Non web games use Google, FB, & Twitter accounts

3 comments, last by hplus0603 11 years, 10 months ago
For my multiplayer game I'd prefer not to make the user create yet another ID/PW just for my game. A ton of sites are starting to let you use your Google, FB, & Twitter accounts to sign in. So my questions are:

1) If I want to do this for a non web game (a desktop) would that be ok?

2) Are there other concerns with that when compared to doing this via a webpage?

3) I assume there are APIs for these big 3 or is there 1 that they share? Where to start finding out more info about this?

4) I assume the API would allow me to get some kind of ID that I can track that person each time and that I can store in my DB. Is this ID highly sensitive or not really?

5) Any other issues with doing this style of logging in?


Thanks!
The "sign in with Facebook" options all require a web browser in the loop. If you look at the specification for OAuth, OAuth 2, and OpenID (the three most used authentication delegation mechanisms), they include web redirect flows.

What you could do is allow the user to enter a user name and password from one of those services, and then do a "Login" in the user's name to the system, as if you were a web browser. Users may not trust your application, though, because they are effectively giving you their identity. Most users probably aren't smart enough to realize this, unfortunately, so it might actually "work fine" for you.

If you can arrange to get your downloaded application launched from a web page (download a special content type with login information, and set your application as the handler for that type, for example) then you can do the web login flow, and then download a randomly generated token, which the application later hands back to your servers, and your servers know how to tie the token to the delegated identity.
enum Bool { True, False, FileNotFound };
There must be a way to have an embedded browser in the C++ app pointing to my website that does the OpenID authentication and then communicates back to the C++ app that everything was good. Maybe in the C++ app it both connects to the game server and sends the auth command to the website at the same time and if the game server and website are on the same server there would be a way to check the 2 paths sent to the server and if everything is good the command that there was a successful login is sent to the game client from the game server?

That would be the client generates a unique ID and sends that along to both the game server via C++ and the website via a form field. When the website on the server comes back with authentication status it would be associated with the unique ID, and if successful we can validate the unique ID exists in a database that we stored it in when the C++ game client sent it, and if they match/exist the game server sends back success to the game client and all is good. This table would have some kind of 1 min expiration on all records or something.
So learning more about OAuth. It sounds great and exactly what I want, but I assume on a client side desktop application it's not very secure?

I don't mind the idea of having to open up the user's web browser to allow access from their Google account but ideally they would only have to do this once, but I assume that would mean I have to store off their access token & request token on their machines which is where the compromise would come from as anyone who could get access to this data could "login" as them into my game. The interesting thing is that once logged in it's not like they can change any passwords to lock out the user since it's their Google account so that's nice, it's minimal damage if someone does get those tokens.

Everything I've seen so far with OAuth is about accessing services. That's nice but much like this website I just want to use it for logging in purposes and not call any Google services. Is there a different method of doing just the authentication? What's this website doing when I log in via my Google account? I assume gamedev.net stored my tokens in their DB the first time I granted it access via my Google account, and when I login using my Google account...I guess I'm not sure what's exactly happening when I click the link that says login using Google. Is there anything stored on my machine/browser with all of this?
Yes, your browser stores a session cookie that gamedev.net uses to tie your session to your Google ID token.
If you clear cookies, you will be logged out.
enum Bool { True, False, FileNotFound };
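
The handoff described earlier in the thread (the web login flow produces a randomly generated token, the desktop client hands it back to the game server, and pending records expire after about a minute), sketched as an added example that is not code from any poster. It follows the server-generated-token variant; `LoginHandoff`, its method names and the sample identity string are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 60  # the thread suggests roughly a one-minute expiry


class LoginHandoff:
    """Server-side table tying a one-time token to a delegated identity."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        # Only a hash of each token is kept, so a leaked table of pending
        # logins does not contain redeemable tokens.
        self._pending = {}  # sha256(token) -> (identity, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8", "replace")).hexdigest()

    def issue(self, identity):
        """Website side: call after the provider has confirmed the login."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (identity, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Game-server side: returns the identity exactly once, or None if
        the token is unknown, already used, or expired."""
        self._purge()
        entry = self._pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return None
        identity, expires_at = entry
        return identity if self._clock() < expires_at else None

    def _purge(self):
        now = self._clock()
        for key in [k for k, (_, exp) in self._pending.items() if exp <= now]:
            del self._pending[key]


if __name__ == "__main__":
    store = LoginHandoff()
    t = store.issue("google:constructed-subject-123")  # constructed sample id
    print(store.redeem(t))  # identity on first use
    print(store.redeem(t))  # None on replay
```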
