Closed louis-bompart closed 1 year ago
I believe this is tied to #313 of a fashion, but separate from that — as an outsider I agree that this information shouldn’t be granted by the Vault Items scope.
Indeed, you are correct - currently there are only two scopes that directly apply to Destiny information. ReadDestinyInventoryAndVault is an unfortunate misnomer in this situation and we need both a documentation update and an update to the user-readable information related to these scopes.
Shortly after the launch of Destiny 2, the scopes were repartitioned and simplified: in Destiny 1 we had split Inventory/Vault data from Vendor/Advisor data, and no longer wished to do that. Around November 2017 the ReadDestinyInventoryAndVault permission became the single permission that gives you access to all Destiny information related to Account and Character state, but indeed looking back at the changelists we never updated the strings nor documentation to reflect that.
You do need to ask for the permission that is currently listed as "inventory and vault" data to get this information, and we'll need you to continue asking for this permission in the future: however, I will make sure that the docs and strings related to the permission are brought up to date. Thank you for bringing this to my attention!
I will also update the "Access items like your notifications, memberships, and recent activity." permission to clarify that these are specifically for Bungie.net Notifications, Memberships, and Activity, and not for Destiny.
I should also note that, if you're calling for someone other than yourself, you won't get activity information if your "Show my Progression" privacy checkbox is unchecked. That will hide your activity data unless you're accessing it for yourself with your own credentials.
How does that show up in practice — maybe — any call to an endpoint to request activity information would return 401 Unauthorized, and any call to an endpoint that includes-but-is-not-limited-to activity information would return .. an empty hash {}?
Good question - so if you ask for a component that the user has set to private, the specific component will come back with its data property set to null.
This way you can query a user for multiple components, and any components you're not allowed to see will not be returned, but you'll still get the publicly exposed info.
Did a little more looking into it, and indeed in this situation the problem is exclusively with your privacy settings. If you set your privacy settings to allow progression, you won't need the Vault and Inventory permission to access activity info.
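A client-side way to handle the behaviour described above, where a component the user has set to private comes back with its data property set to null while the rest of the reply is still usable. This is an added example, not code from this thread or from Bungie; the response keys assumed for components 200 and 204 and the sample payload are constructed for illustration.

```javascript
// Assumed mapping from the component ids used in this thread to the keys
// they appear under in the profile response.
const COMPONENT_KEYS = { 200: "characters", 204: "characterActivities" };

// Constructed sample: a reply for components=204,200 requested on behalf of
// another user whose progression is private. Ids and values are made up.
const sampleBody = {
  Response: {
    characters: { data: { "1111": { characterId: "1111", light: 300 } } },
    characterActivities: { data: null },
  },
};

// Split a reply into components that carry data and components that were
// withheld. A withheld component is not treated as an error, so the public
// part of the reply can still be shown.
function splitProfileComponents(body, requestedIds) {
  const response = (body && body.Response) || {};
  const available = {};
  const withheld = [];
  for (const id of requestedIds) {
    const key = COMPONENT_KEYS[id];
    if (!key) throw new Error(`unmapped component id: ${id}`);
    const component = response[key];
    // Covers both "data: null" and a component left out of the reply.
    if (component && component.data != null) {
      available[key] = component.data;
    } else {
      withheld.push(key);
    }
  }
  return { available, withheld };
}

// Build display lines that say explicitly when something is hidden,
// instead of rendering an empty activity panel.
function describeProfile(body, requestedIds) {
  const { available, withheld } = splitProfileComponents(body, requestedIds);
  const lines = Object.entries(available).map(
    ([key, data]) => `${key}: ${Object.keys(data).length} entries`
  );
  for (const key of withheld) {
    lines.push(`${key}: not visible with this token and privacy setting`);
  }
  return lines;
}
```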
I should also note that, if you're calling for someone other than yourself, you won't get activity information if your "Show my Progression" privacy checkbox is unchecked. That will hide your activity data unless you're accessing it for yourself with your own credentials.
By 'yourself', you mean the user identified by the OAuth access-token, not the owner of the application, right ?
Indeed - the authenticated user and not the app.
Context
Trying to get characters' basic info and activities info through the Destiny2/{membershipTypeId}/Profile/{membershipType}/?components=204,200 endpoint (simplified and uncoded for readability), to display it as close to live as possible. For testing purposes, I used the most privy settings available on my profile. Like so, I'm sure that every shiver of info that I get is either globally available no matter what, or that it's the token that provides me the right to access it.
Issue
I've been really surprised to see that "Read your Destiny vault and character inventory." is the scope required to access such data.
Discussion
I think there's quite a mismatch between the authorization a user would grant to an application doing only this, because the data it needs, imho, should be accessible through the scope "Access items like your notifications, memberships, and recent activity". Maybe I'm not using the right endpoint but I'd like to argue that, given that the endpoint I gave has the ability to filter information in its response, given the privacy and (sometimes lack of) data fields.