Single Sign-on

How it works

If you have several connected services with a common single account for user authentication, you can use Single Sign-on. The game website works as a service. It will allow a user to enter their credentials only once. After that, when opening one of the connected services, the user will already be authenticated.

Interaction flow

Unauthenticated user opens one of the services.
Your client sends the Check user authentication request to the Xsolla Login server and gets error 401.
Your client opens the authentication form (Login Widget or your login UI) for the user.
The user authenticates via a username and password or via a social network.

Your client authenticates the user in your Login project:
- The following requests are used when integrating Login via API methods:
  - authentication via username and password (JWT and OAuth 2.0).
  - authentication via social networks (JWT and OAuth 2.0).
- The OAuth 2.0 protocol is used when integrating Login via the Widget.
The user session data is saved on the Xsolla Login server. The server sends login_uri that contains redirect_uri with code in the query-parameter.

Your client redirects the user to redirect_uri.
Your server sends the Generate JWT request to exchange the received code for a JWT. The user is authenticated on the service.
The user opens another service.
Your client sends the Check user authentication request to the Xsolla Login server and receives login_uri that contains redirect_uri with code in the query-parameter.
Your server sends the Generate JWT request to exchange the received code for a JWT. The user is authenticated on the second service.

Differentiating access rights for different services

To differentiate user account access rights for different services, you can use special values of the scope parameter (e.g. scope=playfab) in different OAuth 2.0 clients.

Who can use it

Partners who have already integrated Login and use Xsolla database or PlayFab.

How to get it

To connect Single Sign-on:

Connect the OAuth 2.0 protocol.
Implement the getting user session method callback.

Connecting OAuth 2.0 protocol

Follow the instruction to connect the OAuth 2.0 protocol. You can use one OAuth 2.0 client for all services or create a separate OAuth 2.0 client for every service.

Calling method for getting user session

Implement the Check user authentication method callback when opening your service. The request should be executed before opening the authentication form for the user. For authentication, use the OAuth 2.0 client parameters of the exact service the user wants to authenticate in.

Example of the request:

GET /api/oauth2/sso?client_id=<client_id>&redirect_uri=<redirect_uri>&scope=<scope>&state=<state>&response_type=code HTTP/1.1
Host: login.xsolla.com

Example of the response when the user is authenticated:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "login_url": "<redirect_uri>?code=<code>"
}

To get a user JWT:

Your client implements and uses the method that redirects the user to the received redirect_uri.
Your server sends the Generate JWT request with received code and grant_type=authorization_code for getting a JWT.

Example of the response when the user is not authenticated:

HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error": {
    "code": "003-040",
    "description": "User is unauthorized."
  }
}

Thank you for your feedback!

We'll review your message and use it to help us improve your experience.

Your browser is not supported. Please try a different browser