I'm doing a deep dive evaluating PlayFab for my online, HTML 5 game. I have the requirement of being able to use a number of different auth providers, most of which you support, but Twitter isn't one of them. I'm looking to see how it might fit in, and these two APIs look promising:
From my previous integration with Firebase Auth, I have the necessary OAuth flow working on my server (they support Twitter, but not Twitch). My only issue is this: with both of these APIs, they're available via the Client API -- meaning that anyone with the title ID can issue these calls, unlike the LoginWithXXX calls which authenticate via the passed access token.
There's a couple of schemes I could employ here, such as issuing and verifying a signed identifier (using a secret stored on my auth server) as the CustomID, but before delving too deeply into this, I wanted to ask to see if I was understanding the system correctly, and if there might be a better option here.
P.S. The game is currently up at http://survive.courtland.org -- using Firebase Auth. You have the option of playing with your twitter handle (or anonymously), which means when you kill someone, it can say "killed by @yourtwitterhandle).