A proper SSO, oauth2 and/or OIDC endpoint & Public VRChat API?

So I have no idea if this was already requested by someone. But this is something that I see happen often in groups, worlds and a ton of places regarding Discord servers and other places where being able to authenticate yourself… Would be VERY beneficial to a server and/or group.

One of these examples is proving you own an account. For example, there is a group that asks for your VRChat username to grant you access to certain parts of a world (closed off spaces for Discord members only); these are used for events, gatherings, and so on.

I could create several alts and just yeet them over to change the username, and badabing badaboem. I have given somewhat full access to those users. But I don’t have to log in as them. This makes it harder to know who is who, so having any way to verify if someone is who they say they are (oauth being a great example) would be very useful. Especially because there isn’t an API that allows us to look through usernames, and needs our ID to authenticate.

The question here is, does VRC have plans for any public or oauth API within their milestones. Or is this not a priority? It’s in creator feedback, because I have no idea where to best put it. And as a programmer, I felt this to be the best place. Feel free to move if needed.

3 Likes

It’s a fairly common request, and there’s also people on the team that want to do this – but it isn’t an easy lift for us. There’s some technical hurdles as well as some other questions to answer first, and also the age-old question of “okay, now find someone to do it” :upside_down_face:

So, request is definitely heard and on our radar, but no plans to implement.

5 Likes

I’m assuming most of the hurdles are stuff like access moderation, how the data is used. If people have a proper privacy policy for their application and so on?

And especially the public API part, it would need a bunch of rate limiting, abuse prevention and granular data access to be used without causing privacy issues, or similar?

1 Like

Yeah, the feature is wanted by a lot of people to make projects related to VRChat.

We will have to wait in the meantime or find alternatives to ensure that a user has access to a VRChat account.

1 Like

Any suggestions? I’ve tried thinking about methods like having people verify by putting something in their status or bio (Like RoVer and Bloxlink did in the past, for verification before OAUTH came out through the cloud docs). But as far as I could find, we are unable to search based on username in the unofficial api

One thing I found is the VRChat API endpoint:
https://vrchat.com/api/1/users?sort=relevance&fuzzy=false&search=<ENTER USERNAME HERE>&n=12

But I don’t know if we’re allowed to use it, as it requires an authentication token to work.

I have a project in WIP that was trying to make something like this happen, where you would provide a third party website that stores links between VRChat and other services, mostly to be able to link Discord and VRChat.

And indeed I based my strategy on a token that is pre generated and that has to be put on an account, kinda like DNS works, but I haven’t finished it yet, and I’m pretty bad at marketing.

Technically what is the closest to that is https://vrcprofile.com by @narazaka that links multiple services. Hopefully we can try to group everyone that needs that feature and maybe build a centralized solution, in wait of the official oauth service

Reckon you could add me on Discord (codixer), maybe I can brainstorm with you?

for now let’s keep on forum private messages, but if you’re really interested, here is the link (i just need to find time to work on it)

Sure, not a problem :)

Another idea that I had is using the StringLoader to request a code that you have to enter on a website. But I am not 100% sure how secure this is, considering worlds could be skimmed? Or does StringLoader run on the server side? (No idea, I’m not a dev. Guessing based on what I did for other games)

I’d say using StringLoader as a way to communicate with APIs is a bypass of VRChat’s features.
I wouldn’t recommend that.

So very developer unfriendly code I assume? Not sure though, just guessing.

Heya, I’ve been running a service for discord-to-vrchat linking stuff as well (https://vrclinking.com) for the past ~2 years, but yea a proper method for ensuring that user owns a VRChat account they’re trying to link is hard, especially if you’re working in large numbers, I’m very much praying for proper OAUTH myself :laughing: Currently around 11K linked users from over 100 different discord servers and none of those are in any way verified :sweat: Because as I figured out, telling users to put 5 letters in their bio is too complicated for half the people.

1 Like

That is the main issue, that requires a manual action while the whole point of oauth is to be easy to do. @Codixer mentioned something interesting with doing something like authenticate by connecting to a world in game, but I’m not sure that would be easier.

Didn’t know about your project Miner, that’s interesting. So is the bot only working by user declaring what account they have and you working with it?

Problem is that in-world something like this won’t really prevent users from linking to other people’s account, let’s say I wanted to link to Tupper’s account, all I need to do is do whatever steps I need to do on the website, and then the website tells me to go to world and confirm I’m tupper, how’s it gonna do that? String loading of course but it’s so easy to “emulate” string loading request, they are not authenticated in any way, meaning that all I need to do is figure out from game-logs how the linking process confirmation works and then I can link myself as anyone I want, like Tupper for example.

The only “proper” way is to check using API something on the user’s account that they change or do that cannot be faked, e.g.

  • Set bio
  • Set Profile Link
  • Change Status
  • Request to Join Group
  • Send Friend Request

Out of these, pretty much all but Sending a Friend request I’ve tested and people find them too complicated.

How I do it for VRCLinking is I ask user for their name or id, then find their profile based on either of those, and store the ID and name, no checks involved, I have some precautions and cooldowns in place to prevent people from changing their account link often, but no other checks are in place, I’ve figured that it is quite rare that people link as someone else. However, it works here like this so well, probably mainly because VRCLinking is used to “grant” you something in-world. So ofc they won’t link as some random user.
There is some reporting in place that reports if a user is re-linking between accounts suspiciously, but I only ever remember ~2 users triggering the conditions.

1 Like
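The bio-token check discussed in the posts above (a pre-generated token placed on the account and read back through the API), as an added example that is not part of any post in this thread. It assumes the linking service itself fetches the bio for the claimed VRChat user ID; the function names, the `link-` prefix and the 15-minute window are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 15 * 60  # assumed validity window for a pending link


def _code(key, discord_id, vrchat_user_id, issued, nonce):
    # Bind the code to BOTH accounts: bios are public, so a code copied from
    # someone else's bio must be useless to any other Discord account.
    msg = "|".join((discord_id, vrchat_user_id, str(issued), nonce)).encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:10]
    return "link-" + base64.b32encode(tag).decode().lower()


def issue_challenge(key, discord_id, vrchat_user_id, now=None):
    """Return (pending record the service stores, code the user puts in their bio)."""
    issued = int(time.time() if now is None else now)
    pending = {"discord_id": discord_id, "vrchat_user_id": vrchat_user_id,
               "issued": issued, "nonce": secrets.token_hex(8)}
    return pending, _code(key, discord_id, vrchat_user_id, issued, pending["nonce"])


def verify_challenge(key, pending, bio_text, now=None):
    """bio_text must be fetched by the service for pending['vrchat_user_id'];
    never accept it from the client or from an in-world request."""
    now = int(time.time() if now is None else now)
    if now - pending["issued"] > TTL_SECONDS:
        return False  # stale challenge: make the user start over
    expected = _code(key, pending["discord_id"], pending["vrchat_user_id"],
                     pending["issued"], pending["nonce"]).encode()
    # Constant-time comparison against every whitespace-separated word of the bio.
    return any(hmac.compare_digest(word.encode(), expected)
               for word in bio_text.lower().split())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # service secret, never sent to clients
    # Constructed sample identifiers, not real accounts.
    pending, code = issue_challenge(key, "111", "usr_constructed-0001")
    print(code, verify_challenge(key, pending, f"hello! {code}"))
```

Because the expected code is recomputed from the stored record, a second Discord account that copies the code from the same public bio gets a different expected value and fails the check.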

Not really what I had in mind. You could have a bot user that would check who joins. But all of this is just sketchy workarounds. As long as we don’t have oauth, it will feel too hard for most users.

But I believe that if we plan to use this we can prepare our projects with a bypass with account data to validate and later add oauth as a simpler method. That way we can build value in anticipation.

Hopefully I find time to work on it lmao.

Well, oauth does exist. It’s how we log in to ask.vrchat.com, however I am betting my marbles that the oauth system is still behind a ton of bars that will take a new system to unlock.

Oyeah. It’s not about it existing, it’s about limiting our possibilities. Prosit that accessing vrchat through this gives you way too much powers. They need a way to restrain before opening it more.

They have OAuth done already, they already give it to their partners, for example Furality https://furality.org/ has access to it. They just need to open it up to public use.