OAuth 2.0: Connecting

How It Works

Xsolla Login supports user authentication based on the OAuth 2.0 protocol. Detailed information about OAuth 2.0 is available on the protocol's official website.

The format of Xsolla Login API methods for the OAuth 2.0 protocol is described here.

Who Can Use It

Partners who integrated Xsolla Login and use Xsolla or PlayFab database.

How to Get It

  1. Send the parameters for setting up OAuth 2.0 to your Account Manager.
  2. Update your project integration.

Sending Settings for OAuth 2.0

Send the following parameters to your Account Manager:

Parameter      Description
scope          Limits the client’s access to user data. Possible values:
  • offline: used for updating the user JWT when calling the Generate User JWT method with grant_type=refresh_token. Passing scope=offline to the registration or authentication method is required.
  • email: used for the additional request of the user's email when the user authenticates via a social network (see the recipe).
redirect_uri   The URL to which the user is redirected after a successful response to a request. The parameters that confirm the user data (code, state) are passed to this URL during the redirect.

After connecting the protocol for the project, the Account Manager will send you the data described below. The values should be passed to the corresponding parameters when API methods are called:

  • client_id — the ID of your OAuth 2.0 client.
  • client_secret — the secret key of your OAuth 2.0 client.

Updating Project Integration

The flow for updating project settings depends on the Login integration type:

Updating Integration via the Widget

  1. Add the redirect_uri and client_id parameters to the widget initialization code. The redirect_uri parameter must contain an HTTP/HTTPS scheme, as in https://example.com.

Example:

<script type="text/javascript">
XL.init({
  projectId: '{Login ID}',
  callbackUrl: '{callbackUrl}',
  locale: 'en_US',
  redirectUri: '{redirect_uri}',
  clientID: '{client_id}'
});
</script>

  2. Use the Generate User JWT method after successful user authentication to get a JWT. The code parameter required for getting the JWT is passed to redirect_uri after user authentication or registration.

Example:

POST https://login.xsolla.com/api/oauth2/token

Headers:
Content-Type: application/x-www-form-urlencoded

Body:
client_id=11&client_secret=vGbXcsQ0CEW233m2qldYkd5IxbnRKoWt2YiBOgHYJGRGQwtIAdtxgxT64ik&code=ldYkd5IxbnRKoWt2YiBOgHYJGRGQwtIAdtxgxT64ik&grant_type=authorization_code&redirect_uri=https://my-website.com/callback

Updating Integration via Xsolla Login API

Use the API methods for the OAuth 2.0 protocol listed below to authenticate users. If you have already integrated the methods for the JWT protocol, replace them with calls to the OAuth 2.0 methods.

Registration

Use the Register method to add a new user.

Example:

POST https://login.xsolla.com/api/oauth2/user?response_type=code&client_id=11&scope=offline&state=rr21112rrr&redirect_uri=https://my-website.com/callback

Headers:
  Content-Type: application/json

Body:
{
  "username": "John",
  "password": "password123",
  "email": "john@gmail.com"
}

Authenticating via a Username and Password

Use the Auth by Username and Password method to get the code parameter.

Example:

POST https://login.xsolla.com/api/oauth2/login?response_type=code&client_id=11&scope=offline&state=rr21112rrr&redirect_uri=https://my-website.com/callback

Headers:
  Content-Type: application/json

Body:
{
  "username": "John",
  "password": "password123"
}

Exchange the code for a JWT using the method for getting the JWT.

Authenticating via Social Networks

Use the Auth via Social Network method to get the code parameter.

Example:

GET https://login.xsolla.com/api/oauth2/social/google/login_redirect?response_type=code&client_id=11&scope=offline&state=rr21112rrr&redirect_uri=https://my-website.com/callback

Exchange the code for a JWT using the method for getting the JWT.

Getting JWT

Use the Generate User JWT method with the grant_type=authorization_code parameter to get the user JWT. The code parameter required for getting the JWT is passed to redirect_uri after user authentication or registration.

Example:

POST https://login.xsolla.com/api/oauth2/token

Headers:
Content-Type: application/x-www-form-urlencoded

Body:
client_id=11&client_secret=vGbXcsQ0CEW233m2qldYkd5IxbnRKoWt2YiBOgHYJGRGQwtIAdtxgxT64ik&code=ldYkd5IxbnRKoWt2YiBOgHYJGRGQwtIAdtxgxT64ik&grant_type=authorization_code&redirect_uri=https://my-website.com/callback
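
The callback handling and code exchange described above, as an added Node.js example that is not Xsolla's own code: it checks that the state returned to redirect_uri matches the value issued for the session (the standard OAuth 2.0 protection against forged callbacks) before building the Generate User JWT request. The function names and the cfg shape are assumptions, and the credentials are constructed placeholders.

```javascript
const { randomBytes, timingSafeEqual } = require('node:crypto');

const TOKEN_URL = 'https://login.xsolla.com/api/oauth2/token'; // endpoint from the page

// Generate an unguessable state value. Store it in the user's session
// before calling the registration or authentication method.
function newState() {
  return randomBytes(16).toString('hex');
}

// Constant-time comparison, so the check does not leak how many characters matched.
function sameState(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

// Validate the redirect_uri callback and build the Generate User JWT request.
// cfg = { clientId, clientSecret, redirectUri } is a hypothetical config shape.
function buildTokenRequest(callbackUrl, expectedState, cfg) {
  // The base argument lets this accept a path-only URL such as Node's req.url.
  const params = new URL(callbackUrl, cfg.redirectUri).searchParams;
  const code = params.get('code');
  const state = params.get('state');
  if (!expectedState || !state || !sameState(state, expectedState)) {
    throw new Error('state mismatch: callback was not started by this session');
  }
  if (!code) throw new Error('callback has no code parameter');
  // URLSearchParams percent-encodes every value, including redirect_uri.
  const body = new URLSearchParams({
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret, // kept on the server, never in widget code
    code,
    grant_type: 'authorization_code',
    redirect_uri: cfg.redirectUri,
  }).toString();
  return {
    url: TOKEN_URL,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  };
}

// Constructed sample values, not real credentials.
const sampleCfg = { clientId: '11', clientSecret: 'EXAMPLE_SECRET', redirectUri: 'https://my-website.com/callback' };
const sampleState = newState();
const sampleReq = buildTokenRequest(`/callback?code=EXAMPLE_CODE&state=${sampleState}`, sampleState, sampleCfg);
console.log(sampleReq.method, sampleReq.url);
```

Discard the stored state after one use so that a replayed callback fails the same check.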