Single Sign-on
How it works
If you have several connected services that share a single user account for authentication, you can use Single Sign-on. The game website counts as one of these services. The user enters their credentials only once; after that, when they open any of the connected services, they are already authenticated.
Interaction flow
- An unauthenticated user opens one of the services.
- Your client sends the Check user authentication request to the Xsolla Login server and gets error 401.
- Your client opens the authentication form (Login Widget or your login UI) for the user.
- The user authenticates via a username and password or via a social network.
- Your client authenticates the user in your Login project:
  - The following requests are used when integrating Login via API methods:
  - The OAuth 2.0 protocol is used when integrating Login via the Widget.
- Your client sends the Check user authentication request to the Xsolla Login server and receives login_uri, which contains redirect_uri with code in the query parameter.
- Your client redirects the user to redirect_uri.
- Your server sends the Generate JWT request to exchange the received code for a JWT. The user is authenticated on the service.
- The user opens another service.
- Your client sends the Check user authentication request to the Xsolla Login server and receives login_uri, which contains redirect_uri with code in the query parameter.
- Your server sends the Generate JWT request to exchange the received code for a JWT. The user is authenticated on the second service.
Differentiating access rights for different services
To differentiate user account access rights for different services, you can use special values of the
Who can use it
Partners who have already integrated Login and use Xsolla database or PlayFab.
How to get it
To connect Single Sign-on:
Connecting OAuth 2.0 protocol
Follow the instructions to connect the OAuth 2.0 protocol. You can use one OAuth 2.0 client for all services or create a separate OAuth 2.0 client for every service.
Calling method for getting user session
Implement the Check user authentication request on your client.
Example of the request:

GET /api/oauth2/sso?client_id=<client_id>&redirect_uri=<redirect_uri>&scope=<scope>&state=<state>&response_type=code HTTP/1.1
Host: login.xsolla.com
Example of the response when the user is authenticated:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "login_url": "<redirect_uri>?code=<code>"
}
To get a user JWT:
- Your client implements and uses the method that redirects the user to the received redirect_uri.
- Your server sends the Generate JWT request with the received code and grant_type=authorization_code to get a JWT.
Example of the response when the user is not authenticated:

HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error": {
    "code": "003-040",
    "description": "User is unauthorized."
  }
}
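The following is an added example of the client-side half of the flow above (building the Check user authentication request and interpreting its two documented responses); it is not Xsolla's SDK code. It constructs the request URL exactly as in the page's example, generates a one-time state value, and handles both the 200 response (extracting code from login_url) and the 401 response (the user must be sent to the login form). It goes slightly beyond the page by refusing to follow a login_url whose scheme, host and path differ from the registered redirect_uri, and by comparing state if the redirect happens to echo one; the redirect_uri https://game.example/callback and the sample response bodies are constructed for the example, the HTTP transport is omitted so it runs offline, and the server-side Generate JWT exchange is not shown.

```python
"""Client-side handling of the Xsolla Login Check user authentication
(/api/oauth2/sso) round trip. Added example, not Xsolla's own code."""
import json
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_HOST = "https://login.xsolla.com"   # host from the page's request example


@dataclass
class SsoResult:
    authenticated: bool
    code: Optional[str] = None        # authorization code your server exchanges for a JWT
    login_url: Optional[str] = None   # where the client should redirect the user
    error_code: Optional[str] = None  # e.g. "003-040" from the 401 body


def new_state() -> str:
    # Unguessable per-attempt value; standard OAuth 2.0 CSRF protection.
    return secrets.token_urlsafe(32)


def build_sso_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Build the GET /api/oauth2/sso URL with the parameters shown on the page."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "response_type": "code",
    })
    return f"{LOGIN_HOST}/api/oauth2/sso?{query}"


def parse_sso_response(status: int, body: str, redirect_uri: str,
                       state: Optional[str] = None) -> SsoResult:
    """Interpret the Login server's reply to the Check user authentication request."""
    payload = json.loads(body)
    if status == 401:
        # Documented shape: {"error": {"code": ..., "description": ...}}.
        # The client must open the login form (Widget or own UI) next.
        return SsoResult(authenticated=False, error_code=payload["error"]["code"])
    if status != 200:
        raise ValueError(f"unexpected status {status}")

    login_url = payload["login_url"]
    # Only follow a redirect that lands on the redirect_uri we registered;
    # anything else is treated as an error rather than a place to send the user.
    want, got = urlsplit(redirect_uri), urlsplit(login_url)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("login_url does not match the registered redirect_uri")

    params = parse_qs(got.query)
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("login_url must carry exactly one authorization code")
    # Assumption: the page's example shows no state in login_url, but if one
    # is echoed it must be the value we sent with the request.
    echoed = params.get("state", [])
    if echoed and echoed != [state]:
        raise ValueError("state mismatch")
    return SsoResult(authenticated=True, code=codes[0], login_url=login_url)


if __name__ == "__main__":
    # Constructed sample round trip (no network).
    cb = "https://game.example/callback"
    st = new_state()
    print(build_sso_url("my_client", cb, "offline", st))
    print(parse_sso_response(200, json.dumps({"login_url": f"{cb}?code=c0de"}), cb, st))
    print(parse_sso_response(401, json.dumps({"error": {"code": "003-040",
          "description": "User is unauthorized."}}), cb, st))
```

On a 200 the client redirects the user to `login_url` and hands `code` to your server, which performs the Generate JWT request with grant_type=authorization_code; the code itself never needs to be stored on the client.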