OAuth2: Scope to access basic info about applications and bots the user owns #3217
Replies: 5 comments
-
I see it as a security issue, unless the user in question can somehow choose which bots/applications the scope allows the app to see. If they can choose, then I have no issue with this. For example, if I have some personal bots that I occasionally let friends add to their servers, I wouldn't want some random service being able to see them ever, even in times where I might have to temporarily set the bot to be a public bot to allow a friend to add it. Again, if the above were done (allowing the user to choose which bots/applications are visible to the scope), then I would be in support of the idea. Otherwise, no.
-
Maybe something like the permissions check boxes for a bot invite, but a check box next to each application on the OAuth screen?
-
Yeah. Perhaps I'm thinking a little too much into it, though. I just feel there should be some way to limit which bots/apps the scope shows, even if it's not through the method you suggested.
-
+1, another use case is confirming person xyz owns application abc, and also meta-application things where you can program a bot (this is useful over just asking for client id for the above as you don't have to worry about the difference between bot id and application id, for example).
-
I also need this to confirm that someone owns a bot.
-
I think the ability for sites to request access via an OAuth scope to access basic information about the applications and bots a user owns (id, name, discriminator, avatar, created etc.) would be super beneficial for many sites.
For bot lists this could allow them to provide a quicker means to the user of getting their bots listed as they could automatically fill out the id and name for example. For my own project, BotBlock, the functionality would be incredibly useful (and was where the idea came from), so that I could provide a list of the user's bots for each bot list and indicate whether they had been listed there or not.
I understand this might be seen as some sort of possible security issue, similar to how bot owner isn't revealed in the API, but I hope as an OAuth2 scope the consent required by the user would be enough to allow it.