Single Sign-on
How it works
If you have several connected services that share a single user account for authentication, you can use Single Sign-on. The game website works as one such service. A user enters their credentials only once; after that, when the user opens any of the connected services, they are already authenticated.
Interaction flow
- Unauthenticated user opens one of the services.
- Your client sends the Check user authentication request to the Xsolla Login server and gets error 401.
- Your client opens the authentication form (Login Widget or your login UI) for the user.
- The user authenticates via a username and password or via a social network.
- Your client authenticates the user in your Login project:
  - The following requests are used when integrating Login via API calls:
  - The OAuth 2.0 protocol is used when integrating Login via the Widget.
- Your client sends the Check user authentication request to the Xsolla Login server and receives login_uri that contains redirect_uri with code in the query parameter.
- Your client redirects the user to redirect_uri.
- Your server sends the Generate JWT request to exchange the received code for a JWT. The user is authenticated on the service.
- The user opens another service.
- Your client sends the Check user authentication request to the Xsolla Login server and receives login_uri that contains redirect_uri with code in the query parameter.
- Your server sends the Generate JWT request to exchange the received code for a JWT. The user is authenticated on the second service.
Differentiating access rights for different services
To differentiate user account access rights for different services, you can use special values of the scope parameter (for example, scope=playfab) in different OAuth 2.0 clients.
Who can use it
Partners who have already integrated Login and use the Xsolla, Firebase, or PlayFab database.
How to get it
To connect Single Sign-on:
Connecting OAuth 2.0 protocol
Follow the instructions to connect the OAuth 2.0 protocol. You can use one OAuth 2.0 client for all services or create a separate OAuth 2.0 client for every service.
Calling request for getting user session
Implement the Check user authentication request.
Example of the request (http):
GET https://login.xsolla.com/api/oauth2/sso?client_id=<client_id>&redirect_uri=<redirect_uri>&scope=<scope>&state=<state>&response_type=code HTTP/1.1
Example of the request (curl):
curl --request GET \
--url 'https://login.xsolla.com/api/oauth2/sso?redirect_uri=redirect_uri&response_type=code&state=state&scope=scope&client_id=client_id'
Example of the response when the user is authenticated (http):
HTTP/1.1 200 OK
Content-Type: application/json
{
"login_url": "<redirect_uri>?code=<code>"
}
To get a user JWT:
- Your client implements and uses the request that redirects the user to the received redirect_uri.
- Your server sends the Generate JWT request with the received code and grant_type=authorization_code to get a JWT.
Example of the response when the user is not authenticated (http):
HTTP/1.1 401 Unauthorized
Content-Type: application/json
{
"error": {
"code": "003-040",
"description": "User is unauthorized."
}
}
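The following is an added example, not Xsolla's own code: it builds the Check user authentication request shown above and interprets the two documented responses, refusing to follow a login_url that does not point at the redirect_uri the client registered. The client_id, redirect_uri and state values are constructed sample data; the caller is assumed to generate a fresh random state per request and keep it to compare later.

```python
# Added example (not Xsolla's own code). Endpoint and parameter names come
# from the documentation above; the sample values in the test are constructed.
import json
from urllib.parse import urlencode, urlsplit, parse_qs

SSO_ENDPOINT = "https://login.xsolla.com/api/oauth2/sso"


def build_sso_url(client_id, redirect_uri, scope, state):
    """Return the GET URL for the Check user authentication request."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # caller-generated, unguessable, checked on return
        "response_type": "code",
    })
    return f"{SSO_ENDPOINT}?{query}"


def handle_sso_response(status, body, registered_redirect_uri):
    """Interpret the SSO response.

    Returns ("authenticated", code) when the user already has a session and
    the login_url points at the registered redirect_uri, ("show_login_form",
    None) on the documented 401, and raises on anything else.
    """
    if status == 401:
        # Documented error 003-040: no session yet, open the login form.
        return ("show_login_form", None)
    if status != 200:
        raise RuntimeError(f"unexpected SSO status {status}")
    login_url = json.loads(body)["login_url"]
    got, want = urlsplit(login_url), urlsplit(registered_redirect_uri)
    # Only redirect the browser to the exact origin/path we registered; this
    # keeps a malformed or tampered login_url from becoming an open redirect.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("login_url does not match the registered redirect_uri")
    code = parse_qs(got.query).get("code", [None])[0]
    if not code:
        raise ValueError("login_url carries no authorization code")
    # The server side then exchanges this code via the Generate JWT request
    # with grant_type=authorization_code (not shown here).
    return ("authenticated", code)
```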