question

Boolean Fiasco asked May 6, '16

Twitch OAuth Authentication

I'm working on an WebGL/JavaScript based browser game that integrates with Twitch for a bunch of cool features. One of the things I want to do is allow players to sign up/login using their Twitch account.

I've gotten Twitch's OAuth login flow working already and I've set that up to use LoginWithCustomID() to automatically create a new PlayFab account behind the scenes. However, as far as I can tell, this API call is really intended for use on mobile platforms using some sort of UUID that isn't easy to guess or spoof. Obviously, in the case of Twitch, someone's Twitch username is public information and easy enough to figure out.

I'm wondering if there's any existing design pattern for implementing a secure login via a third party like Twitch that isn't already supported via a direct API call like Twitter and Facebook are. I've poked through the server APIs and CloudScript functionality and it seems like it might be possible, though non-trivial, to rig something up.

Anyone have experience with this?

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

James Gwertzman Deactivated answered Jul 14, '16

Good news @Boolean Fiasco! Twitch integration is now available! You can read about it on our blog. https://playfab.com/announcing-twitch-integration/

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

brendan answered May 6, '16

For a service where we don't have a specific, secure authentication already, your best bet would indeed be to use LoginWithCustomID. The thing to do would be to generate a GUID locally - commonly a 5x5 or similar code, as the odds of collision between two would be astronomically unlikely. You would then save that locally, for subsequent sign-ins. For the player to them be able to carry their sign in cross-device, it would be best to incorporate one of the more generic service sign-ins we have available, like Facebook or Google.

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Boolean Fiasco answered May 6, '16

Thanks for the reply - that's the scheme I was considering going with, though it leaves some stuff to be desired with cross-device support as you noted. I was thinking of auto-adding their email address to the PlayFab account (which I can get from Twitch's API) and then storing the GUID as a private key on the player that I can then email to them later if they switch devices or otherwise get the login ID wiped.

Do you guys have any plans to officially support Twitch as an authentication service? It seems like the sort of thing that more games will want to use in the future, especially with Twitch's new Dev Success program!

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

brendan answered May 7, '16

Yes, we'll definitely be supporting Twitch as an authentication system in future. We're tracking on the developers who have said they would like to have it, so that we can use that info in our prioritization meetings internally (we base our development in part on what the aggregate need is). We haven't had a lot of requests for it yet, but as they accumulate, I'm sure this will bubble up.

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.