
joel-2 asked

Will PlayFab allow many client logins from our backend server?

We have a requirement that users should be able to log in with e-mail and password, and the e-mail should be changeable (by the user, not in game manager by support). I know that this isn't supported by PlayFab so I'm trying to work around it.

One solution I'm considering is to have an encrypted version of the e-mail address as a custom ID, and to have login requests go via our backend server, which can generate that ID and use it to identify the account and log in (using the client API) to get other details. When the user changes e-mail, the backend changes the custom ID linked to the account. The actual login is done with a fixed username (not visible to the user) and their password.

I want to ask: a) is this usage in general crazy? and b) there has been a suggestion that having many logins go through our backend will look like a security risk to PlayFab, so it won't work. Is this the case?

Thanks for any help.

Account Management

1 Answer

Seth Du answered

The workaround is feasible, BUT we do not suggest it, for security reasons. Inspired by your idea, our suggestion is to make use of our new feature LoginWithServerCustomId.

The ideal workflow for authentication is [client logs in with email] -> [your backend server verifies it against the mapping system, then logs in with the server custom ID] -> [PlayFab responds with a session ticket] -> [your backend server transfers the session ticket] -> [client receives the session ticket].

Basically, your backend server can work like a 3rd-party security agency and is configured to manage the email account information. By combining this with the server custom ID, you can leave out the relink-client-custom-ID process and provide a security service. This will also solve your too-many-logins concern.

Additionally, the backend server is only used for authentication. It helps reduce the payload, and all communications between clients and PlayFab remain the same as before.

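The workflow in the answer above, written out as an added example (this is not PlayFab's code and not the poster's): the backend owns the e-mail/password check and the e-mail-to-player mapping, calls the Server API `LoginWithServerCustomId` with the title secret key, and hands the returned session ticket to the client. The `ServerCustomId` is an opaque random token, not derived from the e-mail, so changing the e-mail only rewrites one mapping row and nothing about the ID can be recovered from a leaked key. The title id and secret key are placeholders, `FakePlayFab` is a constructed stand-in for the real endpoint (`https://{titleId}.playfabapi.com/Server/LoginWithServerCustomId`, authenticated with the `X-SecretKey` header) so the example runs offline, and the choice of scrypt for password hashing is the example's own, not something the thread specifies.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Hypothetical title id and server secret (constructed placeholders, not real credentials).
TITLE_ID = "ABCD"
SERVER_SECRET_KEY = "replace-with-your-title-secret-key"


@dataclass
class Account:
    server_custom_id: str   # opaque random token: the only identifier PlayFab ever sees
    pw_salt: bytes
    pw_hash: bytes


def normalize_email(email: str) -> str:
    return email.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard; these parameters are a reasonable baseline for a login backend.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


class AuthBroker:
    """Backend 'security agency': owns the email -> account mapping and the title secret."""

    def __init__(self, title_id: str, secret_key: str, playfab_post):
        self.base_url = f"https://{title_id}.playfabapi.com"
        self.secret_key = secret_key
        self.playfab_post = playfab_post   # injected HTTP transport (FakePlayFab below)
        self.accounts = {}                 # normalized email -> Account (a DB table in production)

    def register(self, email: str, password: str) -> None:
        key = normalize_email(email)
        if key in self.accounts:
            raise ValueError("email already registered")
        salt = secrets.token_bytes(16)
        self.accounts[key] = Account(secrets.token_urlsafe(32), salt, hash_password(password, salt))

    def change_email(self, old_email: str, new_email: str) -> None:
        # Only our mapping row changes; the ServerCustomId and the PlayFab account are untouched.
        old_key, new_key = normalize_email(old_email), normalize_email(new_email)
        if new_key in self.accounts:
            raise ValueError("email already registered")
        self.accounts[new_key] = self.accounts.pop(old_key)

    def login(self, email: str, password: str) -> str:
        """Verify email+password here, then obtain a PlayFab session ticket for the client."""
        acct = self.accounts.get(normalize_email(email))
        # Run the KDF even for unknown emails so response time does not reveal which emails exist.
        salt = acct.pw_salt if acct else b"\x00" * 16
        expected = acct.pw_hash if acct else b"\x00" * 32
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        if acct is None or not ok:
            raise PermissionError("invalid email or password")
        # Server API call: the secret key stays on the backend, and neither the email nor the
        # password is ever sent to PlayFab; only the opaque ServerCustomId is.
        body = {"ServerCustomId": acct.server_custom_id, "CreateAccount": True}
        headers = {"Content-Type": "application/json", "X-SecretKey": self.secret_key}
        resp = self.playfab_post(self.base_url + "/Server/LoginWithServerCustomId", headers, json.dumps(body))
        if resp.get("code") != 200:
            raise RuntimeError(f"PlayFab login failed: {resp.get('status')}")
        return resp["data"]["SessionTicket"]   # relayed to the client, which then talks to PlayFab directly


class FakePlayFab:
    """Constructed stand-in for the PlayFab Server API so the example runs offline."""

    def __init__(self, secret_key: str):
        self.secret_key = secret_key
        self.requests = []      # (url, headers, parsed body) for inspection
        self.players = {}       # ServerCustomId -> PlayFabId

    def post(self, url: str, headers: dict, body: str) -> dict:
        parsed = json.loads(body)
        self.requests.append((url, headers, parsed))
        if headers.get("X-SecretKey") != self.secret_key:
            return {"code": 401, "status": "Unauthorized"}
        new = parsed["ServerCustomId"] not in self.players
        pfid = self.players.setdefault(parsed["ServerCustomId"], secrets.token_hex(8).upper())
        return {"code": 200, "status": "OK",
                "data": {"PlayFabId": pfid, "SessionTicket": secrets.token_hex(24), "NewlyCreated": new}}


def demo():
    """Register, log in, change the email, log in again: the same PlayFab player both times."""
    pf = FakePlayFab(SERVER_SECRET_KEY)
    broker = AuthBroker(TITLE_ID, SERVER_SECRET_KEY, pf.post)
    broker.register("Alice@Example.com", "correct horse battery staple")
    ticket1 = broker.login("alice@example.com", "correct horse battery staple")
    broker.change_email("alice@example.com", "alice@new-domain.example")
    ticket2 = broker.login("alice@new-domain.example", "correct horse battery staple")
    return pf, broker, ticket1, ticket2


if __name__ == "__main__":
    pf, broker, t1, t2 = demo()
    print("PlayFab players:", len(pf.players), "| logins:", len(pf.requests), "| tickets differ:", t1 != t2)
```

Because the mapping is keyed by e-mail and the password check happens on the backend, a forgotten-password flow can still look the account up by e-mail alone, which is the objection to "encrypt the email with the password" raised later in the thread. The trade-off the thread points at is real: the backend now has to be in the login path for every client, and it must guard the title secret key as carefully as any other credential that grants Server API access.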
4 comments

joel-2 commented:

Thanks, I appreciate the suggestion. When you say "BUT we do not suggest it under safety concern", what do you mean exactly?

Although that server custom ID looks useful for this purpose, it doesn't seem to have the ability to be set or changed outside of logging in with it. This would firstly mean that we would have to change our initial login flow so that everything goes through the backend (which would be a bit painful) and secondly it would mean that we would have to store a mapping of e-mail to server ID, which is fine although I had hoped that we could change the ID so that they could be related by encryption and therefore have no need to store the mapping.

Are there plans to make the server custom ID as flexible as the CustomID? I saw one feature request for adding them to existing PlayFab accounts.

Seth Du ♦ commented, replying to joel-2:

The reason why you shouldn't store an encrypted email address as the custom ID is that if someone figured out the encryption algorithm, all user data would be at risk. LoginWithCustomID is designed for silent login and it only needs a CustomID. Based on your description, one solution is to encrypt the email along with the password, so that even if the email address and encryption algorithm are known to someone with malicious intent, they are still not capable of accessing user data.

For the Server Custom ID, please keep track of our update news on the community forum.

joel-2 commented, replying to Seth Du ♦:

Ah, I see, thanks for the clarification. I was hoping that as long as we have a secret key that we manage to protect we wouldn't have an issue with people being able to figure out the custom IDs, but it's certainly not ideal for security. I had already considered your suggestion about encrypting the email with the password, but unfortunately that wouldn't allow for password recovery if a user forgets their password, as we will need our backend to look up the account by e-mail only for that mechanism.
