
Secure way for automatic secondary Authorisation?


OAuth is a system for confirming that a given user has authenticated with a given OAuth provider. If Oculus aren't an OAuth provider, then OAuth does nothing for you here. When you see that GameSparks offers various "social authentication" options, probably some of those are already using OAuth - but it is done on their server via hard-coded URLs.

If the Oculus SDK provides a way of authenticating a user then you can hypothetically use that method, providing your backend provider (e.g. Gamesparks) allows for you to use an arbitrary token, which in this case I don't think it does.


If the Oculus SDK provides a way of authenticating a user then you can hypothetically use that 

Unless GameSparks has a separate SDK for this, or the OP wants to run their own servers anyway, letting the client run the OAuth and then telling GameSparks the result will open you up to impersonation attacks.



I was planning to have my own server to do some things like keeping a list of who is logged in and do matchmaking and possibly running a Raknet service to enable NAT punch for cross platform matchmaking, calculating ping maybe.

I think at this point you guys have given me enough hints on how this stuff works and I now need to get someone involved who knows more about backend/networking design and programming to look into the actual APIs/SDKs to see what is possible to do. Which wires can be plugged where.

I also have to consider if I need these backend services like Gamesparks or Playfab etc. at all. They do seem to have some useful features even for the free indie accounts and probably would speed development up compared to setting up your own database and other things.

Having browsed the different documentations a bit more I have found some promising bits, but I still can't tell for certain what will work, which is why I need a more experienced programmer to join the effort. Here are some tidbits that might help someone else interested, though I'm not sure this is the correct info :) !


Thanks everyone for all the advice. I'm very grateful!






"The User Access Token is user-specific string that identifies a user and allows your back-end server to act on their behalf.

The User Access Token is retrieved by sending a request to ovr_AccessToken_Get(). The token will be returned as a response. This token can be passed from the client to your backend."


Part of the scheme to confirm the identity of a particular user in your backend. You can pass the result of ovr_User_GetUserProof() and a user ID from ovr_User_Get() to your backend. Your server can then use our api to verify identity. 'https://graph.oculus.com/user_nonce_validate?nonce=USER_PROOF&user_id=USER_ID&access_token=ACCESS_TOKEN'



The steps below outline how to use the Resource Owner Client Credentials Grant Type flow to obtain an access token.

  1. Obtain credentials from your OAuth provider. At minimum you will need a client_id and client_secret.

  2. Fetch an access token from the provider.

  3. etc


Playfab: (I started with Gamesparks but Playfab seems maybe a bit more open)

"Correct - all the PlayFab core services are Web API based, so they work perfectly well from any device that can make an SSL call. "

LoginWithCustomID:  Signs the user in using a custom unique identifier generated by the title, returning a session identifier that can subsequently be used for API calls which require an authenticated user

POST https://{{TitleID}}.playfabapi.com/Client/LoginWithCustomID
Content-Type: application/json
X-Authentication: <user_session_ticket_value>

{ "CustomId": "67AB-5397-CC54-EA31", "CreateAccount": false, "TitleId": "1" }


EDIT: Gamesparks supports something called QQ/Catalyst which seems like it might be OAuth based/compatible.


Edited by fredrum

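The impersonation risk raised in this thread comes from a backend accepting a user ID on the client's word. As an added example (not code from any poster, Oculus, GameSparks or PlayFab), the sketch below has the backend check the user proof against the user_nonce_validate URL quoted above before it issues its own signed session. The `is_valid` response field, the injected `fetch` transport and the `fake_platform` stand-in are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

VALIDATE_URL = "https://graph.oculus.com/user_nonce_validate"  # endpoint quoted in the thread
SESSION_KEY = secrets.token_bytes(32)  # server-only signing key, constructed per process


def validation_url(nonce, user_id, app_access_token):
    """URL the backend requests; the access token never leaves the server."""
    query = urlencode({"nonce": nonce, "user_id": user_id, "access_token": app_access_token})
    return f"{VALIDATE_URL}?{query}"


def sign_session(user_id):
    """Session token binding the verified user ID to an HMAC only the server can produce."""
    tag = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def session_user(token):
    """Return the user ID carried by a session token, or None if we did not sign it."""
    user_id, _, tag = token.rpartition(".")
    expected = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    ok = bool(user_id) and hmac.compare_digest(tag.encode(), expected.encode())
    return user_id if ok else None


def login(user_id, nonce, app_access_token, fetch):
    """Issue a session only after the platform confirms the proof for this user ID.

    fetch(url) returns the response body as text; it is injected so the
    transport can be swapped or faked (hypothetical parameter).
    """
    try:
        body = json.loads(fetch(validation_url(nonce, user_id, app_access_token)))
    except (OSError, ValueError):
        return None  # fail closed on network or parse errors
    # Assumption: the platform answers with a JSON object carrying "is_valid".
    if not isinstance(body, dict) or body.get("is_valid") is not True:
        return None
    return sign_session(user_id)


def fake_platform(url):
    """Constructed stand-in: accepts only user 1001 presenting proof 'proof-abc'."""
    ok = "nonce=proof-abc" in url and "user_id=1001" in url
    return json.dumps({"is_valid": ok})
```

A client that presents its own valid proof but claims a different user ID gets no session, because the proof and the ID are validated together on the server.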
