[Public Beta] Building Your Applications with OAuth 2.0

Lol, Roblox already has all your data if you have a dev-ex profile. Could just base it on that …

This seems like what I wanted for months but ngl the Documentation is kinda bad, I wish somebody from the community could make a better one : /

1 Like

This update will make verification with other services very easy with ROBLOX. I think this is a really great update for 3rd party services such as Bloxlink or a Networth Calculator. Really glad to see this!

1 Like

thank you so much! oauth is great.

1 Like

why would you authenticate to proxmox with roblox???

check their robux transactions

I’ll forward this feedback.

Yeah good point that it’s confusing. We are going to work on polishing up the way you test apps before publishing, this is just an initial stage for the public beta. See this part of the announcement text:

We’ll continue making further optimizations such as allowing you to add collaborators who can test the app, rather than the arbitrary 100-user limit.

This is a planned feature.

This will likely not be implemented because it has some abuse vectors if the app can make itself disappear from the user’s account settings. E.g. an app could start doing something malicious after some time and afterwards hide itself from the user’s account settings and this would be confusing to the user as to what app may have performed the malicious action.

If you persist the access/refresh token set, you can however use /v1/token/revoke to revoke that particular refresh token. So revoking is there on a per-session basis, but for the sake of clarity we will never remove an item from the user’s account settings unless the user revoked the app themselves.

2 Likes

I remember back before the closed-source module script update in 2019, many community businesses used something like this to provide automated services (Group ranking, job interviews/applications, in-game voting, etc.) Nice to see we finally have an alternative that keeps client info AND developer source code safe!

2 Likes

I love this new feature! Though I can’t figure out how to set the authorize URL up; I’m trying to use the asset:write scope…

Update: … Now it seems to always give me the “Error”: “Redirect URI is invalid for this application.” even though it seems to be correct.

2 Likes

tl;dr: API endpoint stability? /v1/create is now /v1/assets ???

I have a build job for Jailbreak that used the published https://apis.roblox.com/assets/v1/create endpoint successfully for many months, but it seems with this update the endpoint was CHANGED to https://apis.roblox.com/assets/v1/assets for both API keys but also for OAuth apps.

Can we expect these URLs to remain stable in the future? I was very confused when my production builds stopped working.

EDIT: I see now that actually a lot of the API changed. No worries, it wasn’t too bad of a fix, but it did break things for us that were expected to be stable, perhaps not taking over the /v1/

4 Likes

Thanks for posting that, that doesn’t seem right. Following up internally what happened there and will get you a response.

4 Likes

Thanks for reaching out to us about the issue you had with our API. We’re sorry for any inconvenience caused and appreciate your feedback. It seems like you might have missed our previous announcement about the API shutdown. In future, we will ensure that creators receive more explicit notifications and announcements about any updates and changes related to our API. Your patience and understanding are much appreciated!

2 Likes

I did, thanks for the response!

Additionally, thank you to all who worked on OAuth, I have a good use for this. And also for the additional metadata from assets API

2 Likes

I am heavily in favor of implementing an alternate way for verifying that a user is OAuth-eligible. Although being ID-verified is a good deterrent for bad actors/applications, requiring an ID seems like a stretch when I can easily swap in Google or GitHub OAuth when the only thing I have provided to both platforms is a verified email address.

2 Likes

:hushed: :shushing_face:

Coming soon…?
Awesome feature!

7 Likes

Basically RoVer or Bloxlink but with official Roblox support haha

2 Likes

seems like a good update but too confusing for people like me with a peanut brain

I’m currently finding the documentation for OAuth a bit inadequate. For instance, the PKCE information is very lacking and doesn’t actually provide an example of how you should be implementing this flow, rather just describing it, which is not great when this is meant to be a security feature. Implementing Authorization Flows flings you back to this section, which isn’t useful. The endpoint documentation describes the code_challenge parameter as random_value_3 and “the result of applying the code_challenge_method to the code_verifier”, which tells me nothing about what I actually need to do to generate a valid value. Do I need to use a hex string? URL encoding? Turns out it’s base64url, but nowhere in this documentation does it say this.

As someone who hasn’t worked with the PKCE extension until this point, I’ve had to go around and look at other platforms’ documentation (OneLogin has a lot of good information on this, including code examples on how to implement it!) to finally work out my mistakes with my implementation.

This is probably because the documentation assumes you’re not writing your own authentication clients (since it points out the .well-known configuration exists for client autoconfig) however I tend to do authentication myself for ease of integration.

3 Likes
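The post above points out that the `code_challenge` is the base64url encoding (no padding) of the SHA-256 digest of the `code_verifier`, not a hex string or a percent-encoded value. The following is an added example, not code from the original thread or from Roblox, showing the S256 derivation from RFC 7636, the server-side check it enables, and how the values fit into an authorize URL. The authorize endpoint, client id and redirect URI in it are placeholders.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import urlencode

# Characters RFC 7636 allows in a code_verifier (unreserved set)
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def b64url_nopad(data: bytes) -> str:
    """base64url-encode and strip the '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Random verifier of 43..128 unreserved characters (RFC 7636 s4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters long")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def make_code_challenge(code_verifier: str) -> str:
    """S256: base64url(SHA-256(ASCII(code_verifier))) with no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


def challenge_matches(code_verifier: str, code_challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed."""
    return secrets.compare_digest(make_code_challenge(code_verifier), code_challenge)


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, code_challenge: str) -> str:
    """Assemble the authorization request; urlencode handles percent-encoding."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must match the app's registered URI exactly
        "scope": scope,
        "state": state,                # anti-CSRF value, checked on the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)
```

The RFC 7636 test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) gives the challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`, which is a quick way to confirm a client is encoding correctly.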

I think that is a great way of going about it, however I believe it’s important to ensure the risk level indicators work. They all say ‘No risk level was provided’ except for openid and profile. Example:

2 Likes

I don’t understand why app names are unique.

