OAuth 2.0 protocol
Overview
Xsolla Login supports the OAuth 2.0 standard protocol for user registration and authentication. OAuth 2.0 separates the client role from the resource owner. The resources are controlled by the owner and hosted by the server. To access protected resources, the client gets an access token, a string defining access attributes, and doesn't use the resource owner's credentials. With the approval of the resource owner, the server gives access tokens to third-party clients for usage. Detailed info on the OAuth 2.0 protocol is available on its official website. The user JWT is an access_token.
The interaction flow between the client and the Xsolla Login server is the following:
To set up the OAuth 2.0 protocol:
- Connect the Login product.
- Set up Xsolla storage or PlayFab.
- Connect OAuth 2.0 client.
Connecting OAuth 2.0 client
- Go to Publisher Account and open your Login project > General settings > Authorization > OAuth 2.0 authentication.
- Click Connect.
- Specify in the modal window:
  - Client name.
  - OAuth 2.0 redirect URIs. Parameter redirect_uri for the Login API calls.
  - Authentication type: public or confidential.
    - The confidential client requires the use of the client ID and secret key when calling the Generate JWT call to get and update the access token.
    - The public client only requires the use of the client ID.
    - The JWT auth by username and password call is only available for the public client.
- Click Connect.
Getting OAuth 2.0 client settings
To get the client ID and secret key:
- Go to Publisher Account and open your Login project > General settings > Authorization > OAuth 2.0 authentication.
- In the client block, click Connect/Edit.
A window with these settings opens automatically after connecting the OAuth 2.0 client. Client ID and secret key match the client_id and client_secret parameters for the Login API calls. Use these settings when working with OAuth 2.0 clients.
Integration on application side
You can integrate in one of the ways described in the sections below:
When working with Login API, you can also use the scope parameter. Possible parameter values:
- offline for updating the access token. Passing scope=offline to the registration or authentication call is required.
- email for the additional user email request when authenticating the user via a social network. Set this value if you have integrated the Login product via the previous version of the Login widget. See the Collecting emails during social authentication instruction.
Integration via Login widget
If you integrate Login via the widget:
- For widget 2.0: Add the client_id, response_type, state and redirect_uri parameters to the initialization code. Also, you can add the scope parameter. You should specify the HTTP/HTTPS scheme in the redirect_uri parameter, as in https://example.com.
- html
<script>
const xl = new XsollaLogin.Widget({
projectId: 'LOGIN_PROJECT_ID',
preferredLocale: 'en_US',
clientId: 'CLIENT_ID',
responseType: 'code',
state: 'CUSTOM_STATE',
redirectUri: 'REDIRECT_URI',
scope: 'SCOPE'
});
</script>
- For the previous version of widget: Add the redirect_uri and client_id parameters to the initialization code. Also, you can add the scope parameter. You should specify the HTTP/HTTPS scheme in the redirect_uri parameter.
- html
<script type="text/javascript">
XL.init({
projectId: 'LOGIN_PROJECT_ID',
locale: 'en_US',
redirectUri: 'REDIRECT_URI',
clientId: 'CLIENT_ID',
state: 'CUSTOM_STATE',
scope: 'SCOPE'
});
</script>
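Both widget snippets pass a state value and a redirect_uri. The application side has to generate that state, bind it to the browser session, and check it when the redirect comes back before the code is accepted; it also has to refuse a redirect_uri without the explicit HTTP/HTTPS scheme the widget requires. The following is an added example of that server-side handling; it is not Xsolla's code, and the function names, the dict used as a session store and the constructed callback URLs are assumptions.

```python
"""Added example (not Xsolla's code): issuing and checking the state
parameter around the widget redirect, and rejecting a redirect_uri without
an explicit http/https scheme. Names and the dict-based session are
assumptions."""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

ALLOWED_SCHEMES = {"http", "https"}


def validate_redirect_uri(uri: str) -> bool:
    """The widget requires an explicit HTTP/HTTPS scheme in redirect_uri;
    a bare host or a custom scheme is refused before initialisation."""
    parsed = urlparse(uri)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


def begin_login(session: dict, redirect_uri: str) -> str:
    """Create the value to pass as the widget's state option.

    It is random, stored only in this browser session, and checked once
    when the redirect returns, so a code delivered to the callback by
    anyone other than this user's login flow is ignored."""
    if not validate_redirect_uri(redirect_uri):
        raise ValueError("redirect_uri must use the http or https scheme")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def handle_callback(session: dict, callback_url: str) -> dict:
    """Accept the code from redirect_uri only when state matches the stored
    value. The stored value is consumed on first use, so the same callback
    URL cannot be replayed against the session."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        return {"ok": False, "reason": "missing_state"}
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return {"ok": False, "reason": "state_mismatch"}
    code = params.get("code", [None])[0]
    if not code:
        return {"ok": False, "reason": "missing_code"}
    return {"ok": True, "code": code}


if __name__ == "__main__":
    # Constructed round trip: start a login, then simulate the browser
    # returning to redirect_uri with the code and the same state.
    session = {}
    state = begin_login(session, "https://example.com/callback")
    url = f"https://example.com/callback?code=CODE&state={state}"
    print(handle_callback(session, url))   # accepted once
    print(handle_callback(session, url))   # state already consumed
```

The code returned by handle_callback is what the application then exchanges for an access token on the server side; the state check belongs in front of that exchange for both widget versions, since both pass state.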
Integration via Login API
For user registration and authentication, use the API requests for the OAuth 2.0 protocol. If you have already integrated requests for the JWT standard, replace them by calling the OAuth 2.0 requests.
When calling API authentication requests, exchange the code parameter for an access token.
Integration via Xsolla SDKs
Xsolla SDKs support the OAuth 2.0 protocol-based authentication. For setting up the OAuth 2.0 client, choose the game engine and follow the instructions:
Getting access token
Use the grant_type=authorization_code parameter to get the access token. The code parameter required for getting the token is passed to redirect_uri after user authentication or registration.
- http
POST https://login.xsolla.com/api/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_id=11&client_secret=vGbXcsQ0CEW233m2qldYkd5IxbnRKoWt2YiBOgHYJGRGQwtIAdtxgxT64ik&code=ldYkd5IxbnRKoWt2YiBOgHYJGRGQwtIAdtxgxT64ik&grant_type=authorization_code&redirect_uri=https://my-website.com/callback
- curl
curl --request POST \
  --url https://login.xsolla.com/api/oauth2/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data client_secret=vGbXcsQ0CEW233m2qldYkd5IxbnRKoWt2YiBOgHYJGRGQwtIAdtxgxT64ik \
  --data client_id=11 \
  --data redirect_uri=https://my-website.com/callback \
  --data code=ldYkd5IxbnRKoWt2YiBOgHYJGRGQwtIAdtxgxT64ik
Updating access token
The Xsolla Login server generates an access token and creates a new session for each successfully authenticated user. By default, the token has an expiration time of 1 hour.
To update the token, use the
- For the first call, use the grant_type=authorization_code parameter and the code parameter that was received after user authentication.
- For the subsequent calls after the token expires, use the grant_type=refresh_token parameter and the latest refresh_token value.
- http
POST https://login.xsolla.com/api/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_id=11&client_secret=vGbXcsQ0CEW233m2qldYkd5IxbnRKoWt2YiBOgHYJGRGQwtIAdtxgxT64ik&grant_type=refresh_token&refresh_token=111dfgdfgdf&redirect_uri=https://my-website.com/callback
- curl
curl --request POST \
  --url https://login.xsolla.com/api/oauth2/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=refresh_token \
  --data client_secret=vGbXcsQ0CEW233m2qldYkd5IxbnRKoWt2YiBOgHYJGRGQwtIAdtxgxT64ik \
  --data client_id=11 \
  --data redirect_uri=https://my-website.com/callback \
  --data refresh_token=111dfgdfgdf
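The two requests above (the first exchange with grant_type=authorization_code, then refreshes with grant_type=refresh_token and the latest refresh_token) are usually wrapped in one small client that refreshes shortly before the 1-hour expiry instead of on every call. The following is an added example of such a client, written for a confidential client, not part of the Xsolla SDKs. The class and function names are assumptions, as are the access_token and refresh_token keys in the JSON response and the standard exp claim in the JWT (read here only to schedule the refresh, not to trust the token); the fake server is constructed so the example runs offline against the real endpoint URL without contacting it.

```python
"""Added example (not Xsolla's SDK): a token client that does the first
exchange with grant_type=authorization_code and later refreshes with
grant_type=refresh_token, always sending the latest refresh_token.
Names, the response JSON keys and the exp claim are assumptions."""
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.xsolla.com/api/oauth2/token"  # endpoint from the page
DEFAULT_LIFETIME = 3600  # the page states a 1-hour default expiration


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_exp(token: str):
    """Read the exp claim from a JWT payload WITHOUT verifying the signature.
    This only decides when to refresh; validating the token is a separate step."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])
    except (IndexError, KeyError, TypeError, ValueError):
        return None


def http_post_form(form: dict) -> dict:
    """Real transport: form-encoded POST to the token endpoint, JSON back."""
    req = Request(TOKEN_URL, data=urlencode(form).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenClient:
    def __init__(self, client_id, client_secret, redirect_uri,
                 post=http_post_form, now=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self._post, self._now = post, now   # injectable for offline use
        self.access_token = self.refresh_token = None
        self.expires_at = 0

    def _form(self, grant_type: str, **extra) -> dict:
        # Confidential client: client_id and client_secret go with every call.
        return {"client_id": self.client_id, "client_secret": self.client_secret,
                "redirect_uri": self.redirect_uri, "grant_type": grant_type, **extra}

    def _store(self, resp: dict) -> str:
        self.access_token = resp["access_token"]
        # Keep the newest refresh_token: the next refresh must use the latest value.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        exp = jwt_exp(self.access_token)
        self.expires_at = exp if exp is not None else self._now() + DEFAULT_LIFETIME
        return self.access_token

    def exchange_code(self, code: str) -> str:
        """First call: trade the code delivered to redirect_uri for tokens."""
        return self._store(self._post(self._form("authorization_code", code=code)))

    def refresh(self) -> str:
        """Subsequent calls once the access token has expired."""
        if not self.refresh_token:
            raise RuntimeError("no refresh_token: run exchange_code first "
                               "(the login call needs scope=offline)")
        return self._store(self._post(
            self._form("refresh_token", refresh_token=self.refresh_token)))

    def get_token(self, skew: int = 60) -> str:
        """Return a usable access token, refreshing shortly before expiry."""
        if self.access_token and self._now() < self.expires_at - skew:
            return self.access_token
        return self.refresh()


def make_fake_server(now):
    """Constructed stand-in for the token endpoint so the example runs offline:
    issues a JWT-shaped token expiring in one hour and rotates refresh_token."""
    issued = {"count": 0}

    def fake_post(form: dict) -> dict:
        if form["grant_type"] == "authorization_code":
            assert form["code"] == "CODE_FROM_REDIRECT"
        elif form["grant_type"] == "refresh_token":
            assert form["refresh_token"].startswith("rt-")
        else:
            raise ValueError("unsupported_grant_type")
        issued["count"] += 1
        header = _b64url(b'{"alg":"none","typ":"JWT"}')
        payload = _b64url(json.dumps(
            {"sub": "user-1", "exp": int(now()) + DEFAULT_LIFETIME}).encode())
        return {"access_token": f"{header}.{payload}.sig",
                "refresh_token": f"rt-{issued['count']}"}

    return fake_post, issued


if __name__ == "__main__":
    clock = {"t": 1_700_000_000}
    post, issued = make_fake_server(lambda: clock["t"])
    client = TokenClient("11", "CLIENT_SECRET", "https://my-website.com/callback",
                         post=post, now=lambda: clock["t"])
    first = client.exchange_code("CODE_FROM_REDIRECT")
    assert client.get_token() == first   # still valid: no request made
    clock["t"] += DEFAULT_LIFETIME       # an hour passes
    second = client.get_token()          # refreshed with rt-1, now holds rt-2
    print(issued["count"], client.refresh_token, second != first)
```

Swap the fake transport for http_post_form to talk to the real endpoint; the client_secret stays on the server, which is why this flow is only for the confidential client described above.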