We recently received this email from a Discord employee complaining about the fact we do ‘silent’ authentication of end user tokens, even though we do not send any user tokens to our backend (but only an OAuth token with explicit scopes), they still seemingly got upset by the fact that we do this silently and disabled the OAuth application that was required to do silent granting.
The alternative (explicit account linking based on browser sign-in) is not suitable for FiveM, and the ‘in-client’ consent prompt using RPC is not available except for Discord-published games (no longer a thing) and specific partner applications (such as Logitech G HUB) - it’s unlikely they will grant this to us.
It should be noted that we only used the OAuth token method to prevent having to do worse, namely implement the practical equivalent of a ‘token stealer’ in the FiveM client, and doing identity verification server-side based on the auth token obtained directly: you should not want this as end user, Discord should not want this and even though we won’t save a token if we do choose this path (nor abuse it during transit) it is considered highly unsafe but it might be the only path forward if Discord does not choose to let us perform normal OAuth grants like their partner applications do.
Again, I repeat: this OAuth token granting method, while apparently detectable and blocked by Discord, is the only safe way we can guarantee this identifier; the alternative would be way riskier and if we want to continue providing a silent identifier we can definitely opt to do so this way: it’s a lose-lose-lose for all parties involved.
It should also be noted from the original announcement:
So sorry if this sounds dumb, but I have to ask, will this mean scripts such as Discord Perms and any script involved with discord is useless and irrelevant? Will there be a fix for this?
Probably only if Discord cooperates, but if not we do have another trick up our sleeve (but it’s a lose-lose-lose for everyone, as said in the topic above).
It’s just inconvenient for servers with over 15000 members to use Steam IDs and such for permissions, but hey we will do whatever it takes! We will prevail and nothing the CFX can do about it sadly
Ah we can still use FiveM identifiers and create some sort of in-game menu to add to groups so it becomes much easier but i really think there will be a way around this
Wow. This is a big move on Discord’s side. I know a lot of the friends I still have in their offices are big supporters of this project (FiveM). I am unsure why they decided to move on this now.
Possibly someone complained on it in an attempt to wreck havoc against the Collective
If it is a consent problem… can’t u just add an option into fivem settings to let users choose if use discord or not? Servers will ask users to grant access to the discord identifier or they won’t be able to play
thing with that is the API to allow users to be asked without a weird login flow is not available either unless you’re a partner having whitelisted RPC access
also again, for various reasons that are not relevant here using the browser auth flow is not a viable solution.
I’m interested to see where this goes, it’s unfortunate that Discord has chosen to go this route, considering the vast majority of FiveM servers seem to now use some form of Discord-integration (I may be wrong, so don’t quote me on that.) I am happy that this was posted in an efficient manner, I had been messing with my Discord-based permissions script, assuming I had personally messed something up.
When you speak of a weird login flow, would you mind elaborating a bit more on that, I’m curious as to whether or not you mean you’d have to log-in to Discord each time you joined a FiveM server using an integration, or whether that means you’d just have to log-in through Discord each time you launch FiveM.
I’m personally hoping, for the sake of simplicity, that Discord will allow CitizenFX to continue using their current method of integration, but if they do not I am also curious about what the new method would entail, and would it result in the deprecation of all current integration scripts?
Either way, thank you for your time and help, I hope this gets resolved soon.
yes, because that doesn’t have a desktop app and it’s a first-party identifier. there’s no reason authenticating with a 3PID associated with a desktop app should require any interactive re-login flow especially given how other companies (Steam, Microsoft) don’t seem to have issues with this - it’s just discord being a snowflake
if a third-party identifier can’t be made silent, we won’t offer said identifier; easy as that
Ah, they started growing braincells, but they are using them wrongly… fix your own shit before u complain to other shit discord, i remember you guys where running some sketch ass program on pcs and y now u cry about silent auth
