Authentication

Learn about advanced setups from our how-tos.

How to set up OAuth 2.0 authentication

Notice
Use this how-to when working with the Login library.

OAuth 2.0 uses short-lived tokens with long-term authorization (refresh tokens) instead of long-lived tokens. A refresh token allows users to stay in your application for an extended period of time without needing to re-enter their username and password. This eliminates the risk of compromising user authentication data.

Set up OAuth 2.0 for authorization:

  • via username or email and password
  • via social networks

If this option is enabled, user registration and authentication are carried out by calling the Register new user and JWT auth by username and password API calls. The Login library provides the same methods for OAuth 2.0 authorization as for JWT token authorization.

Note
Enabling this setting doesn’t change the authentication process in your application for the user.

To configure OAuth 2.0 authorization:

  1. Set up OAuth 2.0 authentication for Login project in your Publisher Account.
  2. Initialize the library.

Set up OAuth 2.0 authentication for Login project in your Publisher Account

  1. Go to your Publisher Account.
  2. Click Login in the side menu.
  3. Click Configure in the Login project pane.
  4. Go to the Security block and select the OAuth 2.0 section.
  5. Click Add OAuth 2.0.
  6. Specify OAuth 2.0 redirect URIs and click Connect.
  7. Copy and save the Client ID.

Initialize the library

To initialize the library, add the following line to your Android project source code, specifying the following parameters:

  • login-project-id: Login ID found in Publisher Account > Login settings > Login ID.
  • oauth2-client-id: Client ID received when setting up OAuth 2.0 in Publisher Account.

val loginConfig = LoginConfig.OauthBuilder()
                .setProjectId("login-project-id")
                .setOauthClientId("oauth2-client-id")
                .build()

XLogin.init(applicationContext, loginConfig)

The following methods are implemented in Login library to work with refresh tokens:

  • XLogin.refreshToken — refreshes the token.
  • XLogin.getToken — returns the current token.
  • XLogin.isTokenExpired — returns true if the token is expired.

How to use your own authorization system

Notice
Use this how-to when working with the following libraries:
  • Store
  • Payments
  • Inventory

You can integrate the SDK with your own authorization system. To do this, implement user identification by custom ID (user ID generated on your server) to open an in-game store, make a payment, and manage inventory.

The flow of interaction with Xsolla servers when using your own authorization system:

  1. Your client sends an authentication request to your server.
  2. Your server authorizes the user and sends a request to the Xsolla server to receive the user JSON Web Token (JWT), passing in the custom ID.
  3. Xsolla server returns the user JWT.
  4. Your server passes the user JWT to the client.
  5. SDK methods use the received user JWT instead of an authorization token to open an in-game store, make a payment, and manage inventory.

To use your own authorization system with Xsolla products:

  1. Set up server OAuth 2.0 client in your Publisher Account.
  2. Implement getting the server JWT.
  3. Implement getting the user JWT.
  4. Implement the logic of working with the in-game store, purchases, and inventory using the user JWT.

Note
If you use the PlayFab or Firebase authorization system, get the user JWT using Xsolla ready-made extensions for BaaS.

Set up server OAuth 2.0 client

  1. Open your project in Publisher Account and go to the Login section.
  2. Click Configure in the panel of a Login project.
  3. Go to the Security block and select the OAuth 2.0 section.
  4. Click Add OAuth 2.0.
  5. Specify OAuth 2.0 redirect URIs.
  6. Check the Server (server-to-server connection) box.
  7. Click Connect.
  8. Copy and save the client ID and secret key.

Get server JWT

On the back end of your application, implement a method to get the server JWT using the Generate JWT API call. The request must contain the following parameters:

Note
The server JWT lifetime is 59 minutes.

Get user JWT

On the back end of your application, implement a method to get the user JWT using the Auth by custom ID API call. The request must contain the X-Server-Authorization: <server_JWT> header, where <server_JWT> is the server JWT obtained in the previous step.

Note
The user JWT lifetime is 24 hours. To change it, contact your Account Manager or email integration@xsolla.com.

Use user JWT

Pass the user JWT to the XStore.init method and use the SDK methods to open the in-game store, make a payment, and manage inventory.

Implement the logic of receiving a new user JWT after its expiration. It is recommended that you get a new token in background mode so the user doesn’t have to log in to the application again.
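
The back-end half of this flow as an added example (not Xsolla's code): a cache that renews the server JWT before its 59-minute lifetime ends and sends it in the X-Server-Authorization header when exchanging a custom ID for a user JWT. `fetch_server_jwt`, `fetch_user_jwt`, `ServerJwtRejected` and the five-minute renewal margin are assumptions standing in for your own HTTP calls to the Generate JWT and Auth by custom ID API calls.

```python
import threading
import time

SERVER_JWT_LIFETIME_S = 59 * 60  # server JWT lifetime stated on this page
RENEW_MARGIN_S = 5 * 60          # assumption: renew five minutes early

class ServerJwtRejected(Exception):
    """Hypothetical: raised by fetch_user_jwt when the server JWT is refused."""

class TokenBroker:
    """Server JWT cache plus custom-ID exchange. fetch_server_jwt() and
    fetch_user_jwt(custom_id, headers) are hypothetical API-call wrappers."""

    def __init__(self, fetch_server_jwt, fetch_user_jwt, clock=time.monotonic):
        self._fetch_server_jwt, self._fetch_user_jwt = fetch_server_jwt, fetch_user_jwt
        self._clock, self._lock = clock, threading.Lock()
        self._server_jwt, self._renew_at = None, 0.0

    def server_jwt(self, force=False):
        with self._lock:  # one renewal at a time under concurrent requests
            if force or self._server_jwt is None or self._clock() >= self._renew_at:
                started = self._clock()  # count the lifetime from before the call
                token = self._fetch_server_jwt()
                if not token:
                    raise RuntimeError("Generate JWT returned no token")
                self._server_jwt = token
                self._renew_at = started + SERVER_JWT_LIFETIME_S - RENEW_MARGIN_S
            return self._server_jwt

    def user_jwt(self, custom_id):
        # custom_id must come from your own authenticated session (flow step 2),
        # never from a value the client can set freely.
        if not isinstance(custom_id, str) or not custom_id.strip():
            raise ValueError("custom_id must be a non-empty string")
        headers = {"X-Server-Authorization": self.server_jwt()}
        try:
            return self._fetch_user_jwt(custom_id, headers)
        except ServerJwtRejected:  # retry once with a fresh server JWT
            headers = {"X-Server-Authorization": self.server_jwt(force=True)}
            return self._fetch_user_jwt(custom_id, headers)

def demo():  # constructed run: fake API calls and a fake clock, no network
    now, issued = [0.0], []
    def fake_server_jwt():
        issued.append(f"server-jwt-{len(issued) + 1}")
        return issued[-1]
    def fake_user_jwt(custom_id, headers):
        return f"user-jwt:{custom_id}:{headers['X-Server-Authorization']}"
    broker = TokenBroker(fake_server_jwt, fake_user_jwt, clock=lambda: now[0])
    results = []
    for minute in (0, 30, 55):  # renewal point is minute 54
        now[0] = minute * 60.0
        results.append(broker.user_jwt("player-42"))
    return results, len(issued)
```

Keep the client ID and secret key of the server OAuth 2.0 client on the back end only; the mobile client should receive nothing but the user JWT.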

How to set up native authentication via social networks

Notice
Use this how-to when working with the Login library.

Native authentication lets users log in to your application via a social network account configured on a mobile device.

The first time a user logs in, the social networking application is launched and asks for permission to authenticate the user. After that, authentication is performed automatically without requiring the user to do anything.

Currently, the SDK implements native authentication via the following social networks:

  • Google
  • Facebook
  • WeChat
  • QQ

To configure native authentication:

  1. Configure the application in the developer account for the social network:
    1. For authentication via Facebook:
      1. Register and create a new application.
      2. Set up the application page in your Facebook developer account.
    2. For authentication via Google, set up the project in Google API Console.
    3. For authentication via WeChat:
      1. Register and create a new application.
      2. Submit the application for review.
    4. For authentication via QQ:
      1. Register and create a new application.
      2. Submit the application for review.

  2. Set up authentication via social networks on the Xsolla side:
    1. For Facebook and Google, set up social connections in Publisher Account.
    2. For WeChat and QQ, contact your Account Manager.

  3. Install libraries for authenticating via social network. To do this, open the build.gradle file of your application and in the dependencies section add the following lines, where <version_number> is the required version of the library:
    • For authentication via Facebook:

implementation 'com.xsolla.android:login-facebook:<version_number>'

    • For authentication via Google:

implementation 'com.xsolla.android:login-google:<version_number>'

    • For authentication via WeChat:

implementation 'com.xsolla.android:login-wechat:<version_number>'

    • For authentication via QQ:

implementation 'com.xsolla.android:login-qq:<version_number>'

  4. Initialize the Login library with the following parameters:
    • facebook_id: App ID from the Facebook developer account
    • google_id: Client ID for web application from the Google API Console
    • wechat_id: AppID from the WeChat developer account
    • qq_id: AppID from the QQ developer account

An example of initializing the library when authenticating via JWT:

val loginConfig = LoginConfig.JwtBuilder()
                .setProjectId("login-project-id")
                .setSocialConfig(XLogin.SocialConfig(
                     facebookAppId = "facebook_id",
                     googleServerId = "google_id",
                     wechatAppId = "wechat_id",
                     qqAppId = "qq_id"
                ))
                .build()

XLogin.init(applicationContext, loginConfig)

An example of initializing the library when authenticating via OAuth 2.0:

val loginConfig = LoginConfig.OauthBuilder()
                .setProjectId("login-project-id")
                .setOauthClientId("oauth2-client-id")
                .setSocialConfig(XLogin.SocialConfig(
                     facebookAppId = "facebook_id",
                     googleServerId = "google_id",
                     wechatAppId = "wechat_id",
                     qqAppId = "qq_id"
                ))
                .build()

XLogin.init(applicationContext, loginConfig)

  5. For authentication via WeChat, modify the application code:
    • Add the WXEntryActivity class to the <your_package_name>.wxapi package, where <your_package_name> is the name of your application package:

package <your_package_name>.wxapi

import android.app.Activity
import android.os.Bundle
import com.tencent.mm.opensdk.modelbase.BaseReq
import com.tencent.mm.opensdk.modelbase.BaseResp
import com.tencent.mm.opensdk.openapi.IWXAPI
import com.tencent.mm.opensdk.openapi.IWXAPIEventHandler
import com.tencent.mm.opensdk.openapi.WXAPIFactory
import com.xsolla.android.login.social.LoginSocial

class WXEntryActivity : Activity(), IWXAPIEventHandler {

    private lateinit var iwxapi: IWXAPI

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        iwxapi = WXAPIFactory.createWXAPI(this, LoginSocial.wechatAppId, false)
        iwxapi.handleIntent(intent, this)
        finish()
    }

    override fun onReq(req: BaseReq?) {
    }

    override fun onResp(resp: BaseResp) {
        LoginSocial.wechatResult = resp
    }
}

    • Add the following element to your AndroidManifest.xml file:

<activity
            android:name=".wxapi.WXEntryActivity"
            android:exported="true" />

Set up application page in your Facebook developer account

  1. Go to project settings in the Facebook developer account.
  2. Go to Settings > Basic.
  3. Click Add Platform and select Android.
  4. Specify the package name of your Android application in the Google Play Package Name field.
  5. Specify a fully qualified class name of the default Activity in the Class Name field.
  6. Generate a hash key and specify it in the Key Hashes field.
  7. Click Save Changes.

For further native authentication configuration, you will need App ID and App Secret found in project settings in Settings > Basic section.

Set up project in Google API Console

  1. Go to Google API Console.
  2. Click New Project.
  3. Specify Project name and Location and click Save.
  4. Go to the created project and click OAuth consent screen in the side menu.
  5. Select External option and click Create.
  6. Specify the necessary parameters and click Save.
  7. Click Credentials in the side menu.
  8. Create an OAuth 2.0 client for your Android app:

    1. Click Create credentials and select OAuth client ID.
    2. Specify Android in the Application type field.
    3. Specify Name.
    4. Specify package name of your Android application in the Package name field.
    5. Get the SHA-key.
    6. Specify the SHA-key generated in the previous step in the SHA-1 certificate fingerprint field.
    7. Click Create.
    8. Click OK.

  9. Create an OAuth 2.0 client for the web application:
    1. Click Create credentials and select OAuth client ID.
    2. Specify Web application in the Application type field.
    3. Specify Name.
    4. Click Add URI in the Authorized redirect URIs section and specify https://login.xsolla.com/api/social/oauth2/callback URI.
    5. Click Create.
    6. Click OK.

For further native authentication configuration, you will need Client ID and Client Secret found in settings of the Client ID for the web application.

Set up social connections for Login project in Xsolla Publisher Account

  1. Open your project in Publisher Account.
  2. Click Login in the side menu and go to Login projects > your Login project > Social connections.
  3. To set up authentication via Facebook:

    1. Click Edit in the Facebook panel and change status to Disconnected.
    2. Specify the App ID from the Facebook developer account in the Application ID field.
    3. Specify App Secret from the Facebook developer account in the Application Secret field.
    4. Click Connect.

  4. To set up authentication via Google:
    1. Click Edit in the Google panel and change status to Disconnected.
    2. Specify the Client ID for a web application from the Google API Console in the Application ID field.
    3. Specify the Client Secret for a web application from the Google API Console in the Application Secret field.
    4. Click Connect.

How to set up token invalidation

Notice
Use this how-to when working with the Login library.

Token invalidation improves the security of user authentication data in your application. If the option is enabled, every time the user authenticates, a new token replaces the old one, which becomes invalid.

Note
You can configure token invalidation for authentication that uses a JWT token. For OAuth 2.0 authentication, token invalidation is provided by the protocol itself and does not need to be configured separately.

When using the Login library, the existing token is invalidated and a new one is generated by the Auth by username and password and Auth via social network API calls when the with_logout parameter is set to 1.

To use token invalidation in your Android project, you need to pass the withLogout = true parameter in the XLogin.login, XLogin.startSocialAuth, and XLogin.finishSocialAuth methods.

How to implement user authentication via device ID

Notice
Use this how-to when working with the Login library.

Device ID authentication lets users start using the application on a mobile device without entering registration data. The first time a user logs in to the application using the device ID, a new account is created automatically, and the user doesn’t need to enter a username, email address, or other data.

Notice
The account created by the device ID allows using the application only on the current mobile device. Access to it is lost after changing an Android device. To save progress in the application and use the account on other devices, the user can upgrade the account by linking a social network or by entering a username, email address, and password.

With the device ID, you can implement user authentication on one or more mobile devices in the background mode. To use this function, the user should link the device ID to an existing account.

The device ID is generated by the platform and is available to applications installed on the mobile device. The SDK gets the ID value using the platform API and uses this value to perform various functions using the Xsolla API. The Android device ID is passed in the android.provider.Settings.Secure.ANDROID_ID constant.

The SDK implements methods for the functions listed below.

Authentication

| SDK method name | Description |
| --- | --- |
| authenticateViaDeviceId | Authenticates the user to the application using the current device ID. |

Account upgrade

| SDK method name | Description |
| --- | --- |
| linkEmailPassword | Adds a username, email address, and password that can be used for authentication to the current account. |
| | Links a social network that can be used for authentication to the current account. |

Notice
The listed methods can be used to upgrade an account created in any available way (e.g. by using a social network or an email address and password).

Device management

| SDK method name | Description |
| --- | --- |
| getUsersDevices | Returns a list of devices linked to the current user account. |
| | Links the specified device to the current user account. |
| | Unlinks the specified device from the current user account. |

Last updated: October 8, 2021
