[Public Beta] Building Your Applications with OAuth 2.0

Most accounts are 13- as the account owner has set their Birthday incorrectly.
In rare cases the user is actually 13-, but normally they can prove that they are older than 13.

6 Likes

I suppose a scope for either could both potentially have their uses: Seeing if they are ID or Phone verified (or both!) could help confirm that a user is a genuine user.

On the topic of age-gating, following the recent release of 17+ Experiences, some Developers on the ClearlyDev platform have recently started publishing assets that could potentially require a game’s age-rating to be marked 17+.

If we can safely use a Roblox User’s Age Range - as could be returned by the OAuth2 flow with a scope - we would be able to ensure that Roblox Content Policies are being upheld, even though they are off the Roblox Platform itself.

We could obviously integrate our own ID Verification system powered by a third-party provider, however as the number of users using our Roblox Authentication option increases, we think it could be beneficial if this data was returned by Roblox itself, as it is already proven to be viable data.

6 Likes

It may not be possible for us to specifically return the information due to privacy/policy reasons (the same reason we provide no API to read this per-user in-game). But we could probably investigate being able to set this on the app registration screen so it gates who can access your app, similar to experience guidelines.

5 Likes

The https://apis.roblox.com/oauth/v1/authorize endpoint (I omitted the client ID and other params on purpose) is responding with HTTP error 500 for me. It was working fine just 5 minutes ago and yesterday. Is this because the service is down or did I hit some sort of rate limit?

Edit: It’s been 6 hours and it seems to be down for my friends too.
Edit 2: It’s been a day and it’s still down. However, https://authorize.roblox.com/, the link devforum uses for signing in with Roblox, which didn’t work for third party applications yesterday, is working perfectly fine for my third party app.

5 Likes

Do you mind sending me your full request body in a private message? I’ll take a look. This is definitely not happening across apps as you say that forum (and Studio for that matter) are logging in fine, so it is likely a specific request body causing the error if you are still seeing it.

5 Likes

How long do OAuth 2.0 login sessions last for?

At the moment we have a problem where once we login via the session it expires less than a day later and was hoping there was a set way to set expiration times.

5 Likes

You have to use the refresh token rather than the access token in your requests. Refresh tokens have to be retrieved every 24 hours I believe.

5 Likes

Is there documentation for that, because I can’t seem to find the difference between the two.

4 Likes

Yes, there is documentation for this.

In the last few days, I have asked users how old they are, when they get this error. Turns out, that roughly some users are actually underage, but the majority are older than 13 years. Here, it would be nice to link an Article in the error Message.

4 Likes

I don’t really follow how the part you quote answers Ash’s question.

The answer is here: OAuth 2.0 3rd Party App Support (Beta) | Documentation - Roblox Creator Hub

The refresh tokens for any user are valid for 6 months after authorization. After that, the user would need to re-authorize your app. If the user re-authorizes at least once every 6 month period, your app would never be de-authorized.

The access token is valid for 15 minutes but you can get another one with the current refresh token at any time that the refresh tokens are valid.

4 Likes
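The lifetimes quoted in the post above (15-minute access token, refresh token valid 6 months after authorization) translate into a client that caches the access token and renews it shortly before expiry. This is an added example, not code from the thread or from Roblox: the `post` callable and `fake_token_endpoint` are constructed stand-ins for the token endpoint so it runs offline, the form fields follow the standard refresh grant in RFC 6749 section 6, and 6 months is approximated as 182 days.

```python
import time

ACCESS_SKEW = 60                    # refresh this many seconds before expiry
REFRESH_LIFETIME = 182 * 24 * 3600  # "6 months" from the post, approximated

class ReauthorizationRequired(Exception):
    """The refresh token can no longer be used; the user must authorize again."""

class TokenManager:
    def __init__(self, post, client_id, client_secret, refresh_token, authorized_at):
        self._post = post                  # callable(form: dict) -> dict (assumption)
        self._client_id = client_id
        self._client_secret = client_secret
        self.refresh_token = refresh_token
        self.authorized_at = authorized_at  # when the user granted access
        self._access_token = None
        self._expires_at = 0.0

    def access_token(self, now=None):
        now = time.time() if now is None else now
        if self._access_token and now < self._expires_at - ACCESS_SKEW:
            return self._access_token      # cached token is still good
        if now - self.authorized_at >= REFRESH_LIFETIME:
            raise ReauthorizationRequired("refresh token expired")
        reply = self._post({               # standard refresh grant
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        })
        if "access_token" not in reply:
            raise ReauthorizationRequired(reply.get("error", "refresh failed"))
        self._access_token = reply["access_token"]
        self._expires_at = now + int(reply.get("expires_in", 900))  # 15 minutes
        # If the server rotated the refresh token, store the new one.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        return self._access_token

def fake_token_endpoint():
    """Constructed stand-in for the token endpoint; records refresh tokens seen."""
    calls = []
    def post(form):
        calls.append(form["refresh_token"])
        n = len(calls)
        return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}", "expires_in": 900}
    return post, calls
```

Persist `refresh_token` and `authorized_at` server-side only; the access token can stay in memory because it is cheap to replace.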

You may have noticed that I provided the same Documentation as you. The Part I quoted has nothing to do with Ash’s Question.

4 Likes

Bless, I was blind thank you.

Char Limit

6 Likes

Is a scope for tracking player activity planned? I feel like that would be a fairly important and useful scope to have.

What player activity are you thinking about? Can you explain the use cases?

For example how much time a player has spent in your game. Would be useful for some groups that have a quota for how much time their staff have to spend in-game.

1 Like

I’m not aware we are tracking play time for each individual user. We aggregate the avg. session time for analytics purpose but that’s all anonymous.

Similar to what Discord have for user activity. It would give applications a whole new range of possibilities, especially for groups if they plan on tracking user activities in the game and rewarding it. Also, based on how things are at the moment, a user would be required to share their game activity with the entire platform, instead of them being able to grant specific permissions to an application.

If the concern is protecting the interests of player privacy, it seems counterintuitive to force a player to share their activity on a larger scale.

A very specific example would be keeping track of individual player activity in multiple games for a group to reward individuals with out-of-game rewards, i.e. a promotion in the group, incentives determined by group management.

Can’t you achieve this today by sending join/leave messages to your own service from the experience itself, via HttpService, whenever a player starts and stops a session? It doesn’t seem like you need to do this via OAuth2.0 since you fully control the experiences where the users are playing.

1 Like

What about cases where you don’t have full control over the experiences where the users are playing? And if you are scaling up a project where you may have different projects connecting to the same application, you’d have to have many games posting to the same server.

Instead of that method, you could have a system whereby users’ activity is tracked and their game activity can be recorded by the application.

I don’t understand how that method of forcing a bottleneck would be preferable over using Roblox’s existing native player activity system.

Thanks for explaining further. I don’t think we currently store “playtime of a user per universe in a given date range” in a way that we could easily expose it via web API currently. Given the niche nature of the use case plus the potentially high engineering cost, just being realistic that you probably shouldn’t expect this to be implemented soon on OAuth2.0, and for the time being would recommend the approach mentioned above where you record start/stop messages if you need this soon. @~dragonknightflies (product manager) has seen and is aware of your request, though this does not guarantee this will be implemented.
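The start/stop approach recommended above, shown on the receiving side as an added example (not code from the thread or from Roblox). The event fields, the shared-secret header and the 12-hour cap are assumptions made for illustration; sessions are keyed by universe so several experiences can report to one service, and a session that never received a leave event is discarded rather than guessed.

```python
import hmac

SHARED_SECRET = "constructed-example-secret"  # placeholder; load from config in practice
MAX_SESSION = 12 * 3600                       # assumed cap on one session, in seconds

class PlaytimeTracker:
    def __init__(self):
        self.open = {}     # (universe_id, user_id) -> join timestamp
        self.totals = {}   # (universe_id, user_id) -> accumulated seconds

    def handle(self, secret_header, event):
        """Process one join/leave event; return True if it was accepted."""
        # Only accept senders that know the secret (constant-time comparison),
        # otherwise anyone who finds the URL could forge playtime.
        if not hmac.compare_digest(secret_header.encode(), SHARED_SECRET.encode()):
            return False
        key = (event["universe_id"], event["user_id"])
        ts = event["ts"]
        if event["type"] == "join":
            # A join while a session is open means the leave was lost
            # (server crash); drop the old session instead of guessing.
            self.open[key] = ts
            return True
        if event["type"] == "leave" and key in self.open:
            started = self.open.pop(key)
            length = min(max(ts - started, 0), MAX_SESSION)
            self.totals[key] = self.totals.get(key, 0) + length
            return True
        return False       # leave without a join, or unknown event type

    def seconds(self, universe_id, user_id):
        return self.totals.get((universe_id, user_id), 0)
```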