Is this a bug? (GetCatalog)

darkgolemgames
started a topic on Thu, 05 March 2015 at 7:58 PM

I'm getting the following error when trying to retrieve a catalog. I've had this error before but can't remember how it became resolved.

IAP : Error retrieving catalog: X-Authentication HTTP header contains invalid ticket

UnityEngine.Debug:Log(Object)

IAP.Inventory:OnPlayFabError(PlayFabError) (at Assets/Scripts/IAP/Inventory.cs:72)

PlayFab.<GetCatalogItems>c__AnonStorey34:<>m__2A(String, String) (at Assets/Imports/PlayFab/PlayFabSDK/Public/PlayFabClientAPI.cs:982)

PlayFab.Internal.<MakeRequest>c__Iterator3:MoveNext() (at Assets/Imports/PlayFab/PlayFabSDK/Internal/PlayFabHTTP.cs:53)

This is the code that gets the catalog:

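    // Requests the catalog; Build receives the result, OnPlayFabError receives any error.
    // catalogVersion, Build and OnPlayFabError are members of the enclosing class.
    // Note: the authKey parameter is not used in this method.
    void Retrieve (string authKey = null)
    {
        GetCatalogItemsRequest request = new GetCatalogItemsRequest ();
        request.CatalogVersion = catalogVersion;
        PlayFabClientAPI.GetCatalogItems (request, Build, OnPlayFabError);
    }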
1 Answer

12 Comments
Brendan Vanous said on Thu, 05 March 2015 at 8:22 PM

That means that your Session Ticket for the user has expired (they only last 24 hours), or that it was changed (making it invalid). Logging in the user would obtain a fresh Session Ticket.


johntube said on Fri, 06 March 2015 at 4:52 PM

Brendan,

I don't know why such an important detail was not mentioned "explicitly enough" in a frequently visited page of the docs/website.

And IMO token refresh should be automatic and transparent inside the SDK ! Because the alternative would be to cache each request somehow (as you lose access to it in the callbacks) and in the error callback, check if the error is InvalidTicket (I'm not sure about the error name) and re-login and in the login callback check if there is a cached request and if so resend it !


Brendan Vanous said on Sat, 07 March 2015 at 6:16 PM

Security tokens, by their nature, always have an expiration. This expiration time is going to vary over time, which is why services generally don't call out their specific values (titles written to expect a certain lifetime for the ticket would then have errors, if it changes). This is the standard, but it's a fair point that someone with no familiarity with online services would not be aware of this - we'll add it to the login documentation.

The problem with automatically going through the sign-in process when the ticket expires is that this may be disruptive to the gameplay experience (as it may need to pop a sign-in dialog), as well as cause unexpected delays. Right now, our SDK is designed to give the developer all the information needed to decide on the correct next steps based on their needs - always returning an invalid session ticket when that is the response to the call.


darkgolemgames said on Sat, 07 March 2015 at 6:55 PM

Thanks guys.

I couldn't figure out that invalid header meant the security token had expired and I thought checking "keep session key" would make it not expire or retrieve a new one upon expiry.

But now that I know, the problem is fixed so thank you. :)


johntube said on Sat, 07 March 2015 at 7:24 PM

Hey Brendan,

The GetCatalogItems documentation page like all other Client API requests docs does not indicate such error code (InvalidTicket) :

I'm not an expert on Online Services nor an amateur. I remember asking you about Token expiration and Token refresh on another thread.

Please correct me if I'm wrong : the token will expire ONLY when no requests are made within 24 hours ! The token should be refreshed at least once per day when the user is making a request to PlayFab servers. If not, then we have a serious problem !

As darkgolemgames already mentioned, the keep session key boolean flag is misleading. Its purpose is to cache the session token in Unity's PlayerPrefs so it will be retrieved when the user reopens the game so he/she won't need to go through the login process multiple times between app pauses.


Brendan Vanous said on Mon, 09 March 2015 at 2:05 PM

Yes, I've entered a bug to get the error return listed for all Client API calls which require authentication.

But no, the assumption that the session ticket will remain valid or be refreshed if you make any calls within the 24 hour period before the ticket expires is incorrect. The way our ticket system works is that upon successful authentication, you get a session ticket which is valid for a 24 hour period. This way, if a ticket is compromised (if a user loses his device, for instance, and the person who finds it has reasonable technical skills), it has a reasonably short window in which it can be re-used. We're considering making this timeout configurable - specifically because we have had requests to make it shorter - but whatever time set would still be finite, so the case of an expired ticket does need to be handled by the title gracefully. We do not force-authenticate the user on an invalid ticket return value, as that could interfere in your game's flow.

We'll get the Unity SDK updated to ensure that the keepSessionKey boolean is more clearly documented.


johntube said on Mon, 09 March 2015 at 3:57 PM

I don't know why Facebook is going crazy with an "up-to 60 days long-lived token" ! Or I'm missing something here.


Brendan Vanous said on Mon, 09 March 2015 at 4:26 PM

I wouldn't describe Facebook as crazy at all, they simply have a different system, with different requirements. A major difference is that games running in Facebook are sub-frames of the Facebook experience itself, whereas games using PlayFab control the user experience completely.

It's also worth noting that their long-term tokens can also expire at any time without warning, so handling errors caused by expired tokens must still be handled correctly.


johntube said on Mon, 09 March 2015 at 5:09 PM

When I mentioned the lifetime of the long-lived facebook token I wasn't thinking about facebook apps or games but the token itself which can be used for OAuth like with PlayFab.

I want to link this thread with the one about Device Authentication as they're somehow related. There is no need for device authentication when a user is signed in to the game with Facebook as the Facebook SDK for Unity allows, via "managed" token, to login to PlayFab "transparently, implicitly" at any time unless the user logs out explicitly. Same thing with Google I think, I don't know about Steam, GameCenter or PSN but the problem is with users logged in with email.


Brendan Vanous said on Wed, 11 March 2015 at 7:03 PM

Correct, and yes, Steam as well. GameCenter doesn't allow for this. Consoles (both PSN and Xbox Live) have an OAuth-like system as well, so they can be used this way. Device authentication is simply what we point to as the most universally general-purpose, since you can't always rely upon the user having Facebook (or other services) as well.


brainbeat.club said on Sun, 10 May 2015 at 12:50 PM

I read the whole thread, but it is still not clear to me how to gracefully handle the case of an expired ticket?!

What should be done if for example, the ticket expires in the middle of the game during player's move?


Brendan Vanous said on Mon, 11 May 2015 at 9:27 AM

In short, any Client API call (apart from login) may return a token expired error. In that case, you would need to re-authenticate the player, using one of the available login API calls. In all cases, using the lowest-impact call is advisable (ex: the Device ID login calls do not require any player interaction).
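
Added example, not part of the original thread and not PlayFab SDK code: one way to implement the pattern discussed above (keep the request, re-authenticate silently on an invalid-ticket error, resend once). `TicketRetry`, `Demo`, the fake backend and the message-based error check are hypothetical; in a real title the delegates would wrap the SDK call and a no-interaction login such as the Device ID login mentioned above.

```csharp
using System;

// Hypothetical helper: works with any callback-style API of the shape
// call(request, onSuccess, onError), as used by GetCatalogItems in the thread.
public static class TicketRetry
{
    public static void Call<TReq, TRes, TErr>(
        TReq request,
        Action<TReq, Action<TRes>, Action<TErr>> apiCall,
        Func<TErr, bool> isInvalidTicket,        // caller decides what "expired ticket" looks like
        Action<Action, Action<TErr>> relogin,    // silent login: (onSuccess, onError)
        Action<TRes> onSuccess,
        Action<TErr> onError)
    {
        bool retried = false;                    // retry at most once so a bad login cannot loop
        Action<TErr> handleError = null;
        handleError = err =>
        {
            if (retried || !isInvalidTicket(err)) { onError(err); return; }
            retried = true;
            // Fresh ticket obtained: resend the original request unchanged.
            relogin(() => apiCall(request, onSuccess, handleError), onError);
        };
        apiCall(request, onSuccess, handleError);
    }
}

public static class Demo
{
    static bool ticketValid = false;             // constructed state: ticket starts out expired

    static void FakeGetCatalog(string version, Action<string[]> ok, Action<string> fail)
    {
        if (!ticketValid) { fail("X-Authentication HTTP header contains invalid ticket"); return; }
        ok(new[] { "sword", "shield" });         // constructed sample catalog
    }

    static void FakeSilentLogin(Action ok, Action<string> fail) { ticketValid = true; ok(); }

    public static void Main()
    {
        TicketRetry.Call<string, string[], string>(
            "v1", FakeGetCatalog,
            err => err.Contains("invalid ticket"),   // assumption: real code should match the SDK's error code
            FakeSilentLogin,
            items => Console.WriteLine("catalog items: " + items.Length),
            err => Console.WriteLine("giving up: " + err));
    }
}
```

If the silent login itself fails, the error is passed to `onError`, which is the point where a title can choose to show an interactive sign-in at a moment that does not interrupt play.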
