court asked

OAuth: Additional Providers

Hi -

I'm doing a deep dive evaluating PlayFab for my online, HTML 5 game. I have the requirement of being able to use a number of different auth providers, most of which you support, but Twitter isn't one of them. I'm looking to see how it might fit in, and these two APIs look promising:

https://api.playfab.com/documentation/Client/method/LoginWithCustomID

https://api.playfab.com/documentation/client/method/AddGenericID

From my previous integration with Firebase Auth, I have the necessary OAuth flow working on my server (they support Twitter, but not Twitch). My only issue is this: with both of these APIs, they're available via the Client API -- meaning that anyone with the title ID can issue these calls, unlike the LoginWithXXX calls which authenticate via the passed access token.

There are a couple of schemes I could employ here, such as issuing and verifying a signed identifier (using a secret stored on my auth server) as the CustomID, but before delving too deeply into this, I wanted to ask to see if I was understanding the system correctly, and if there might be a better option here.

Thanks!

-Courtland

P.S. The game is currently up at http://survive.courtland.org -- using Firebase Auth. You have the option of playing with your Twitter handle (or anonymously), which means when you kill someone, it can say "killed by @yourtwitterhandle").


1807605288 answered

In general it would be neither safe nor reliable to use any Twitter credentials or tokens as a customID.

A proper token expires, which means it can't be used for more than a certain number of hours. After that, it's useless. And any durable/secure information shouldn't be stored in customID, as that's unsafe, violates most privacy guidelines, and almost certainly violates COPPA.

Twitter OAuth is likely something we will get to eventually, but it is not on the immediate roadmap.

I can't promise any ETA at this time, sorry.


court answered

@PaulGilmore Thanks so much for the answer! I wasn't actually intending to store the Twitter OAuth token in the CustomID field, but rather a signed record of the fact that I know they're authenticated as the given user.

I recently discovered the 24-hour session token timeout, so I'm changing my approach a little bit: I'm going to continue using Firebase as my auth provider. I'll be using the CustomID, as recommended in the documentation, as a way to map from the Firebase account to a PlayFab session.

The CustomID itself will be a signed string in the form 'firebase-{firebaseId}.{HS256 signature}'. Only my auth server will know the key used to create the signature, and clients will never see the Custom ID itself -- they'll make a request to my auth server with the firebase credentials and be given back a SessionTicket which can be used to access PlayFab directly.

While this won't prevent clients from being able to create random accounts with LoginWithCustomID (would love for an option to make this a Server-only API), I will have a verifiable path for any of the accounts I create, and I'll be able to use all of the PlayFab goodies!

Thanks

-Courtland
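The signed-CustomID scheme described in the reply above, as an added example that is not code from the thread or from PlayFab: the auth server derives `firebase-{firebaseId}.{HS256 signature}` with a key only it holds, and the same function verifies any CustomID later (e.g. when auditing which accounts were created through the trusted path). The secret, the `firebase_uid` values and the `fake_login_with_custom_id` stand-in for the server-side PlayFab call are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed example secret: on the real auth server this is loaded from a
# secret store and never shipped to the browser client.
SIGNING_KEY = b"constructed-example-key-replace-me"
PREFIX = "firebase-"


def _sign(payload: str, key: bytes) -> str:
    """HMAC-SHA256 (the 'HS256' primitive) over payload, URL-safe base64, unpadded."""
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def make_custom_id(firebase_uid: str, key: bytes = SIGNING_KEY) -> str:
    """Build 'firebase-{uid}.{signature}' for an already-verified Firebase user."""
    if not firebase_uid:
        raise ValueError("firebase uid must be non-empty")
    payload = PREFIX + firebase_uid
    return f"{payload}.{_sign(payload, key)}"


def verify_custom_id(custom_id: str, key: bytes = SIGNING_KEY):
    """Return the Firebase uid if the CustomID carries a valid signature, else None."""
    payload, sep, sig = custom_id.rpartition(".")
    if not sep or not payload.startswith(PREFIX):
        return None  # malformed: no signature part or wrong provider prefix
    # Constant-time comparison so a forged signature leaks no timing information.
    if not hmac.compare_digest(_sign(payload, key), sig):
        return None
    return payload[len(PREFIX):]


def fake_login_with_custom_id(custom_id: str) -> dict:
    """Stand-in for the server-side LoginWithCustomID call (constructed, not PlayFab's API)."""
    return {"SessionTicket": "ticket-for-" + custom_id.split(".")[0]}


def issue_session(firebase_uid: str, login=fake_login_with_custom_id) -> str:
    """Auth-server flow: sign the CustomID, log in on the client's behalf, hand back
    only the SessionTicket so the client never sees the CustomID itself."""
    return login(make_custom_id(firebase_uid))["SessionTicket"]
```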
