, did not see that. Were there any previous mentions of an analytics API (as I mentioned in my previous post)?

Hooksmith · June 13, 2023, 1:52am

The vision is all these features should be available through Open Cloud some day but it’s going to take us a while to get there.

Unfortunately I did not see mention of analytics API in the immediate priority list of stuff to implement, but I noted down and forwarded your post above (as well as all other requests on this thread).

TheHeadIessHorseman · June 13, 2023, 3:05am

Is there any plans to allow us to get the users email?

Hooksmith · June 13, 2023, 3:20pm

Answered in [Public Beta] Building Your Applications with OAuth 2.0 - #88 by Hooksmith

No plans to do this at the moment. There’s a large security/privacy burden here that we would need to overcome. I wouldn’t expect it happen soon or at all at this time.

TheHeadIessHorseman · June 13, 2023, 3:59pm

Gotcha, thanks for the update. Was curious just so for a discourse instance I no longer would have to ask for email and have email verification. Hopefully this will come one day.

foodeggs7 · June 14, 2023, 2:10pm

Can you build websites wit oauth2 or something like that

LifeDigger · June 14, 2023, 6:01pm

Depends on what you define as “build”. Websites are where you can see OAuth2 commonly because it is often used as a quicker log in however OAuth2 is not the only thing you need to build a website.

What OAuth2 is, is basically just a way for you to easily have someone give a third party app permission to access and use resources someone has.

foodeggs7 · June 14, 2023, 6:12pm

Ok and what can the 3 party apps be

LifeDigger · June 14, 2023, 6:42pm

Third party apps is anything which is outside of Roblox basically. So for example websites, phone apps, bots.

foodeggs7 · June 14, 2023, 6:44pm

Sall i so can add my own website

LifeDigger · June 14, 2023, 6:51pm

Yea that should work if you where to add it to your site. You basically just need to direct the user when they click a button or something such as that to the URL where the user gives authentication (you just then follow either one of the authentication flows and get the refresh token and access token).

OriginalArkus · June 14, 2023, 10:42pm

I’ve been working on setting up one of the projects I work on to use the new Roblox OAuth 2.0 infrastructure, but unfortunately I’ve hit a few problems with defining redirect URLs.

The comment underneath the textbox for redirect URLs states that " Must have secure SSL certificate (starts with https://) unless host name is localhost". I have a locally trusted certificate (self-signed) for localhost and HTTPS is mandatory for my application but not permitted as a redirect URL - it seems to only accept localhost without https. HTTPS should be optional (but maybe encouraged) for localhost, not forbidden! My code just doesn’t listen to HTTP other than to immediately use a 302 to upgrade to HTTPS, so I can’t currently use localhost as a development URL.

As a consequence, I currently can’t build my test integration with Roblox. Can this be investigated and resolved?