RiotGames / developer-relations

Riot Games Developer Ecosystem Bug Reporting
http://developer.riotgames.com

Feature request: OAuth support for third party apps #64

Closed hundeva closed 1 year ago

hundeva commented 5 years ago

Even though it is not a bug, I felt like this deserves its own issue. Afaik the League Friends app has OAuth support, I would like to see this extended to third party apps.

Querijn commented 5 years ago

Copypasting this for clarity

RSO is Riot Sign-On, the login logic you see whenever you access anything that requires your account.

A while back, they stopped doing updates on RSO's timeline because it's a very slow moving beast. You can think of Riot as a few dozen internal teams. They each have their own goals and can move their group in a direction that they best see fit for Riot and League of Legends. Obviously, upper management has goals and things in mind, but these groups can strive for those goals in any fashion they like, as they have that freedom.

Now, the API itself is nothing more than an edge layer that exposes the internal APIs. Each endpoint you hit is the same endpoint (more or less) that the game uses itself; the API ones are exposed to the public. The API endpoints are all managed by different internal teams. One team could control /summoner/ and another the /match/ endpoints. Meaning if the API team wanted to add a new field to all endpoints then every team would have to do this, as the internal teams control their respective API endpoints, not the API team itself.

Now on top of this those teams could say "Well I know you want this but it's not a priority for us right now, sorry". And BOOM, the idea is dead.

Same deal with the RSO, however, rather than adding a simple field they are now exposing private data which on top of not being a priority for some teams, it may also be something certain teams refuse to do, as they think it will be too big of a risk. If Developer Jimmy finds a flaw in the RSO API, they could start pulling actual sensitive and private data, that's a very real and scary thing, because you also use RSO to go view things like your account information and billing, etc.

So part of the battle is still in defining how they would actually go about this in a safe way, on top of making it an actual priority for every single team that would be involved with it.

TLDR: RSO is a goal, but will take time due to security and priority concerns.

Sauraus commented 5 years ago

One way of doing this with substantially less risk would be to ditch the home-grown auth solution and replace it with something like https://auth0.com or https://aws.amazon.com/cognito/.

Tiedye commented 5 years ago

If this is done, using the OpenID Connect protocol would be great.

tehp commented 5 years ago

Any word on this? +1

RiotTuxedo commented 5 years ago

Recently answered this question in #office-hours on our Discord, but here's the overview:

RSO is working, just not widely available yet. The OAuth clients are manually managed right now. You'll see RSO popping up with a couple partners. It's mostly being used for business reasons right now, but the goal is to eventually automate the process of generating RSO clients and hopefully integrate that process into the Developer Portal. I don't think RSO will be available before the end of the year. We're slowly but surely moving in the right direction.

jhoniscoding commented 4 years ago

Hi guys! My team and I would like to know about this feature request, it's been like 6 months since the last response in this thread. Any advance on this?

We hope this could be done so we can use this feature in a product we want to build.

Thanks :)

hundeva commented 4 years ago

I opened the issue here after the original developer forum closed down. I started a thread on that forum as well, so the first time I asked this was about 5 (or so, not sure) years ago. Back then, no OAuth was available at all. The response for that thread was that they will evaluate it, and once OAuth is available, they will see if it can be opened to the public.

Now, for a long time, OAuth is available, but closed to the public. If I would have to guess, they don't have the manpower, or just don't want to implement this, either way, I would not hold my breath for this.

Token07 commented 4 years ago

https://discordapp.com/channels/187652476080488449/345329525455978498/680541666859679850

Here to bug you on monthly oauth progress

We'll be talking about public RSO clients soon tm but the high level is that we are going to start opening the doors for developers to apply for an RSO client but the bar starting off will be REALLY high, to the point where I'd expect 99% of applications to be denied. As time goes on, there becomes more use-cases for RSO clients and endpoints for access tokens, I expect that bar to gradually get lower.

This is the last update we got regarding OAuth on Feb 21.

jhoniscoding commented 4 years ago

:O Thanks a lot for the quick reply! So we'll keep waiting for this!

Thanks guys

JonnyBDev commented 2 years ago

Time to bump it up after over two years. What's the status for RSO? Any new information on this topic @RiotTuxedo ? Would like to integrate this feature into my application really bad.

Token07 commented 2 years ago

Have you been keeping up with the discord and/or Twitter? There's been a few updates such as this one that have been posted.

JonnyBDev commented 2 years ago

Hello. I researched this topic a bit but couldn't find this information. I recently joined the discord for this because the old link provided above was deprecated.

But thanks for your input, really helps us!

Ponita0 commented 2 years ago

@JonnyBDev #rso-dev channel in Discord server can walk u through it

tisbells commented 1 year ago

Closing out old issues, RSO exists now

aecorredor commented 11 months ago

@tisbells how does one get access to RSO? I'm already signed up for the developer portal and am in the process of getting a production API key. Is this under a beta program?

ghost commented 11 months ago

You should find all necessary information in the FAQ here: https://developer.riotgames.com/docs/faqs#_rso-riot-sign-on