Single Sign-on
How it works
If you have several connected services that share one user account for authentication, you can use Single Sign-on. A game website is an example of such a service. The user enters their credentials only once; after that, when they open any of the connected services, they are already authenticated.
Interaction flow
- An unauthenticated user opens one of the services.
- Your client sends the Check user authentication request to the Xsolla Login server and gets error 401.
- Your client opens the authentication form (Login Widget or your login UI) for the user.
- The user authenticates via a username and password or via a social network.
- Your client authenticates the user in your Login project:
  - Login API authentication requests are used when integrating Login via API calls.
  - The OAuth 2.0 protocol is used when integrating Login via the Widget.
- Your client sends the Check user authentication request to the Xsolla Login server and receives `login_uri`, which contains `redirect_uri` with `code` in the query parameter.
- Your client redirects the user to `redirect_uri`.
- Your server sends the Generate JWT request to exchange the received `code` for a JWT. The user is authenticated on the service.
- The user opens another service.
- Your client sends the Check user authentication request to the Xsolla Login server and receives `login_uri`, which contains `redirect_uri` with `code` in the query parameter.
- Your server sends the Generate JWT request to exchange the received `code` for a JWT. The user is authenticated on the second service.
Differentiating access rights for different services
To differentiate user account access rights between services, use special values of the `scope` parameter (for example, `scope=playfab`) in different OAuth 2.0 clients.
Who can use it
Partners who have already integrated Login and use the Xsolla, Firebase, or PlayFab user database.
How to get it
To connect Single Sign-on:
Connecting OAuth 2.0 protocol
Follow the instruction to connect the OAuth 2.0 protocol. You can use one OAuth 2.0 client for all services or create a separate OAuth 2.0 client for every service.
Calling request for getting user session
Implement the Check user authentication request.
Example of the request:

http:
```http
GET https://login.xsolla.com/api/oauth2/sso?client_id=<client_id>&redirect_uri=<redirect_uri>&scope=<scope>&state=<state>&response_type=code HTTP/1.1
```

curl:
```bash
curl --request GET \
  --url 'https://login.xsolla.com/api/oauth2/sso?redirect_uri=<redirect_uri>&response_type=code&state=<state>&scope=<scope>&client_id=<client_id>'
```
Example of the response when the user is authenticated:
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "login_url": "<redirect_uri>?code=<code>"
}
```
To get a user JWT:
- Your client implements and uses the request that redirects the user to the received `redirect_uri`.
- Your server sends the Generate JWT request with the received `code` and `grant_type=authorization_code` to get a JWT.
Example of the response when the user is not authenticated:
```http
HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error": {
    "code": "003-040",
    "description": "User is unauthorized."
  }
}
```
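The following is an added example that walks through the SSO check from the interaction flow and the two responses shown above; it is not Xsolla's own code. It builds the Check user authentication request URL with the parameters listed on this page, interprets a 200 response (extract `code` from `login_url`) and a 401 response (user must log in), and prepares the body for the Generate JWT exchange. The SSO endpoint, parameters, and both response shapes come from the page; the token-request field names `client_id` and `redirect_uri` are standard OAuth 2.0 fields and are an assumption here, as is the rule that `login_url` must point at the registered `redirect_uri`. HTTP transport is left out so the logic runs offline against constructed responses.

```python
"""Client-side handling of the Xsolla Login SSO check (added example, not Xsolla code)."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SSO_ENDPOINT = "https://login.xsolla.com/api/oauth2/sso"  # endpoint shown on the page


def new_state() -> str:
    """Fresh unguessable state value; store it in the user's session before the check."""
    return secrets.token_urlsafe(32)


def build_sso_check_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Build the Check user authentication request URL with the page's query parameters."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "response_type": "code",
    })
    return f"{SSO_ENDPOINT}?{query}"


def _same_redirect_target(login_url: str, registered_redirect_uri: str) -> bool:
    """True only if scheme, host and path of login_url equal the registered redirect_uri.
    Assumed check: a code attached to any other target is not acted on."""
    got, want = urlparse(login_url), urlparse(registered_redirect_uri)
    return (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path)


def handle_sso_response(status: int, body: str, registered_redirect_uri: str,
                        expected_state: str) -> dict:
    """Interpret the SSO check response.

    Returns {"authenticated": True, "code": ...} when a usable code was received,
    {"authenticated": False, "error_code": ...} when the user must log in (401),
    and raises ValueError for anything that should not be trusted.
    """
    data = json.loads(body)
    if status == 401:
        # Page shows: {"error": {"code": "003-040", "description": "User is unauthorized."}}
        return {"authenticated": False, "error_code": data["error"]["code"]}
    if status != 200:
        raise ValueError(f"unexpected SSO status {status}")

    login_url = data["login_url"]  # page shows "<redirect_uri>?code=<code>"
    if not _same_redirect_target(login_url, registered_redirect_uri):
        raise ValueError("login_url does not point at the registered redirect_uri")
    params = parse_qs(urlparse(login_url).query)
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("login_url carries no authorization code")
    # If the redirect echoes our state, it must match the value stored in the session.
    returned_state = params.get("state", [None])[0]
    if returned_state is not None and not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: the redirect was not started by this session")
    return {"authenticated": True, "code": code}


def build_jwt_exchange_body(client_id: str, code: str, redirect_uri: str) -> dict:
    """Form body for the Generate JWT request, sent from your server.
    grant_type=authorization_code and code are from the page; client_id and
    redirect_uri are the standard OAuth 2.0 token-request fields (assumption)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }


# Constructed sample responses mirroring the two shapes shown on the page.
SAMPLE_REDIRECT_URI = "https://game.example.com/auth/callback"
SAMPLE_OK_BODY = json.dumps({"login_url": f"{SAMPLE_REDIRECT_URI}?code=abc123"})
SAMPLE_401_BODY = json.dumps(
    {"error": {"code": "003-040", "description": "User is unauthorized."}})


if __name__ == "__main__":
    state = new_state()
    print(build_sso_check_url("my_client", SAMPLE_REDIRECT_URI, "playfab", state))
    print(handle_sso_response(200, SAMPLE_OK_BODY, SAMPLE_REDIRECT_URI, state))
    print(handle_sso_response(401, SAMPLE_401_BODY, SAMPLE_REDIRECT_URI, state))
    print(build_jwt_exchange_body("my_client", "abc123", SAMPLE_REDIRECT_URI))
```

The `code` is only ever handed to your server for the Generate JWT request; the client never exchanges it itself, which keeps the client secret off the user's device. Verifying that `login_url` matches the registered `redirect_uri` and that any echoed `state` matches the session's stored value keeps a code obtained in one context from being redeemed in another.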