Single Sign-on

How It Works

If several connected services share a single user account for authentication, you can use Single Sign-on. Each game website counts as a service. The user enters their credentials only once; after that, opening any of the connected services finds the user already authenticated.

Interaction Flow

  1. An unauthenticated user opens one of the services.
  2. Your client sends the Check User Authentication request to the Xsolla Login server and receives a 401 error.
  3. Your client opens the authentication form (Login Widget or your own login UI) for the user.
  4. The user authenticates with a username and password or via a social network.
  5. Your client authenticates the user in your Login project:
    • The Login API requests are used when integrating Login via API methods.
    • The OAuth 2.0 protocol is used when integrating Login via the Widget.
    The user session data is saved on the Xsolla Login server. The server returns login_url, which contains redirect_uri with code in the query parameter.
  6. Your client redirects the user to redirect_uri.
  7. Your server sends the Generate JWT request to exchange the received code for a JWT. The user is authenticated on the first service.
  8. The user opens another service.
  9. Your client sends the Check User Authentication request to the Xsolla Login server and receives login_url, which contains redirect_uri with code in the query parameter.
  10. Your server sends the Generate JWT request to exchange the received code for a JWT. The user is authenticated on the second service without entering credentials again.

Keep the Generate JWT call on your server: it is the step that uses the OAuth 2.0 client's credentials, and those must not be embedded in client-side code. The code that passes through the browser is only useful to whoever holds the matching client credentials and redirect_uri.

Differentiating Access Rights for Different Services

To differentiate user account access rights between services, use distinct values of the scope parameter (e.g. scope=playfab) in different OAuth 2.0 clients, one client per service.

Who Can Use It

Partners who have already integrated Login and use the Xsolla user database or PlayFab as their user storage.

How to Get It

To connect Single Sign-on:

  1. Connect the OAuth 2.0 protocol.
  2. Implement a callback that calls the method for getting the user session (Check User Authentication).

Connecting OAuth 2.0 Protocol

Follow the recipe to connect the OAuth 2.0 protocol. You can use one OAuth 2.0 client for all services or create a separate OAuth 2.0 client for every service. A separate client per service lets you register that service's own redirect_uri and give it its own scope value.

Calling Method for Getting User Session

Call the Check User Authentication method from a callback that runs when your service opens. Send the request before showing the user the authentication form. Use the OAuth 2.0 client parameters (client_id, redirect_uri, scope) of the exact service the user is authenticating in, so that the code you receive can be exchanged by that service's server.

Example of the request:

GET https://login.xsolla.com/api/oauth2/sso?client_id=<client_id>&redirect_uri=<redirect_uri>&scope=<scope>&state=<state>&response_type=code HTTP/1.1

Example of the response when the user is authenticated:

HTTP/1.1 200 OK

{
  "login_url": "<redirect_uri>?code=<code>"
}

To get a user JWT:

  1. Your client redirects the user to the received login_url, that is, to redirect_uri with code in the query parameter.
  2. Your server sends the Generate JWT request with the received code and grant_type=authorization_code to obtain a JWT.

Generate a fresh, unguessable state value for each request and keep it in the user's session; if the redirect echoes state back, reject a mismatch before exchanging the code, as in any OAuth 2.0 authorization-code flow.

Example of the response when the user is not authenticated:

HTTP/1.1 401 Unauthorized

{
  "error": {
    "code": "003-040",
    "description": "User is unauthorized."
  }
}
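The whole check-then-exchange flow described in the interaction flow above and in this section, as an added example in Python (this is not Xsolla's code or SDK). Assumed rather than taken from the page: the Generate JWT endpoint URL and its form fields, which follow the standard OAuth 2.0 authorization-code exchange; the two example clients with their identifiers, secrets and redirect URIs; and the two responses, which are constructed from the shapes shown above. No HTTP call is made, so it runs offline; the functions return the URL to request and the form body your server would POST.

```python
import json
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint shown on this page.
SSO_ENDPOINT = "https://login.xsolla.com/api/oauth2/sso"
# Assumption: the Generate JWT (token) endpoint and its form fields follow the
# standard OAuth 2.0 authorization-code exchange; verify against the API reference.
TOKEN_ENDPOINT = "https://login.xsolla.com/api/oauth2/token"


@dataclass(frozen=True)
class OAuthClient:
    """One OAuth 2.0 client per service; all values below are made up for the example."""
    client_id: str
    client_secret: str   # stays on your server, never in client-side code
    redirect_uri: str
    scope: str


# Two services with their own clients; different scope values differentiate access rights.
SERVICE_A = OAuthClient("1001", "secret-a", "https://game-a.example.com/auth/callback", "offline")
SERVICE_B = OAuthClient("1002", "secret-b", "https://game-b.example.com/auth/callback", "playfab")

# Constructed responses, following the shapes shown on this page.
AUTHENTICATED_RESPONSE = (200, '{"login_url": "https://game-a.example.com/auth/callback?code=abc123"}')
UNAUTHENTICATED_RESPONSE = (401, '{"error": {"code": "003-040", "description": "User is unauthorized."}}')


def new_state() -> str:
    """Unguessable per-request state; store it in the user's session before sending the request."""
    return secrets.token_urlsafe(32)


def build_sso_check_url(client: OAuthClient, state: str) -> str:
    """The Check User Authentication request, built from the client of the service being opened."""
    params = {
        "client_id": client.client_id,
        "redirect_uri": client.redirect_uri,
        "scope": client.scope,
        "state": state,
        "response_type": "code",
    }
    return f"{SSO_ENDPOINT}?{urlencode(params)}"


def handle_sso_response(status: int, body: str):
    """200 with login_url: follow it. 401: the user has no session, show the login form."""
    payload = json.loads(body) if body else {}
    if status == 200 and isinstance(payload.get("login_url"), str):
        return ("redirect", payload["login_url"])
    if status == 401:
        return ("show_login_form", payload.get("error", {}).get("code"))
    raise ValueError(f"unexpected SSO response: {status} {body!r}")


def is_trusted_login_url(login_url: str, client: OAuthClient) -> bool:
    """Only follow a login_url that points at this service's registered redirect_uri."""
    got, want = urlsplit(login_url), urlsplit(client.redirect_uri)
    return (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path)


def extract_code(login_url: str, client: OAuthClient, expected_state: Optional[str] = None) -> str:
    """Pull the authorization code out of login_url, rejecting anything that looks wrong."""
    if not is_trusted_login_url(login_url, client):
        raise ValueError("login_url does not match the registered redirect_uri")
    query = parse_qs(urlsplit(login_url).query)
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("login_url does not carry exactly one authorization code")
    # The page's response example carries only code; if state is echoed back, it must match.
    if expected_state is not None and "state" in query and query["state"] != [expected_state]:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    return codes[0]


def build_token_request(client: OAuthClient, code: str) -> dict:
    """Form body for the server-side Generate JWT request (grant_type=authorization_code)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client.client_id,
        "client_secret": client.client_secret,
        "code": code,
        "redirect_uri": client.redirect_uri,
    }


def run_flow(client: OAuthClient, status: int, body: str, state: Optional[str] = None):
    """Drive one service's SSO check to either a token request (to POST to TOKEN_ENDPOINT) or a login prompt."""
    action, detail = handle_sso_response(status, body)
    if action != "redirect":
        return (action, detail)
    code = extract_code(detail, client, state)
    return ("exchange", build_token_request(client, code))


if __name__ == "__main__":
    state = new_state()
    print(build_sso_check_url(SERVICE_B, state))
    print(run_flow(SERVICE_A, *AUTHENTICATED_RESPONSE, state))
    print(run_flow(SERVICE_B, *UNAUTHENTICATED_RESPONSE, state))
```

The check is made with the client of the service being opened, so a login_url that points at another service's redirect_uri (or at a host you do not own) is refused before any code is exchanged; the token request is returned as data so the secret-bearing POST stays on the server side of your deployment.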