We recently received this email from a Discord employee complaining about the fact that we do ‘silent’ authentication of end user tokens. Even though we do not send any user tokens to our backend (only an OAuth token with explicit scopes), they still seemingly got upset by the fact that we do this silently, and disabled the OAuth application that was required to do silent granting.
The alternative (explicit account linking based on browser sign-in) is not suitable for FiveM, and the ‘in-client’ consent prompt using RPC is not available except for Discord-published games (no longer a thing) and specific partner applications (such as Logitech G HUB) - it’s unlikely they will grant this to us.
It should be noted that we only used the OAuth token method to prevent having to do worse, namely implementing the practical equivalent of a ‘token stealer’ in the FiveM client and doing identity verification server-side based on the auth token obtained directly. You should not want this as an end user, and Discord should not want this either; even though we won’t save a token if we do choose this path (nor abuse it during transit), it is considered highly unsafe. It might, however, be the only path forward if Discord does not choose to let us perform normal OAuth grants like their partner applications do.
Again, I repeat: this OAuth token granting method, while apparently detectable and blocked by Discord, is the only safe way we can guarantee this identifier. The alternative would be way riskier, and if we want to continue providing a silent identifier we can definitely opt to do so this way: it’s a lose-lose-lose for all parties involved.
It should also be noted from the original announcement: