Authentication

Learn about advanced setups from our how-tos.

How to set up OAuth 2.0 authentication

OAuth 2.0 uses short-lived tokens with long-term authorization (refresh tokens) instead of long-lived tokens. A refresh token allows users to stay in your application for an extended period of time without needing to re-enter their username and password. This eliminates the risk of compromising user authentication data.

Set up OAuth 2.0 for authorization:

  • via username or email and password
  • via social networks
  • via Steam

If the option is enabled, user registration and authentication are carried out by calling the Register new user and JWT auth by username and password API calls. The Login & Account System asset provides the same methods for OAuth 2.0 authorization as for JWT token authorization. When the engine first initializes an object on the scene, the Awake method is called. The method checks the expiration of the current refresh token.

Note
Enabling this setting doesn’t change the authentication process in your application for the user.

To configure OAuth 2.0 authorization:

  1. Set up OAuth 2.0 authentication for the Login project in your Publisher Account.
  2. Set up the asset in your Unity project.

Set up OAuth 2.0 authentication for Login project in your Publisher Account

  1. Go to your Publisher Account.
  2. Click Open in the Login block and go to Login projects.
  3. Click Open and set up in the Login project block.
  4. Go to General settings > Authorization.
  5. Click Connect in the OAuth 2.0 authentication block.
  6. Specify OAuth 2.0 redirect URIs and click Connect.
  7. Copy and save the Client ID.

Set up asset in your Unity project

  1. Go to your Unity project.
  2. Click Window > Xsolla > Edit Settings in the main menu.
  3. In the Inspector panel:
    1. In the Authorization method field, select OAuth2.0.
    2. In the OAuth2.0 client ID field, specify the Client ID received when setting up OAuth 2.0 in Publisher Account.

The following methods are implemented in Login & Account System asset to work with refresh tokens:

  • IsOAuthTokenRefreshInProgress — returns true while the token refresh is in progress, false otherwise.
  • ExchangeCodeToToken — exchanges the user’s authentication code for a valid JWT.

The oauthState argument found in the GetSocialNetworkAuthUrl method is used for additional user verification during OAuth 2.0 authentication. This argument is used to mitigate possible CSRF attacks.
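One way to produce and check the value passed as oauthState, shown as an added example that is not part of the Xsolla SDK. The class name OAuthStateGuard, the 10-minute limit and the idea that your redirect handler receives the returned state as a string are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not an SDK class): one instance per login attempt.
public sealed class OAuthStateGuard
{
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(10); // assumed limit
    private string _pending;      // state issued for the attempt in flight
    private DateTime _issuedUtc;

    // Returns an unguessable value to pass as the oauthState argument
    // of GetSocialNetworkAuthUrl.
    public string Issue()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        // base64url so the value survives a query string unchanged
        _pending = Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _issuedUtc = DateTime.UtcNow;
        return _pending;
    }

    // Checks the state that came back with the authentication code.
    // Single use: the pending value is cleared on every attempt, pass or fail.
    public bool Verify(string returned)
    {
        string expected = _pending;
        _pending = null;
        if (expected == null || returned == null) return false;
        if (DateTime.UtcNow - _issuedUtc > MaxAge) return false;
        return FixedTimeEquals(Encoding.UTF8.GetBytes(expected),
                               Encoding.UTF8.GetBytes(returned));
    }

    // Comparison whose duration does not depend on where the inputs differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Call Verify before exchanging the code for a token, and drop the response when it returns false.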


How to use your own login system

Notice
Use this how-to when working only with the following assets:
  • Game Commerce
  • Cross-Buy

You can integrate Game Commerce and Cross-Buy assets with your own login system. To do this, you need to implement user authentication in your application via Pay Station access token. See the authentication algorithm in the In-Game Store documentation.

To use your own login system:

  1. Configure the asset for your Unity project.
  2. Implement the logic of processing the Pay Station access token.

Configure the asset for your Unity project

  1. Go to your Unity project.
  2. Click Window > Xsolla > Edit Settings in the main menu. In the Inspector panel, select the Access Token value in the Authorization method field.
  3. In the Authorization server URL field, specify the address of the authorization server.

Logic of processing the Pay Station access token

  1. For authorization, use the GetUserAccessToken method that returns the Pay Station access token received from the server side of the application.
  2. Use the obtained token in the Game Commerce or Cross-Buy asset methods instead of the JWT token.
  3. Implement the logic of receiving a new Pay Station access token after its expiration. It is recommended that you get a new token in the background mode, so the user doesn’t have to log in to the application again.

Note
The lifetime of the Pay Station access token when working with the in-game store and inventory is 1 hour after the last call to the Xsolla API. To change the lifetime of the Pay Station access token, contact your Account Manager.
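A sketch of the bookkeeping behind step 3, written for this page as an added example and not taken from the Xsolla assets. The class PayStationTokenCache, the 5-minute margin and the assumption that the one-hour window starts when the token is issued are illustrative; fetching the token from your server stays in your own code.

```csharp
using System;

// Hypothetical cache (not an asset class) for a token whose lifetime
// is one hour after the last call to the Xsolla API.
public sealed class PayStationTokenCache
{
    private static readonly TimeSpan IdleLifetime = TimeSpan.FromHours(1);    // from the note above
    private static readonly TimeSpan RefreshMargin = TimeSpan.FromMinutes(5); // assumed margin

    private readonly object _gate = new object();
    private string _token;
    private DateTime _lastApiCallUtc;

    // Store a token just received from the server side of the application.
    public void Store(string token, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token))
            throw new ArgumentException("empty token", nameof(token));
        lock (_gate) { _token = token; _lastApiCallUtc = nowUtc; }
    }

    // Call right before each Xsolla API request. Returns null when no token
    // is held or it has already idled out, so the caller must fetch a new one.
    public string TakeForApiCall(DateTime nowUtc)
    {
        lock (_gate)
        {
            if (_token == null || nowUtc - _lastApiCallUtc >= IdleLifetime)
            {
                _token = null;
                return null;
            }
            _lastApiCallUtc = nowUtc; // each API call restarts the one-hour window
            return _token;
        }
    }

    // Poll from a background task; true means a new token should be fetched now.
    public bool ShouldRefresh(DateTime nowUtc)
    {
        lock (_gate)
            return _token == null
                || nowUtc - _lastApiCallUtc >= IdleLifetime - RefreshMargin;
    }

    // Drop the token on logout or when the API rejects it.
    public void Clear() { lock (_gate) _token = null; }
}
```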

How to set up native authentication via social networks

Native authentication lets users log in to your application via a social network account configured on a mobile device.

The first time a user logs in, the social networking application is launched and asks for permission to authenticate the user. After that, authentication is performed automatically without requiring the user to do anything.

Currently, the SDK implements native authentication via the following social networks:

  • Google
  • Facebook
  • WeChat
  • QQ

To configure native authentication:

  1. Create your Unity project build for Android.
  2. Configure the application in the developer account for the social network:
    1. For authentication via Facebook:
      1. Register and create a new application.
      2. Set up the application page in your Facebook developer account.
    2. For authentication via Google, set up the project in Google API Console.
    3. For authentication via WeChat:
      1. Register and create a new application.
      2. Submit the application for review.
    4. For authentication via QQ:
      1. Register and create a new application.
      2. Submit the application for review.

  3. Set up authentication via social networks on the Xsolla side:
    1. For Facebook and Google, set up social connections in Publisher Account.
    2. For WeChat and QQ, contact your Account Manager.
  4. Set up the asset for your Unity project.

Create Unity project build for Android

  1. Go to your Unity project.
  2. Click File > Build settings in the main menu.
  3. Click Android in the Platform panel.
  4. Click Build.
  5. Make sure that the hash key is formed:
    1. Click Window > Xsolla > Edit Settings in the main menu.
    2. Make sure that the hash key appears in the Android debug hash key field.

For further native authentication configuration you will need:

  • Package Name found in the Inspector panel after selecting the Android platform in File > Build settings.
  • Android class name found in Window > Xsolla > Edit Settings > Inspector > Android class name.
  • Android debug hash key found in Window > Xsolla > Edit Settings > Inspector > Android debug hash key.

Set up application page in your Facebook developer account

  1. Go to project settings in the Facebook developer account.
  2. Go to Settings > Basic.
  3. Click Add Platform and select Android.
  4. Specify Package Name from your Unity project in the Google Play Package Name field.
  5. Specify Android class name from your Unity project in the Class Name field.
  6. Specify Android debug hash key from your Unity project in the Key Hashes field.
  7. Click Save Changes.

For further native authentication configuration, you will need App ID and App Secret found in project settings in Settings > Basic section.

Set up project in Google API Console

  1. Go to Google API Console.
  2. Click New Project.
  3. Specify Project name and Location and click Save.
  4. Go to the created project and click OAuth consent screen in the side menu.
  5. Select External option and click Create.
  6. Specify the necessary parameters and click Save.
  7. Click Credentials in the side menu.
  8. Create an OAuth 2.0 client for your Unity application:

    1. Click Create credentials and select OAuth client ID.
    2. Specify Android in the Application type field.
    3. Specify Name.
    4. Specify Package Name from your Unity project in the Package name field.
    5. Specify Android debug hash key from your Unity project in the SHA-1 certificate fingerprint field.
    6. Click Create.
    7. Click OK.

  9. Create an OAuth 2.0 client for the web application:
    1. Click Create credentials and select OAuth client ID.
    2. Specify Web application in the Application type field.
    3. Specify Name.
    4. Click Add URI in the Authorized redirect URIs section and specify https://login.xsolla.com/api/social/oauth2/callback URI.
    5. Click Create.
    6. Click OK.

For further native authentication configuration, you will need Client ID and Client Secret found in settings of the Client ID for the web application.

Set up social connections for Login project in Xsolla Publisher Account

  1. Open your project in Publisher Account.
  2. Click Login in the side menu and go to Login projects > your Login project > Social connections.
  3. To set up authentication via Facebook:

    1. Click Edit in the Facebook panel and change status to Disconnected.
    2. Specify the App ID from the Facebook developer account in the Application ID field.
    3. Specify App Secret from the Facebook developer account in the Application Secret field.
    4. Click Connect.

  4. To set up authentication via Google:
    1. Click Edit in the Google panel and change status to Disconnected.
    2. Specify the Client ID for a web application from the Google API Console in the Application ID field.
    3. Specify the Client Secret for a web application from the Google API Console in the Application Secret field.
    4. Click Connect.

Set up asset for your Unity project

  1. Go to your Unity project.
  2. Click Window > Xsolla > Edit Settings in the main menu.
  3. Specify the application ID:
    1. Specify App ID from the Facebook developer account in the Facebook App ID field.
    2. Specify Client ID for a web application from the Google API Console in the Google server ID field.
    3. Specify AppID from the WeChat application settings in the WeChat App ID.
    4. Specify AppID from the QQ application settings in the QQ App ID.


How to set up native authentication via Steam

Native authentication allows players to enter your application via the installed Steam application.

To set up native authentication:

  1. Set up silent authentication via Steam in Publisher Account.
  2. Configure your Unity project.
  3. Configure processing of events.
  4. Ensure authentication via Steam.

Configure your Unity project

  1. Manually create a steam_appid.txt file and type your application ID in Steam there. Then, place this file in the Assets catalog of your project.

Note
If you downloaded an asset from GitHub, you will find the steam_appid.txt file in the Assets catalog. This file includes the application ID in Steam for a demo project.

  2. Open your Unity project.
  3. In the main menu, go to Window > Xsolla > Edit Settings.
  4. In the Inspector panel:
    1. Check the Use Steam authorization box.
    2. In the Steam App ID field, specify your application ID in Steam. The value should be the same as the value in the steam_appid.txt file.

Configure processing of events

To authenticate users via Steam, you should get a session ticket via the SteamAuth method. Pass the received value when calling the RequestTokenBy method. As a result, you get the token that is used when calling the API.

Ensure authentication via Steam

  1. Create the build of your Unity project for a stand-alone platform.
  2. Launch Steam and log in.
  3. Launch your application. If everything is correct, the Steam pop-up window appears.


How to set up token invalidation

Token invalidation allows for improved security of user authentication data in your application. If the option is enabled, every time the user authenticates, a new token replaces the old one, which becomes invalid.

Note
You can configure token invalidation for authentication that uses a JWT token. For OAuth 2.0 authentication, token invalidation is provided by the protocol itself and does not need to be configured separately.

When using the SDK, the existing token is invalidated and a new one is generated by the Auth by username and password and Auth via social network API calls if the with_logout parameter is set to 1.

To enable token invalidation in your Unity project:

  1. In the main menu, go to Window > Xsolla > Edit Settings.
  2. In the Inspector panel, check the Enable JWT invalidation box.


How to set up authorization in application via Launcher

You can use Xsolla Launcher to deliver your application to users and update it. The Launcher contains a built-in authorization tool. To avoid the need to re-enter username and password, set up authorization in your application via the Launcher.

Notice
To use the Launcher, you need to configure Login. Using a different authorization system is not supported.

Set up SDK and Launcher to work together

  1. Set up Launcher in your Publisher Account.

Note
In the config.json file, it is enough to change the values for the following objects:
  • launcher_project_id — specify Launcher ID found in Publisher Account > Launcher > General settings > General info
  • login_project_id — specify Login ID found in Publisher Account > Launcher > General settings > Authentication

  2. Customize the launcher UI.

Notice
SDK integration with Xsolla servers uses Commerce API calls, so the Launcher store is not supported.

  3. Implement the Launcher authorization logic in your application.
  4. Generate a launcher installation file and a build archive.
  5. Create an application build.
  6. Upload the application build to the Xsolla update server.

Implement the logic of authorization via Launcher

When the application starts, the Launcher passes the parameter list via the command line. The authorization token is passed in the xsolla-login-token parameter. Validate the received token. If the token is validated successfully, authorize the user in the application.

See an example of the described logic implementation in the demo project.
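The start-up handling described above, as an added example that is not the demo project's code. It assumes the parameter arrives as "--xsolla-login-token <value>" or "--xsolla-login-token=<value>" and that the token is a JWT with an exp claim; LauncherToken and JwtClaims are hypothetical names. The local check only rejects malformed or expired input early and does not replace the validation step.

```csharp
using System;
using System.Text;
using UnityEngine;

[Serializable]
public class JwtClaims { public long exp; } // only the claim this check needs

// Hypothetical helper (not from the demo project).
public static class LauncherToken
{
    private const string Key = "xsolla-login-token"; // parameter name from the page

    // Pass Environment.GetCommandLineArgs(). Returns null when the parameter is absent.
    public static string FromArgs(string[] args)
    {
        for (int i = 0; i < args.Length; i++)
        {
            string a = args[i].TrimStart('-');
            if (a == Key) return i + 1 < args.Length ? args[i + 1] : null;
            if (a.StartsWith(Key + "=", StringComparison.Ordinal))
                return a.Substring(Key.Length + 1);
        }
        return null;
    }

    // Local pre-check: three dot-separated segments and an unexpired exp claim.
    // It does not verify the signature.
    public static bool LooksUsable(string token, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 3) return false;
        try
        {
            string json = Encoding.UTF8.GetString(FromBase64Url(parts[1]));
            JwtClaims claims = JsonUtility.FromJson<JwtClaims>(json);
            return claims != null && claims.exp > now.ToUnixTimeSeconds();
        }
        catch (FormatException) { return false; }   // payload is not base64url
        catch (ArgumentException) { return false; } // payload is not JSON
    }

    private static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }
}
```

Keep the token out of logs and crash reports, since command-line arguments are easy to capture.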

Create an application build

  1. Go to your Unity project.
  2. Click Window > Xsolla > Edit Settings in the main menu. In the Inspector panel:
    1. In the Project ID field, specify the Project ID found in Publisher Account > Project settings > Project ID.
    2. In the Login ID field, specify the Login ID found in Publisher Account > Launcher > General settings > Authentication.

  3. Run the user authorization scene, where the token is processed.
  4. Click File > Build settings in the main menu and then click Add Open Scenes. Make sure the authorization scene is added first in the list.
  5. Click Build.
  6. In the pop-up window, specify the path to the directory where the finished build will be placed.

Last updated: June 5, 2021
