duartedd asked

openid connect securely

Hello

Just trying to understand the proper process flow with OpenID Connect and the best way to do this securely. The way I have it right now, I have the secret and client and such stored on the client application, because the login with OpenID is expecting a JWT token and PlayFab is expecting my client to start the authentication phase to get the token. That all works well, but as far as storing the information on the client side (Unity): should I pull that information from the CloudScript and call the CloudScript from the client? Is that even any more secure, because I'm still pulling that information to the client (I think the calls are encrypted though, right)? Any thoughts on that one?

thanks!

Daniel

duartedd answered

Just had a thought: since CloudScript is JavaScript, I think I could make CloudScript do the access token request via a POST to the Google token server and then return the JWT which the client needs... oooo, trying it out.

Seth Du answered

You can, and it is more secure, but I don't think it is necessary, because to call Cloud Script, the player has to be logged in. I assume the result you want from using OpenID is to log in to PlayFab. The most important thing to the player is the login via OpenID for the first time, and after that I believe they will prefer silent login; you may refer to the documentation: Login basics and best practices. I am not sure what JWT token you are using, but it will be unnecessary to store it on the PlayFab side if it has a short expiration time or is for single use.

duartedd commented

Hey @SethDu, I just noticed that the list OpenID connection and, in general, the OpenID configured stuff in the dashboard really isn't used. The only use case with its current flow is that the developer could run it on a server and use it on the server. You wouldn't really want to run the admin API on a client, and the client only really has the loginwithopenid call, which doesn't need the secret (which is good), just the connectionid. I just find it a strange flow when working with a client > PlayFab server scenario. I am going to just work around it by manually updating the CloudScript and adding the connection information from the OpenID configurations to the CloudScript... this will be my end scenario. I just wanted to mention that this whole process of dealing with OpenID has felt 'incomplete' in a sense, like maybe it's still in dev: it's almost there but not quite there yet. I think we can close this, as I don't think there is anything else that PlayFab can do without taking the design further on OpenID.

duartedd answered

Well, I was thinking to pass the auth token to CloudScript, and the CloudScript could request the access token from Google or whatever OpenID provider, then I use the received key to link the custom ID / OpenID... so it'd be the JWT provided by Google directly to the CloudScript, then CloudScript can pass it on to the client or just call the login with a passed custom ID to that CloudScript function I called from the client... and yup, the frictionless login is what I would and do use... the custom ID is used based off the system identifier / device ID to log in, then I give the option for the user to link or create a new account. I'll have to test it out... I am just not sure how the POST to Google will work from CloudScript and if it will wait for the data to be returned.

duartedd commented

Okay, so CloudScript will not be able to post to an external server. This is because it does not support the XMLHttpRequest / AJAX / Fetch feature of ES6, as their doc does not say it supports ALL ES6 features, so I am guessing fetch is part of the features it DOES not have access to... it actually makes sense, since CloudScript probably isn't really meant to interact by posting to external web servers as far as I am aware... if it is, then I don't understand why it wouldn't be working.

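The flow discussed in this thread (a backend, rather than the Unity client, exchanging the authorization code at Google's token endpoint and handing back only the JWT), shown as an added example that is not part of the original posts and is not PlayFab code. The function names, the `cfg` object and all sample values are assumptions; the HTTP call itself is left to whatever outbound client the backend provides, and the claim checks are a sanity gate, not signature verification.

```javascript
// Added example (not from the thread). All names below are hypothetical.
const TOKEN_URL = "https://oauth2.googleapis.com/token"; // Google's OAuth 2.0 token endpoint
const ISSUERS = ["https://accounts.google.com", "accounts.google.com"];

// Server-side only: cfg carries the client secret and never ships in the game build.
function buildTokenRequest(authCode, cfg) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code: authCode,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    redirect_uri: cfg.redirectUri,
  }).toString();
  return { url: TOKEN_URL, method: "POST", contentType: "application/x-www-form-urlencoded", body };
}

// Decodes the payload segment only; this is not signature verification.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Picks the ID token out of the token response and rejects obviously wrong ones
// before anything is returned to the client. Access/refresh tokens stay on the server.
function extractIdToken(tokenResponse, cfg, nowSec = Math.floor(Date.now() / 1000)) {
  if (!tokenResponse || typeof tokenResponse.id_token !== "string") throw new Error("no id_token in response");
  const claims = decodeJwtPayload(tokenResponse.id_token);
  if (!ISSUERS.includes(claims.iss)) throw new Error("unexpected issuer");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(cfg.clientId)) throw new Error("issued for another client");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  return tokenResponse.id_token;
}

// Constructed sample data (no real credentials or tokens).
const cfg = { clientId: "example-client-id", clientSecret: "example-secret", redirectUri: "https://game.example/callback" };
const seg = (o) => Buffer.from(JSON.stringify(o)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleJwt = (claims) => [seg({ alg: "RS256" }), seg(claims), "constructed-signature"].join(".");
const sampleResponse = {
  access_token: "constructed-access-token",
  id_token: sampleJwt({ iss: "https://accounts.google.com", aud: cfg.clientId, sub: "1234", exp: 2000 }),
};
console.log(buildTokenRequest("constructed-auth-code", cfg).body);
console.log(extractIdToken(sampleResponse, cfg, 1000) === sampleResponse.id_token); // true
```

The party that finally accepts the JWT still has to verify its signature against the provider's published keys.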