[Public Beta] Building Your Applications with OAuth 2.0

A while ago I did the feedback thing to apply for access to the new early access version of OAuth. If we were to get accepted we would get some kind of notice, I assume? And how can we confirm that it was sent correctly?

4 Likes

How about those of us who don’t have an ID? I don’t even have an ID except a school ID. Some of us don’t have an ID, etc. If we are in the devforum that means we are 13+. This is unfair to people who are trying to test it out, but I only have a school ID.

5 Likes

they don’t care about your age, they just want your data and don’t have reports about some OAuth2 apps

3 Likes

We agree it is not an ideal solution for some of the reasons you and others above have provided, and I’ve started a discussion internally some time ago on what we could do to improve it in the future.

Unfortunately I can’t promise here if/when an alternative solution will arise. It’s a hard problem because we need to balance usage against safety. For now I just want you to know we hear the concern and we’ll think about it going forward.

This is incorrect, we don’t persist the ID data. Please refer to our help article:
https://en.help.roblox.com/hc/en-us/articles/4407276151188

The age verification feature is only related to the OAuth 2.0 feature in that we use it as a gate to discourage abusers.

14 Likes

It’s the user’s responsibility to not download malicious applications / visit a “bad” website.

I understand that there needs to be much security with uploading models/etc., but not with accessing a user’s name/ID. It would be better if we would just have to verify our phone number and our account age is more than 100. (Just some examples)

12 Likes

I really feel like this will be a very useful tool for us developers that build external tools for Roblox. However, at the minute OAuth 2.0 seems pretty useless as it doesn’t give us the same features as API keys. It would be nice if we could use OAuth for DataStores. They did allow this for the messaging service, which OAuth 2.0 can handle, but not for any other Open Cloud API key features. I hope there is a plan to add all these.

At the minute I’m working on an external website for developers to access their DataStores using their API key; however, the setup for developers to link their game to my website can be quite complex. I don’t want to develop my website to use both OAuth 2.0 and API keys since that would make it even more complex.

I’d like to know: is Roblox planning on adding more features like the DataStore API to OAuth 2.0?

12 Likes

Agree we could have different rigor based on the scopes you need. This is not yet planned but it’s one of the angles that was being discussed.

This is the “easy” stance to take, but we take safety very seriously as a platform as we have a lot of young users, and this is a brand new feature that we may not yet fully understand the abuse patterns of, so we’re being cautious here on the publishing end as well, at least for the time being.

10 Likes

Are there any plans to allow things such as DataStore API access for OAuth 2.0 just like API keys? Since the messaging service is available across OAuth and API keys.

9 Likes

I saw your message above (I read all posts in this thread). I don’t know the answer atm so I didn’t respond yet. I’ve forwarded that question already, thanks.

9 Likes

I can’t go into too much detail here, but currently we do not provide this functionality on OAuth for privacy/compliance-related concerns. It’s not likely this will change in the near-term future. I’ve forwarded your request to the product manager so they’re aware regardless, though.

We recommend using API keys as a mechanism for interacting with your own universe’s data stores. (Use API keys when handling your own resources, and use OAuth when handling others’ resources.)

9 Likes

Could you elaborate on this use case and how OAuth2 can help?

7 Likes

I was thinking maybe it would be easier for you to send an API key as a response when the user connects their account using OAuth, and developers could therefore use the already existing Open Cloud API rather than you having to make an entirely new API for OAuth that would support the same features as Open Cloud.

7 Likes

Negative, they are completely different protocols and the tokens have different meanings. It is intentional that some scopes are available for OAuth 2.0 and some are only for API keys, as I described in my previous message. (privacy/policy reasons)

Going forward we will likely need to make similar decisions based on privacy/policy reasons. Sorry for the inconvenience. Feel free to keep raising your need for these scopes (preferably in a separate thread in #feature-requests) if you need something available to OAuth 2.0 that currently is not.

API keys should be used for your own resources, and OAuth 2.0 when requesting access to resources of others.

6 Likes

What if Roblox assigned a random email, how Apple does when using Login with Apple?

The OAuth2 app only sees the random-email@example.
Roblox sends emails from random-email@example to real-email@example, acting like a middle man,
and the user can revoke the email at any time.

8 Likes

I recommend setting up a feature request to talk specifically about this problem (wanting user email addresses for X reasons), so you can keep bumping that with use cases and needs, and posting suggested solutions like that, even after this announcement here closes.

If you do not currently have permission to file a feature request you can work with someone who does and co-author it. (apologies for the inconvenience there)

Please make sure that the feature request is about the problem (you need email addresses for X reasons), rather than this specific proposed solution you have here.

7 Likes

Can we get sorting and filtering for choosing an experience while logging in? It’s super tedious for those with lots of games to go through them all trying to find the right one. Being able to search by title or place ID, filter by date modified or created, etc. would be great.

7 Likes

I think it would be fairly beneficial to add a scope returning a user’s verification status into the OAuth2 flow. For example, on ClearlyDev we include Roblox OAuth2 authentication as well as Discord and classic email + password authentication. For certain features we think it would be beneficial to age-gate them.

An example response for this scope could include the user’s age range:

  • 13-17
  • 18+

5 Likes

It would also be nice to give the user more information on why they can’t use this application if they are under 13 years old. The most common support request the RoVer Discord server gets is about why they get this issue.
RoVer has a help page describing this, but no one is reading it, as RoVer can’t determine if the user is underage nor can it link them to the support article on the Roblox site.

TL;DR: Let us link a support article (written by us) and if we don’t have one, link the user to Roblox’s one.

7 Likes

So these are two different use cases right?

  • Wanting “user verification status”; do you mean whether the user is age-verified? Or any kind of verification? (phone or ID)
  • Wanting to know the user’s age range.

Can you explain more about the former use case? Could we enforce this for you on the authorization dialog (e.g. an option in your app settings) instead of you needing to do it yourself in your app? And the same for the latter.

7 Likes

You should never end up in a situation where a 13- user hits the authorization dialog in this configuration, as Discord doesn’t cater to 13- users as per their TOS, and RoVer and similar verification bots are primarily Discord-based.

I recommend following up with Discord on this concern if you believe that you are aware of users of their platform that you presume are violating the Discord TOS.

6 Likes