Api: Add an ability for the Authentication to permit bypassing the three legged authentication for headless/automated applications.

Created on 18 Sep 2018 · 7Comments · Source: Bungie-net/api

I would like to write some headless automation tools, such as a Twitter Announcer that pulls vendor information (what each vendor is selling) from the protected character space, and announce it. There are additional headless systems I would imagine could be beneficial which are prevented from working due to the three legged authentication method requiring human interaction when accessing character restricted endpoints.

If a method, for example with a "Confidential" application, such as "Restricted To User" check box could be implemented that would only permit the application to run against the user who has registered the application, which could then bypass the three legged authentication (that is, simply use the API Key, App ID and Client Secret) and only perform operations on users characters.

If this can already be accomplished, then perhaps I'm missing something in how to implement it.

enhancement investigation

Source

Xesyliad

Most helpful comment

Indeed, currently there's no headless authentication through our "official" authentication channels. I think it's an interesting idea! There's a nontrivial amount of work we'd have to do to spin up that capability though, which means it's going to have to end up fighting with other items on the backlog.

What might be more likely for us to be able to give to you would be a "public" vendors access point, that gives data for vendors who we know have the same inventory across all users. That's something I've been wanting to add for a while, though that too has been sitting on the backlog for a bit. There's a larger # of people who have been requesting that though, so I may be able to make a stronger fight for that feature.

If we had that, would it work for you?

vthornheart-bng on 18 Sep 2018

❤4

All 7 comments

As a note: you could have the user auth once, store the refresh token, then just make sure it was renewed every 90 days. That should give you all that you need by way of authentication even if you needed to ask them again every few months.

ckhicks on 18 Sep 2018

I would like a fully headless method, that is a terminal script with no UI elements to complete an authentication process to store the refresh token.

Xesyliad on 18 Sep 2018

If we had that, would it work for you?

vthornheart-bng on 18 Sep 2018

❤4

A public endpoint for VendorItems would be great to automate those kinds of things for sure, that would be great.

I would still love an authentication method like I described to do some background automation on characters, but a public VendorItems would be a great tide me over till something else gets implemented too.

Thanks.

Xesyliad on 18 Sep 2018

CK’s suggested method will work perfectly without user input beyond the initial setup for one year, after which Bungie requires the user to reauth the application.

On Sep 17, 2018, at 19:14, CK Hicks notifications@github.com wrote:

As a note: you could have the user auth once, store the refresh token, then just make sure it was renewed every 90 days. That should give you all that you need by way of authentication even if you needed to ask them again every few months.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

floatingatoll on 18 Sep 2018

👍1

Aye, that was the old school, pre-OAuth way. Though not officially supported, you can definitely take that approach and it should work well for you!

vthornheart-bng on 18 Sep 2018

Yeah, I'm using that for some cloud functions that do the same thing. Ask for permission once, explain the process to the user, then handle the token refresh behind the scenes to keep basic info up to date.

That said...a public Vendors endpoint would be AMAZING! 🍻

ckhicks on 18 Sep 2018

Was this page helpful?

0 / 5 - 0 ratings