Posted February 10, 2017
Seems like it. I tried the projects I have that use authentication and they have the same result.
Yepoleb: Crap, they changed the way authentication works and it only allows registered URLs now. As we have no way to register our own clients, this makes everything a lot more complicated. I'll try to figure something out as soon as possible.
You know, there was a serious security problem with the way it had been working. You could have a website which used auth.gog.com to allow users to log in and they would think it was similar to logging into a site through Steam. In fact, GOG's auth page is completely different. If you log into a site through Steam all you're doing is proving that you are the owner of that Steam account. With auth.gog.com you are actually authorising a token that gives the site near-complete control of your GOG profile - but very few people would expect that behaviour so it would be perfect for scamming. (although to my knowledge nobody has tried this so far).
This risk has been bothering me for a while and I actually decided just a moment ago to come to this very thread to warn about signing into strangers' sites through auth.gog.com and suggest that GOG limit authentication to certain registered domains. It's quite a coincidence to come here just a few hours after jamieadkins95 discovered that that had already done this.
It's a good thing, really, but it also sucks because now we lack 2 important services: a way for our custom tools to access our accounts, and a way for users to verify their accounts to 3rd party sites without handing over the keys in the process.
Well, I guess it's time to go back to trying to reverse-engineer Galaxy to see how it's done there.