David James asked

Custom Photon Authentication Token via Azure Function

I'd like to be more restrictive in who can call PlayFab's built-in "GetPhotonAuthenticationToken", limiting it to just the server rather than the client, using an Azure script. I'm wondering if this is the right approach?

The way I see it, I could use PlayFab's provided login (like Steam) to get a valid session, send that to the "server" (function), which checks if the player is eligible to request a Photon token.

As far as I'm aware, PlayFab allows clients to request a token just as long as they're logged in; whereas I have a unique situation where I only want to allow the player to log in, but under a different set of rules choose whether to allow the client to actually create a Photon session (host a lobby / use CCU).

That's where creating custom authentication came to mind, because it feels like I need to separate login authentication vs. Photon session tokens. (This is a design question, I guess.)

Is this possible? I know Photon has a page detailing that you can send data to a web service instead of using PlayFab to authenticate (which again, is just asking if we're logged in, right?), but I'm wondering how it all ties into PlayFab specifically, if Photon can even use Azure addresses for custom authentication, etc. Just need some help connecting the dots.

Thank you in advance for any insight.

Tags: apis, CloudScript, Authentication, photon

Xiao Zha answered

You can call the GetPhotonAuthenticationToken API on the Azure Function and add some eligibility check steps before calling the API. However, this won't actually block any hackers, as they are still able to call GetPhotonAuthenticationToken on the client directly.


David James commented:

Is that because I have the function authorization set to Anonymous rather than Function?
If that's not all, could you advise what else I need to do to make the app secure beyond doing that and locking all other PlayFab login methods (besides Steam) with the Admin API? That's all I can think of / know to research.

Right now the internal flow for client is:

  1. Log in with the client Steam API ->

  2. Verify the user license, update an internal stat for Steam license/ban status, etc. ->

  3. Upon requesting a token, ensure the user session is valid (AuthenticateSessionTicket), return the Photon result.

This seems to me secure enough, because even if they call the function directly, without a license it will just return null. You're saying the functions themselves need to be protected from the chance that bad parties want to spam the function or inject something somehow, which upgrading the authorization level would fix, yes?

David James commented:

Please note: nowhere in my client code do I provide the name of the Azure function responsible for requesting a Photon token; it's not being called by PlayFab's client API, it's being called by Photon using their custom authentication web server.
All the client code knows is the names of the parameters Photon will pass to the function, like user/session ticket.

Their server calls the Azure function, whose address is assigned in Photon's secure dashboard, awaits a response from the function, and provides a response to the client, but the client is totally ignorant of where their request goes, so it should be OK, right? Maybe I'm misunderstanding as well, because you say they could call GetPhotonAuthenticationToken using the client API, but that requires assigning PlayFab as the authentication provider in the Photon dashboard, and I've configured it to use the function instead. Plus, with the Admin API would I not be able to disable certain API calls? Sorry for all the questions!

Would love to know your thoughts on this; obviously authentication is a big deal and I want to do the best I can.

Xiao Zha commented (replying to David James):

If you follow Custom Authentication | Photon Engine to configure the authentication provider with your function instead of using PlayFab as the authentication provider, the token returned by the GetPhotonAuthenticationToken API cannot be authenticated by your function, so you don't need to worry about the client GetPhotonAuthenticationToken API being exploited by hackers.

David James answered

Looks like Photon will accept the function URL and POST just fine, no worries! For some reason I thought linking the two together would be more complicated, though it is barebones.

 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Azure.WebJobs;
 using Microsoft.Azure.WebJobs.Extensions.Http;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;

 // Result codes Photon's custom-authentication server understands.
 public enum ResponseCode
 {
     Incomplete = 0, // Only Data returned
     Success = 1, // All result returned
     Failure = 2, // Nothing returned
     InvalidParam = 3 // Nothing returned
 }

 public static class RequestPhotonToken
 {
     [FunctionName("RequestPhotonToken")]
     public static async Task<IActionResult> Run4(
         [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
         ILogger log)
     {
         // Raw body as posted by Photon's authentication server; logged while wiring things up.
         var requestJson = await req.ReadAsStringAsync();
         log.LogInformation($"RequestJson: {requestJson}");

         // Placeholder response: always answers InvalidParam until the real checks are added.
         // FunctionResponseContext<T> is the poster's own response wrapper (not shown here).
         var debugResult = new FunctionResponseContext<dynamic>()
         {
             ResultCode = 3, // ResponseCode.InvalidParam
             Description = "Invalid parameter"
         };
         var debugResultJson = JsonConvert.SerializeObject(debugResult);
         log.LogInformation($"DebugResultJson: {debugResultJson}");

         // Photon expects HTTP 200 with a JSON body carrying ResultCode.
         return new OkObjectResult(debugResultJson);
     }
 }
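An added example (not the poster's code, nor PlayFab's or Photon's) of what the function can do once the three-step flow from the comments is wired in: Photon calls it with the parameters the client set, it validates the session ticket with PlayFab's server API, checks the eligibility statistic, and answers in Photon's ResultCode format. It assumes the PlayFab C# server SDK, the parameter names `username` and `token`, the statistic name `license_status`, and app settings `PLAYFAB_TITLE_ID` and `PLAYFAB_SECRET_KEY`; with `AuthorizationLevel.Function` the key-bearing function URL is the one pasted into the Photon dashboard.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;
using PlayFab;
using PlayFab.ServerModels;

public static class PhotonCustomAuth
{
    // Photon custom-authentication result codes (same values as the ResponseCode enum in the post).
    const int Success = 1, Failure = 2, InvalidParam = 3;

    [FunctionName("PhotonCustomAuth")]
    public static async Task<IActionResult> Run(
        // Function-level auth: the caller must present the function key carried in the dashboard URL.
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
        ILogger log)
    {
        // Assumed parameter names; Photon forwards the client's AddAuthParameter values as query parameters.
        string playFabId = req.Query["username"];
        string ticket = req.Query["token"];
        if (string.IsNullOrEmpty(playFabId) || string.IsNullOrEmpty(ticket))
            return new OkObjectResult(new { ResultCode = InvalidParam, Message = "Missing parameters" });
        // The title secret key is read from app settings only; it never ships in the client build.
        PlayFabSettings.staticSettings.TitleId = Environment.GetEnvironmentVariable("PLAYFAB_TITLE_ID");
        PlayFabSettings.staticSettings.DeveloperSecretKey = Environment.GetEnvironmentVariable("PLAYFAB_SECRET_KEY");
        // Step 3 of the flow: the ticket must be valid, unexpired and belong to the claimed player.
        var auth = await PlayFabServerAPI.AuthenticateSessionTicketAsync(
            new AuthenticateSessionTicketRequest { SessionTicket = ticket });
        if (auth.Error != null || auth.Result.IsSessionTicketExpired == true
            || auth.Result.UserInfo?.PlayFabId != playFabId)
        {
            log.LogWarning("Photon auth rejected: bad session ticket for {PlayFabId}", playFabId);
            return new OkObjectResult(new { ResultCode = Failure, Message = "Invalid session" });
        }
        // Step 2's eligibility rule: the license/ban statistic written earlier must allow hosting (assumed name).
        var stats = await PlayFabServerAPI.GetPlayerStatisticsAsync(new GetPlayerStatisticsRequest
            { PlayFabId = playFabId, StatisticNames = new List<string> { "license_status" } });
        bool eligible = stats.Error == null
            && stats.Result.Statistics.Any(s => s.StatisticName == "license_status" && s.Value == 1);
        if (!eligible)
            return new OkObjectResult(new { ResultCode = Failure, Message = "Not eligible for Photon" });
        // Success: Photon binds this UserId to the session, so the client cannot choose its own identity.
        return new OkObjectResult(new { ResultCode = Success, UserId = playFabId });
    }
}
```

Because every rejection is a 200 response with a non-success ResultCode, the function's own logs (the LogWarning above) are where failed attempts show up, so a burst of rejections per PlayFabId is the signal to alert on.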