Trevor Pries asked

How to authenticate with external API?

I'll start with a bit of context on the "Why". I've run into a bit of a problem while developing a Guild/Clan system. I need a way for new players to search for a group/guild to join. The PlayFab Group API is solid for what it is: generic JSON blobs that you can associate to things. What it isn't good at is querying that data. It's not an easy thing to solve; everyone's data is different, and trying to parse it on our behalf behind an API endpoint might not be worth the effort.

Anyways - the conclusion I've come to is to spin up a micro-service that will just be a front for a SQL database that has all the guild parameters I need that I can query. This also means I have a wide open API that things can hit.

What I'm looking for here: What would be the best way to authenticate incoming requests to my external API?

- Can I send the PlayFab EntityToken to my API and have some Azure/PlayFab package that I can download and import from somewhere authenticate/verify that token?

- I'm not an API expert, but is it secure enough to create a CloudScript method that authenticates the user and then sends off an HTTP request with an external API Id and Secret? Is it secure enough for me to just have my API client secret in CloudScript?

Is there a third option I should consider? #1 would be ideal I think, but #2 is where I'm leaning in terms of feasibility and effort.

Thanks in advance for any input


Citrus Yan answered

Hi @Trevor Pries,

Please let me rephrase your question first: you've set up an open external API that things can hit and want to authenticate the PlayFab EntityToken before actually handling those requests, is that right? If that's the case, first of all, EntityTokens are issued by PlayFab servers and therefore authenticated by them; there is no PlayFab package that can be downloaded and imported into your project to authenticate that token locally. However, PlayFab does provide the ValidateEntityToken API that you can use to authenticate the token with PlayFab servers. Please also note that it's only callable by the title entity and is therefore not recommended to call from the client side, since that would expose title-level EntityTokens to the clients. So, there are two options you can consider:

  1. Have your micro-service call the ValidateEntityToken API to authenticate the EntityToken provided by the clients before actually handling those incoming requests.
  2. Use a CloudScript method just like you mentioned in option 2, and don’t worry, no one but you can access the CloudScript code, hence it should be secure enough for you to have your API client secret in CloudScript as long as you don’t expose it by accident.
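As an added example of option 1 (this is not code from the thread or from PlayFab's SDK), here is a request guard for a Node micro-service fronting the guild SQL index. The client's EntityToken is validated server-side with ValidateEntityToken, using a title-level token the service obtains from its own secret key, so the secret never reaches the game client and only `title_player_account` entities are allowed to search. Assumed and not stated in the thread: the client sends its EntityToken in an `X-EntityToken` request header, the secret key comes from an environment variable, the `post` transport is injectable so the flow can be exercised offline against a constructed stand-in for PlayFab, and the reply shapes (`code`, `status`, `data.Entity`, `data.EntityToken`, `data.TokenExpiration`) follow PlayFab's REST responses.

```javascript
// Added example (not from the thread, not PlayFab's own SDK): a request guard for a
// micro-service that fronts the guild SQL index, following the thread's option 1.
// The service validates a client-supplied EntityToken with PlayFab's
// ValidateEntityToken using a title-level token obtained from its own secret key;
// the secret key never leaves the server.
// Assumed (not stated in the thread): the client sends its EntityToken in an
// "X-EntityToken" header, the secret key comes from an environment variable, and
// `post` is an injectable transport so the logic can run offline.

const TITLE_ID = process.env.PLAYFAB_TITLE_ID || "TITLEID_PLACEHOLDER";
const SECRET_KEY = process.env.PLAYFAB_SECRET_KEY || "SECRET_KEY_PLACEHOLDER";
const BASE_URL = `https://${TITLE_ID.toLowerCase()}.playfabapi.com`;

// Real transport (Node 18+ global fetch). PlayFab REST replies are JSON with
// "code", "status" and, on success, a "data" object.
async function httpPost(path, headers, body) {
  const res = await fetch(BASE_URL + path, {
    method: "POST",
    headers: { "Content-Type": "application/json", ...headers },
    body: JSON.stringify(body),
  });
  return res.json();
}

// Pure helpers kept apart from I/O so the policy is easy to test.
function parseTokenReply(reply) {
  if (!reply || reply.code !== 200 || !reply.data || !reply.data.EntityToken) {
    throw new Error("GetEntityToken failed: " + (reply && reply.status));
  }
  return { token: reply.data.EntityToken, expiresAt: Date.parse(reply.data.TokenExpiration) };
}

function parseValidateReply(reply) {
  if (!reply || reply.code !== 200 || !reply.data || !reply.data.Entity) return null;
  return reply.data.Entity; // { Id, Type, TypeString }
}

// Only player entities may search for guilds; any other entity type presenting a
// valid token (e.g. a title or character entity) is rejected with 403.
function decideAuthorization(entity) {
  if (!entity) return { ok: false, status: 401, reason: "invalid or missing EntityToken" };
  if (entity.Type !== "title_player_account") {
    return { ok: false, status: 403, reason: "entity type not allowed: " + entity.Type };
  }
  return { ok: true, status: 200, playerEntityId: entity.Id };
}

// Case-insensitive header lookup (HTTP frameworks often lower-case header names).
function getHeader(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : undefined;
}

function createValidator(post = httpPost) {
  let cached = null; // { token, expiresAt } for the title entity

  // The secret key is used only here, and only to refresh the cached title token.
  async function getTitleEntityToken(now = Date.now()) {
    if (cached && now < cached.expiresAt - 60_000) return cached.token;
    cached = parseTokenReply(
      await post("/Authentication/GetEntityToken", { "X-SecretKey": SECRET_KEY }, {}));
    return cached.token;
  }

  async function validateClientToken(clientToken) {
    if (typeof clientToken !== "string" || clientToken === "") return null;
    const titleToken = await getTitleEntityToken();
    const reply = await post("/Authentication/ValidateEntityToken",
      { "X-EntityToken": titleToken }, { EntityToken: clientToken });
    return parseValidateReply(reply);
  }

  async function authorizeGuildSearch(headers) {
    return decideAuthorization(await validateClientToken(getHeader(headers, "X-EntityToken")));
  }

  return { getTitleEntityToken, validateClientToken, authorizeGuildSearch };
}

// Constructed stand-in for PlayFab so the flow can run offline. "TITLE-TOKEN" and
// "GOOD-PLAYER-TOKEN" are made-up values, not real tokens.
async function fakePlayFab(path, headers, body) {
  const nowPlusHour = new Date(Date.now() + 3600 * 1000).toISOString();
  if (path === "/Authentication/GetEntityToken") {
    return headers["X-SecretKey"] === SECRET_KEY
      ? { code: 200, status: "OK", data: { EntityToken: "TITLE-TOKEN", TokenExpiration: nowPlusHour } }
      : { code: 401, status: "Unauthorized" };
  }
  if (path === "/Authentication/ValidateEntityToken") {
    if (headers["X-EntityToken"] !== "TITLE-TOKEN") return { code: 401, status: "Unauthorized" };
    return body.EntityToken === "GOOD-PLAYER-TOKEN"
      ? { code: 200, status: "OK", data: { Entity: { Id: "PLAYER1", Type: "title_player_account", TypeString: "title_player_account" } } }
      : { code: 401, status: "Unauthorized" };
  }
  return { code: 404, status: "NotFound" };
}

// Demo run against the constructed stand-in.
createValidator(fakePlayFab)
  .authorizeGuildSearch({ "x-entitytoken": "GOOD-PLAYER-TOKEN" })
  .then((r) => console.log(r)); // { ok: true, status: 200, playerEntityId: 'PLAYER1' }
```

In production, `createValidator()` with the default transport is constructed once per process so the title token is cached across requests; the cache refresh is the only place the secret key is used, and the request handler returns the `status` and `reason` to the client without ever echoing either token.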

Trevor Pries answered

Hey Citrus, thanks for the response!

Yeah, that's exactly what I was getting at with the local package: basically a wrapper for something like the ValidateEntityToken API endpoint. I think for what I need this for, both approaches should be fine. It's not meant to be called often (when a player is searching for a guild, basically).

In case anyone else stumbles on this, I'm leaning towards option 2.

- ValidateEntityToken is an additional call for every API request. I don't think that's a huge deal in this case, but still notable.

- By using CloudScript to wrap my micro-service calls, it abstracts my service from direct communication with the game client; PlayFab remains the one-stop shop (in my case).

- If the API is compromised in some way or goes down, it will be easy enough for me to update the CloudScript (whether it's with new tokens, etc.) without too much hassle.
