
Incomplete OAuth Implementation

Open Bryce-Dixon opened this issue 1 year ago • 2 comments

This is a serious hole in the website's functionality. I love Itch as a distribution platform, but as a marketplace the inability for a program to do a check as simple as "does the current user own this" is pretty ridiculous.

This is now 6 years since the "launch of OAuth" for Itch, but its only use is still getting the current user's profile.

Things Missing or Incorrect:

  • The OAuth documentation is missing the fact that the request URI must include response=token as a query parameter. See #918
  • Lack of support for game, game:view, and game:view:purchases scopes. See #1121
  • Incorrect description for profile scope in OAuth request page (it states that profile scope gives access to the user's game library and purchases)

I really appreciate Itch and don't want to come off as entitled, but it's extremely misleading to have multiple pages on the site claiming this functionality exists and then a single (easily missed) line near the bottom of one documentation page that clarifies "this is actually mostly useless." It seems from the rest of the documentation that Itch would rather us use JWT keys and ask users to download the official app (which isn't totally ideal for all situations), but if that's the case, then I'd like to recommend the complete removal of OAuth rather than continuing to give people false hopes.

Bryce-Dixon, Oct 28 '23 06:10

I've encountered similar issues with the game:view:purchases scope leading to a 404 error, highlighting a gap in the current OAuth implementation. Any new discoveries or updates? Thanks

martinopiaggi, Jan 25 '24 16:01

Note: For some time now, you have needed response_type=token instead of only response.

markus-seidl, Apr 27 '24 14:04