Allow bots to be made aware of the user ID of connected accounts.

Comments

15 comments

  • DingleFlop

    I am not a bot, so I can see this information, even though I am not his friend. But a bot is forbidden from viewing this information.

    I can even click the little box on his steam to bring up his profile.... and lookie there, the URL has his steam user ID.

     

     

    My alternative is to implement my own OpenID solution, get my own token from steam and force the user to authenticate a second time, despite ONLY caring about the user ID...

    7
  • DingleFlop

    No. Not getting a user's ID through the OAuth2 flow....


    I mean getting this publicly viewable information that Discord already grabs, using its own OAuth/OpenID flow, and allowing bots, and not just user accounts, to see it. I don't care what info the bot has during an OAuth2 flow. It's not relevant to my suggestion.

    6
  • DingleFlop

    As an addendum... This really is public data, as it stands... If I wanted to I could just self-bot if I wanted to use this data maliciously, but us law-abiding bot developers can't use this info.

    3
  • inGyni

    This is something I would love them to add to the API, it will make things hella easier. I am currently making my bot grab the Steam ID, so I can figure out the Steam level of a user. I can't because there isn't an option to fetch connected accounts. It's nerve-racking considering that users can see those IDs, so it's not really a "Privacy Concern".

    1
  • Sasino

    Was this implemented?

    1
  • KITRIK

    Any news on this topic?

    1
  • plomdawg

    I would also love to have this for my bot

    1
  • Kangst

    Erkin Alp has the actual reason here.  It may be public info for "you" to view.  "You" cannot view 1000s of these and add them all to a database and email spam them all within 15 seconds.

    What you want to achieve is possible by using an authorization code grant flow.  That is the REASON for an authorization code grant consent prompt.  It informs the human of what functionality the bot they are about to install has access to, to pass along the liability in an informed manner.

    This is pretty standard professional dev practices. If you disagree or want a deeper realization with this, then I'd suggest light reading at owasp.org to get a better understanding of why safeguards like this are actually ethical and responsible development standards.

    1
  • DingleFlop

    Howdy!

    It's me from the future, having worked in a professional environment for the last couple of years.

    Younger bot-developer me hated this, but I see why it's designed this way now.

    It moves the burden of privacy from "Oh, you joined a server, all of your connected accounts have been automatically cataloged by a server bot!" to "Hey, if you REALLY want this bot to see your profile data, click here!"

    As was mentioned, it is a more ethical way to provide access to this data, even if hosting an OAuth2 endpoint is a pain in the ass for many of the people using this API (generally teenagers trying to do a thing.) In retrospect, this was a very grumpy, ranty way of letting out the frustration of getting a steam integration bot, rather than any real call for change.

    Anyway, it really goes to show that generally smarter people than you have designed these things, and you shouldn't be too quick to jump the gun just because you lack a fundamental understanding of why things were architected a certain way.

    1
  • Kangst

    DingleFlop that's fantastic!

    Honestly, none of us can say we haven't looked back at our previous work or attempts at solving a problem and been entirely happy. Every day we learn more and can refine our approaches. And this thread is great for two reasons, celebrating your own reflection (seriously it joys me to hear this) and help pass along this journey to anyone else learning and unfamiliar with the whys and limitations.

    1
  • DingleFlop

    In addition, though, this feature should read something along the lines of:

    "Discord should host an authentication portal for 3rd party bots to access data without using OAuth2."

    There's no reason Discord can't handle the authentication themselves, then just notify the bot through the API that it can view connections for a specific user. Just makes the API more clunky for beginners, which again, are most of the people using this API.

    1
  • PiggyPlex

    If what you mean is getting a user's ID when adding a bot through the OAuth2 flow, this can already be achieved. You can do this by using the identify scope as well as callbacks.

    Example:

    https://discordapp.com/oauth2/authorize?response_type=code&redirect_uri=CALLBACK URL&scope=identify%20bot&client_id=BOT ID

    Make sure to set your redirect URL and add a callback on to your bot, and you're ready to go. It should add the bot and give you the basic user information, apart from the email address. To get the email address of a user, add the email scope. I hope this helped you.

    0
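The authorization code grant that Kangst and PiggyPlex describe above, sketched as an added example (not code from any poster or from Discord). It builds the consent URL, checks the `state` value on the callback before accepting the code, and picks Steam IDs out of a connections response. Assumptions: the `connections` scope and the `/users/@me/connections` endpoint come from Discord's public API documentation rather than this thread, the client ID and redirect URI are placeholders, the `bot` scope from the URL above is left out, and the token exchange itself is omitted.

```python
import hmac
from urllib.parse import urlencode, urlparse, parse_qs, quote

AUTHORIZE_URL = "https://discord.com/oauth2/authorize"
CLIENT_ID = "000000000000000000"               # placeholder, not a real application ID
REDIRECT_URI = "https://bot.example/callback"  # placeholder callback for this sketch


def build_authorize_url(state, scopes=("identify", "connections")):
    """URL the user opens; the consent prompt lists exactly these scopes."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,  # random per-session value, checked again on the callback
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


def code_from_callback(callback_url, expected_state):
    """Return the authorization code, or raise if the callback cannot be trusted."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:  # e.g. the user declined the consent prompt
        raise PermissionError(params["error"][0])
    state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the request did not start with us.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def steam_ids(connections):
    """Steam account IDs from a decoded /users/@me/connections response."""
    return [c["id"] for c in connections if c.get("type") == "steam"]


# Constructed sample response, shaped like Discord's documented connection objects.
SAMPLE_CONNECTIONS = [
    {"type": "steam", "id": "76561198000000000", "name": "constructed", "verified": True},
    {"type": "twitch", "id": "1234", "name": "constructed", "verified": True},
]

if __name__ == "__main__":
    print(build_authorize_url("constructed-state"))
    print(steam_ids(SAMPLE_CONNECTIONS))
```

The bot only ever sees connections for users who opened the URL and approved the prompt, which is the consent boundary the thread is discussing.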
  • aoisensi

    :+1: Please Discord

    0
  • tudorhc5

    Again, any update? @Discord, please do implement this.

    0
  • Erkin Alp

    Not done by design, to protect privacy of humans.

    0
