question

Mervin D Guy Jr avatar image
Mervin D Guy Jr asked

Shared Secret Key Usage

For the Developer and Player Shared Secret keys, am I supposed to put them in my code by their name (i.e. keyABC) or by their value (i.e. GJ0839q0iUUUHBD0968)? I couldn't tell when reading the documentation and there aren't any good examples for security reasons.

The examples above were arbitrary and do not represent an actual key name/value.

Account ManagementdataAuthenticationdocumentation
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

2 Answers

·
Mervin D Guy Jr avatar image
Mervin D Guy Jr answered

Quoting SethDu's answer here as the accepted version, the parameter used should be the value (i.e. GJ0839q0iUUUHBD0968) not the name - thanks again for the help

" The value should be the required information, if you are enterprise user, please feel free to submit a ticket to us. According to the document, the following is the standard procedure to handle encrypted login:

An RSA CSP blob to be used to encrypt the payload of account creation requests when that API requires a signature header. For example, if Client/LoginWithCustomId requires signature headers but the player does not have an account yet follow these steps:

  1. Call Client/GetTitlePublicKey with one of the title's shared secrets.
  2. Convert the Base64 encoded CSP blob to a byte array and create an RSA signing object.
  3. Encrypt the UTF8 encoded JSON body of the registration request and place the Base64 encoded result into the EncryptedRequest and with the TitleId field, all other fields can be left empty when performing the API request.
  4. Client receives authentication token as normal. Future requests to LoginWithCustomId will require the X-PlayFab-Signature header.

Please let me know if you have any other questions. "

10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Seth Du avatar image
Seth Du answered

May I ask what is the design purpose of this shared secret key? Does player have full access to this data? Please understand that we may need more information to provide suggestions.

2 comments
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Mervin D Guy Jr avatar image Mervin D Guy Jr commented ·

It for signing PlayFabAPI login requests with client signatures. The client only has access to the PlayerSharedSecret but not the Developer Key. The client calls the function PlayFabClientAPI.GetTitlePublicKey(GetTitlePublicKeyRequest) and the server calls PlayFabAdminAPI.CreatePlayerSharedSecretAsync(CreatePlayerSharedSecretRequest).

The problem I'm running into is the content of the parameters, is it supposed to be the key-name (i.e. keyABC) or the key-value (i.e. GJ0839q0iUUUHBD0968?


Here is an example document with usage of the API and tags where the parameters should be: https://docs.microsoft.com/en-us/gaming/playfab/gamemanager/encrypted-logins

0 Likes 0 ·
Seth Du avatar image Seth Du ♦ Mervin D Guy Jr commented ·

The value should be the required information, if you are enterprise user, please feel free to submit a ticket to us. According to the document, the following is the standard procedure to handle encrypted login:

An RSA CSP blob to be used to encrypt the payload of account creation requests when that API requires a signature header. For example, if Client/LoginWithCustomId requires signature headers but the player does not have an account yet follow these steps:

  1. Call Client/GetTitlePublicKey with one of the title's shared secrets.
  2. Convert the Base64 encoded CSP blob to a byte array and create an RSA signing object.
  3. Encrypt the UTF8 encoded JSON body of the registration request and place the Base64 encoded result into the EncryptedRequest and with the TitleId field, all other fields can be left empty when performing the API request.
  4. Client receives authentication token as normal. Future requests to LoginWithCustomId will require the X-PlayFab-Signature header.

Please let me know if you have any other questions.

1 Like 1 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.