[GUIDE] Applying for OAuth access

What does that enable someone to do that they can't do with the public API?
OAuth, DDG what that is.

What does that enable someone to do that they can't do with the public API?
OAuth allows you to authenticate to a 3rd-party domain and authorise it to give your private information to a 1st-party domain.
In this case, for example, a twitch bot running in the context of twitch.com (the 1st-party domain) could use chess.com (3rd-party) OAuth server to request and obtain your chess.com information if you authorise chess.com (via submitting your credentials) to fulfill that request. So it has different use cases than the chess.com API; e.g., the twitch bot could obtain your chess.com username from chess.com and trust that it's your (and not anybody else's) username because you needed to authenticate to chess.com to complete the request, yet you did not need to give your chess.com password to the twitch bot.

It's official. But we are just starting with the process, so it's taking a little time to get it up and going.

Where did you find it? I want to make sure it's an official form.
CEO of Chess.com answered below.
In an email I got it, figured it'd be faster if I did it.

It's official. But we are just starting with the process, so it's taking a little time to get it up and going.
The form made my Gmail anonymous. How do you reply when this happens?
Also, redirect URL within my application (Discord bot) is auto-generated, which should be for almost every application.

OAuth allows you to authenticate to a 3rd-party domain and authorise it to give your private information to a 1st-party domain.
In this case, for example, a twitch bot running in the context of twitch.com (the 1st-party domain) could use chess.com (3rd-party) OAuth server to request and obtain your chess.com information if you authorise chess.com (via submitting your credentials) to fulfill that request. So it has different use cases than the chess.com API; e.g., the twitch bot could obtain your chess.com username from chess.com and trust that it's your (and not anybody else's) username because you needed to authenticate to chess.com to complete the request, yet you did not need to give your chess.com password to the twitch bot.
Interesting - thanks. Does it enable users to obtain data that isn't currently available via the site's API?

OAuth allows you to authenticate to a 3rd-party domain and authorise it to give your private information to a 1st-party domain.
In this case, for example, a twitch bot running in the context of twitch.com (the 1st-party domain) could use chess.com (3rd-party) OAuth server to request and obtain your chess.com information if you authorise chess.com (via submitting your credentials) to fulfill that request. So it has different use cases than the chess.com API; e.g., the twitch bot could obtain your chess.com username from chess.com and trust that it's your (and not anybody else's) username because you needed to authenticate to chess.com to complete the request, yet you did not need to give your chess.com password to the twitch bot.
Interesting - thanks. Does it enable users to obtain data that isn't currently available via the site's API?
I guess it does, in a way, but the use case is different.
Let's say I want to know which clubs you're a member of. I can ask the chess.com REST API and I don't need your cooperation.
Let's say I want to know something about you that chess.com makes accessible through OAuth, like the text on your profile page (I'm not sure if chess.com currently makes that accessible via OAuth but it seems like a good OAuth example). Now I (or my web site) need to present an OAuth challenge to you, which redirects you to chess.com where you authenticate with your credentials and confirm to chess.com that you agree that your profile text gets shared with me, after which you get redirected back to me/my web site.
The REST API allows you to get a lot of data without this OAuth dance. However, it doesn't allow people to prove to your twitch bot that they own a given chess.com account. OAuth also could be used for shenanigans like signing into a web site at example.com with your chess.com account, without sharing your chess.com password with example.com - although, OAuth wasn't designed for this.

What does that enable someone to do that they can't do with the public API?
OAuth allows you to authenticate to a 3rd-party domain and authorise it to give your private information to a 1st-party domain.
In this case, for example, a twitch bot running in the context of twitch.com (the 1st-party domain) could use chess.com (3rd-party) OAuth server to request and obtain your chess.com information if you authorise chess.com (via submitting your credentials) to fulfill that request. So it has different use cases than the chess.com API; e.g., the twitch bot could obtain your chess.com username from chess.com and trust that it's your (and not anybody else's) username because you needed to authenticate to chess.com to complete the request, yet you did not need to give your chess.com password to the twitch bot.
That's a great explanation, 100% on target. Our Pub API doesn't require any tokens and you can obtain a variety of user data. What the public API cannot provide is a guarantee that the user who is accessing your app is an actual Chess.com user. The OAuth Server can, and for that very reason we decided to expose it for those who need that functionality for their apps.

It's official. But we are just starting with the process, so it's taking a little time to get it up and going.
The form made my Gmail anonymous. How do you reply when this happens?
Also, redirect URL within my application (Discord bot) is auto-generated, which should be for almost every application.
Redirect URI shouldn't be problematic. I'm not sure how bot integration works, but in general, any OAuth Server needs to redirect the user somewhere upon approval so that the app gets the authorization code that it can exchange for ID, access and refresh tokens.
I've found this tutorial that explains the concept, although it uses a naive, impractical example for the redirect URI.

It's official. But we are just starting with the process, so it's taking a little time to get it up and going.
The form made my Gmail anonymous. How do you reply when this happens?
Also, redirect URL within my application (Discord bot) is auto-generated, which should be for almost every application.
Redirect URI shouldn't be problematic. I'm not sure how bot integration works, but in general, any OAuth Server needs to redirect the user somewhere upon approval so that the app gets the authorization code that it can exchange for ID, access and refresh tokens.
I've found this tutorial that explains the concept, although it uses a naive, impractical example for the redirect URI.
Alright, good to know. I already applied, when do I get a token?

Alright, good to know. I already applied, when do I get a token?
Could you please edit the response you already sent or submit a new one with the redirect URI in it? As soon as we have that, an OAuth client for your app will be created and you'll get client credentials, so you can start using OAuth immediately by following our Getting Started document.
By the way, do you need a client secret, and can you safely store it in your app? Is it a JavaScript app, with code on the client side? A client secret is recommended but optional; you can use PKCE instead. It is recommended only so that someone else cannot fake your app to request access from our users while pretending to be your app.

Alright, good to know. I already applied, when do I get a token?
Could you please edit the response you already sent or submit a new one with the redirect URI in it? As soon as we have that, an OAuth client for your app will be created and you'll get client credentials, so you can start using OAuth immediately by following our Getting Started document.
By the way, do you need a client secret, and can you safely store it in your app? Is it a JavaScript app, with code on the client side? A client secret is recommended but optional; you can use PKCE instead. It is recommended only so that someone else cannot fake your app to request access from our users while pretending to be your app.
It's a bot, so I believe it's okay.
How can I use OAuth without the secret key? It just won't work, no?

Client ID is required, but client secret is optional for public clients. See: https://oauth.net/2/client-types/

Question: is the public API enough if I want the deep data like
- the countries of opponents a player has played against, to see kinda like the OLYMPICS OF CHESS a player has gone through
- results in career on chess.com in each format of play (stats from my diamond account analysis for example)
- Player's league stats of a player compared to the players of chess.com (as in an NHL player's career stats, not viewable in the chess.com player's league pages anywhere, so I'd build my interface using the API for this)

While I am clearly not Chess.com staff, I finally found the official application form. Could not find it anywhere else so here you go:
https://forms.gle/RwGLuZkwDysCj2GV7
Edit: Official Documentation for after the application is successful below:
https://chesscom.notion.site/Getting-started-with-Chess-com-OAuth-2-0-Server-5958e57c8c934a3aa7abda2d670969e8