Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/stuyk/discord-oauth-guide

A guide that focuses on Discord Authentication, and the inherit advantages / disadvantages for alt:V using different design patterns
https://github.com/stuyk/discord-oauth-guide

Last synced: 18 days ago
JSON representation

A guide that focuses on Discord Authentication, and the inherit advantages / disadvantages for alt:V using different design patterns

Host: GitHub
URL: https://github.com/stuyk/discord-oauth-guide
Owner: Stuyk
Created: 2023-10-12T15:59:03.000Z (about 1 year ago)
Default Branch: main
Last Pushed: 2023-10-12T16:52:21.000Z (about 1 year ago)
Last Synced: 2024-05-01T16:36:21.290Z (8 months ago)
Size: 12.7 KB
Stars: 1
Watchers: 2
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# Discord oAuth2 Guide

A guide that focuses on Discord Authentication, and the inherit advantages / disadvantages for alt:V using different design patterns.

## Introduction

In almost 99% of cases oAuth2 requires the end user to authenticate through an exteral server with discord redirecting the user's bearer token to that server.

However, there are `other` ways to effectively authenticate a user in a non-traditional way.

Let's talk about some of those and their inherit advantages and disadvantages.

## Scoring

- Safety means there's no inherit flaws about using this format
- Higher is better

- Reliability means how reliable it will be for users using this format
- Higher is better

- Difficult means how hard it is to implement
- Lower is better

## Regular oAuth2

1. User visits a URL like this:
```ts
const oAuthURL =
`https://discord.com/api/oauth2/authorize?client_id=` +
`VAR_CLIENT_ID` +
`&redirect_uri=` +
`VAR_REDIRECT_URI` +
`&response_type=code&scope=identify`;
```
2. User authorizes through Discord
3. The bearer token is passed to the `VAR_REDIRECT_URI`
4. The server takes the bearer token and exchanges it for the user's information
5. You now have identified who the client is.

### Pros

- 100% proof the client is who they say they are
- Seamless experience outside of a game

### Cons

- Requires tabbing out into a browser
- Requires hosting a server with exposed endpoints to ingest the bearer token
- Used inside of a WebView / CEF instance, it requires them to login again
- Requires additional firewall setup
- Requires some form of static endpoint

Difficulty: 5/10

Reliability: 10/10

Safety: 100%

## Discord Bot Message

_The discord bot must be bound to the game server_

1. User joins a server, or starts a game.
2. The client is given a unique identifier / password
3. The bot displays that uid on-screen
4. The client takes the unique identifier / password and is told to DM a bot.
5. User DMs the bot and the message is recieved with the correct identifier / password
6. The bot has now linked the user to the client and can do a login

### Pros

- 100% proof the client is who they say they are
- No exposed endpoints
- Zero configuration for ports, and firewalls

### Cons

- Requires tabbing out into a browser, or opening the Discord Overlay
- Can be a bit confusing for the user the first time they do it
- User must have their DMs open
- User must be in the same server as the Discord Bot

Difficulty: 3/10

Reliability: 10/10

Safety: 100%

## Integrated Client

1. Your software / client must correctly have the Discord SDK Setup (alt:V does this)
2. You use internal APIs to get bearer token
3. Bearer token passed up from client to server
4. Exchange bearer for client information
5. Now know who the client is

### Pros

- Near seamless experience if they have the Discord Application

### Cons

- Does not always work (your experience may vary, and so will your users)
- Requires user to tab out
- Client must have discord application on their desktop
- Client must have application open before opening game, software, etc.
- Does not work in browser

Difficult: 4/10

Reliability: 3/10

Safety: 100%

## Discord RPC (unavailable)

This method requires the Discord Application and `rpc` but is currently closed beta, and unavailable

1. Client-side makes an rpc request to discord application
2. Returns access token
3. Access token exchanged on server-side
4. That's it

### Pros

- Seems simple
- Near seamless experience if they have the Discord Application

### Cons

- Client must have discord application on their desktop
- Client must have application open before opening game, software, etc.
- Client identifier can be spoofed, and is a major vulnerability

Difficult: 3/10

Reliability: 3/10

Safety: 100%