Dylan Hunt asked
Do I still need to verify they own the Steam game if I login with LoginWithSteam?

I currently request a new Steam authTicket every time a user enters the game, even when their account is already linked to Steam, to verify they own the game.

Is this redundant?

This takes +2 seconds though -- I started wondering, does PlayFab do this for me already? If they are successfully logged in via Steam, does that mean they already own the game? What actually happens when you log in via Steam -- is it just for login convenience + friends, or does it actually verify through Steam that they own the game before approving?


1 Answer

brendan answered

Bear in mind that in Steam's API design, verification of ownership is a distinct step from authentication. In order to follow that model, our authentication function specifically does the authentication of the user ticket, but does not do the ownership check. That way, a title that still wants to take some action on the user account based on the ownership status being false can do so.

3 comments

Brian Jordan commented:

Per the Steam session ticket docs:

When using Session Tickets, Steam will automatically verify ownership of the current AppID. If the user does not own the current AppID, then m_eAuthSessionResponse field of the ISteamUser::ValidateAuthTicketResponse_t will be set to k_EAuthSessionResponseNoLicenseOrExpired

Am I understanding correctly that PlayFab's LoginWithSteam backend intentionally ignores a k_EAuthSessionResponseNoLicenseOrExpired result, still creates a new user account on the title, and calls the success callback on the client?

Does that mean our servers should perform an additional call to Steam's API (using Steamworks from the server side? or some REST API directly?) to verify ownership before gameplay?

Is there a way to stop such non-owner clients from making calls to the PlayFabClientAPI.Matchmake API?

brendan commented (replying to Brian Jordan):

No, that's the P2P/Game Server section of the docs. What you want to look at is the Backend Server section. User authentication and ownership verification are distinct steps - the only thing the auth step returns to us is the user's Steam ID, which we use to find the right account in PlayFab. In general, your DRM is managed by Steam, but to protect against a user somehow managing to trick Steam into providing a valid auth session ticket to a hacked client, we would recommend either making a call from your custom game server to Steam, or else using an "entitlement" item (use coupon codes to give valid users an item that you can check for in their inventory). We do have a backlog item to add a "registration key" system in a future update, but we don't have a schedule for that work yet.

Brian Jordan commented (replying to brendan):

Ooh I see, that makes sense. Thanks for clarifying!

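The two-step model brendan describes (authenticate the ticket first, check the license separately, and do both on your own backend rather than trusting the client) is easy to get wrong if a title treats "login succeeded" as "owns the game". The following is an added example, not code from PlayFab, Valve, or either poster: a server-side gate that only grants a player access to matchmaking once both steps pass. It uses the real Steam Web API endpoint names ISteamUserAuth/AuthenticateUserTicket/v1 and ISteamUser/CheckAppOwnership/v2 (both need a publisher Web API key), but the response field names and all sample responses are assumptions constructed for the demo and should be checked against the current Steamworks Backend Server documentation before use. The Steam IDs and ticket value are placeholders.

```python
import json
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode
from urllib.request import urlopen

# Real Steam Web API endpoint names (publisher key required). The JSON shapes
# parsed below are assumed from the docs, not captured from a live call.
AUTH_URL = "https://partner.steam-api.com/ISteamUserAuth/AuthenticateUserTicket/v1/"
OWNERSHIP_URL = "https://partner.steam-api.com/ISteamUser/CheckAppOwnership/v2/"


def fetch_json(url: str, params: dict) -> dict:
    """GET a Steam Web API endpoint. Network call; not exercised by the offline demo."""
    with urlopen(f"{url}?{urlencode(params)}", timeout=5) as resp:
        return json.load(resp)


@dataclass
class Verdict:
    allowed: bool
    steam_id: Optional[str]
    reason: str


def parse_auth_ticket(auth_resp: dict) -> Tuple[Optional[str], str]:
    """Step 1, authentication only: a valid ticket yields a Steam ID and nothing more."""
    body = auth_resp.get("response", {})
    if "error" in body:
        err = body["error"]
        return None, f"ticket rejected: {err.get('errorcode')} {err.get('errordesc')}"
    params = body.get("params", {})
    if params.get("result") != "OK":
        return None, "ticket result not OK"
    if params.get("vacbanned") or params.get("publisherbanned"):
        return None, "account is banned"
    return str(params["steamid"]), "ticket valid"


def parse_ownership(own_resp: dict, steam_id: str, allow_family_sharing: bool) -> Tuple[bool, str]:
    """Step 2, license check: independent of step 1, which says nothing about ownership."""
    info = own_resp.get("appownership", {})
    if info.get("result") != "OK":
        return False, "ownership lookup failed"
    if not info.get("ownsapp"):
        return False, "no license for this AppID"
    # ownersteamid differs from the player's ID when the license is borrowed
    # via Family Sharing; whether to admit such players is a title policy.
    if str(info.get("ownersteamid")) != steam_id and not allow_family_sharing:
        return False, "license is borrowed via Family Sharing; policy disallows"
    return True, "license confirmed"


def authorize_for_matchmaking(auth_resp: dict, own_resp: dict,
                              allow_family_sharing: bool = False) -> Verdict:
    """Gate: admit to matchmaking only if the ticket is valid AND the license check passes."""
    steam_id, reason = parse_auth_ticket(auth_resp)
    if steam_id is None:
        return Verdict(False, None, reason)
    owns, reason = parse_ownership(own_resp, steam_id, allow_family_sharing)
    return Verdict(owns, steam_id, reason)


def verify_live(publisher_key: str, app_id: int, ticket_hex: str,
                allow_family_sharing: bool = False) -> Verdict:
    """Full flow against Steam from the game server. Never run this on the client."""
    auth_resp = fetch_json(AUTH_URL, {"key": publisher_key, "appid": app_id, "ticket": ticket_hex})
    steam_id, reason = parse_auth_ticket(auth_resp)
    if steam_id is None:
        return Verdict(False, None, reason)
    own_resp = fetch_json(OWNERSHIP_URL, {"key": publisher_key, "steamid": steam_id, "appid": app_id})
    return authorize_for_matchmaking(auth_resp, own_resp, allow_family_sharing)


# Constructed sample responses (placeholder IDs, not captured from Steam).
OWNER_ID, SHARER_ID = "76561190000000001", "76561190000000002"
SAMPLE_AUTH_OK = {"response": {"params": {"result": "OK", "steamid": OWNER_ID,
                  "ownersteamid": OWNER_ID, "vacbanned": False, "publisherbanned": False}}}
SAMPLE_AUTH_BAD = {"response": {"error": {"errorcode": 101, "errordesc": "Invalid ticket"}}}
SAMPLE_OWNS = {"appownership": {"ownsapp": True, "permanent": True, "ownersteamid": OWNER_ID, "result": "OK"}}
SAMPLE_NO_LICENSE = {"appownership": {"ownsapp": False, "permanent": False, "ownersteamid": "0", "result": "OK"}}
SAMPLE_SHARED = {"appownership": {"ownsapp": True, "permanent": False, "ownersteamid": SHARER_ID, "result": "OK"}}

if __name__ == "__main__":
    for label, auth, own in [("owner", SAMPLE_AUTH_OK, SAMPLE_OWNS),
                             ("logged in, no license", SAMPLE_AUTH_OK, SAMPLE_NO_LICENSE),
                             ("bad ticket", SAMPLE_AUTH_BAD, SAMPLE_OWNS),
                             ("family-shared", SAMPLE_AUTH_OK, SAMPLE_SHARED)]:
        print(f"{label:>22}: {authorize_for_matchmaking(auth, own)}")
```

The second sample case is the one the question is really about: the ticket validates, PlayFab would log the player in and hand back a Steam ID, yet the license check still fails, so the server must refuse matchmaking itself. Caching a positive verdict per session (keyed by Steam ID and ticket) avoids repeating the round trip on every match request while keeping the decision on the server.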
