[BUG] Unable to revoke app permissions

Some users are finding that newly authorized third party apps are not showing up in their authorized application list.

This is leaving them unable to revoke permissions.

This is particularly troubling, both from a security footing and because some users of various third-party apps have unchecked required permissions such as the wow.profile scope, and when they go to fix it by revoking the app and redoing the client authentication flow, they are unable to.

This issue seems to only affect new users, and started in the last week. I have been unable to replicate this on my main Battle.net account by removing my apps and re-authorizing. But many users across various apps have been reporting this issue in the last week, and they are all first-timers.

6 Likes

Do we happen to have any update on this one?

Yeah, he did find one & it worked for me, here you go:

Deadlystrike

So first of all… I know it doesn't need to be said but… DO NOT UNCHECK THE BOXES THIS TIME
Step 1: Head over to Blizzard's website and log out… completely
Step 2: Get a new !auth link. Once you open the link… DON'T LOG IN OR CLICK ANYTHING…
Step 3: In your browser, in the address bar… change us.battle.net to eu.battle.net. Hit enter and let the new page load up
Step 4: You should now be asked to log in again to Blizzard and should get the permissions prompt

& btw guys, there are 2 us.battle.net that you need to modify, not only one, & it's kr.battle.net that worked for me

This is really annoying, people sure like to randomly uncheck the box and I can’t even get them to revoke now :cry:

Just to expand a bit more on the “workaround” for other app developers.

The access token you get back from the User Authentication Flow is not locked to any specific region. You can query all regional endpoints with any valid token.

Thanks to a quirk with Blizzard's setup, app authorizations are region-specific. So as a US user, if you have only been using the US gateways, attempting to go to the EU gateway will prompt for authorization again. So regardless of whether the user only plays in the US or any other region, there is no harm in redirecting to a different region for your OAuth flow.

As a note, this workaround does not “fix” the bug. It simply acts as a second chance. If the user for some reason still unchecks the box in the other regions, they are once again bricked.

In my app (a Discord bot) we implemented a --workaround flag into the command that we use to link accounts. When this flag is present, instead of automatically routing the user to the best regional OAuth endpoint, we render out all 4 regional choices to allow the user to choose, in addition to making it very clear that they must not uncheck the box.
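Added example, not part of the post above and not code from any app in this thread: a sketch of the check an app can run after the token exchange to notice that wow.profile was not granted and offer only the regional gateways the user has not yet tried. The function names, the `/oauth/authorize` path, the `tw` host as the fourth region, and a space-separated `scope` field in the token response (as in RFC 6749) are assumptions; the thread names only the us, eu and kr hosts.

```python
from urllib.parse import urlencode

# Assumption: "tw" is the fourth regional host; the thread names us, eu and kr only.
REGIONS = ("us", "eu", "kr", "tw")
REQUIRED_SCOPES = frozenset({"wow.profile"})


def authorize_url(region, client_id, redirect_uri, state):
    """Build the authorization URL for one regional gateway."""
    if region not in REGIONS:
        raise ValueError(f"unknown region: {region!r}")
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(REQUIRED_SCOPES)),
        "state": state,  # caller supplies an unguessable per-request value
    })
    # Assumption: the authorize path is /oauth/authorize on each regional host.
    return f"https://{region}.battle.net/oauth/authorize?{query}"


def missing_scopes(token_response):
    """Return the required scopes that the token response does not grant.

    Fails closed: a response with no "scope" field is treated as granting nothing.
    """
    granted = set((token_response.get("scope") or "").split())
    return set(REQUIRED_SCOPES) - granted


def next_step(token_response, regions_tried):
    """Decide what the account-link command does after the token exchange."""
    if not missing_scopes(token_response):
        return {"action": "link"}
    # Authorizations are per region, so an untried gateway prompts again.
    remaining = [r for r in REGIONS if r not in regions_tried]
    if not remaining:
        # Every region already holds an authorization without the scope.
        return {"action": "blocked", "regions": []}
    return {"action": "retry", "regions": remaining}
```

Checking the granted scope before storing the link means a user who unchecked the box is told immediately, rather than discovering it when a later API call fails.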

Apologies for the delay. No updates here yet, but we are digging into this. Thanks for surfacing this issue!

Thank you for your patience! A fix was recently released to correct this problem. Please let us know if this behavior persists.