How to verify the player on a backend server?

Hello everyone,

I’m looking for some best practices for verifying the player’s identity combined with the various GameNetwork libraries. For example, Amazon Game Circle, Google Play Games, Apple Game Center all have functions that load the current player and return a “playerID”:

gameNetwork.request("loadLocalPlayer", { listener = function (event) local playerID = event.playerID; end });

The playerID is nice because it gives me the unique identity of the player that I can use to associate information about the player on my backend. The problem is that relying on this alone does not verify the player is who they say they are; anyone could pass a “playerID” to the backend and perform whatever action they want. The quick and dirty route would require the user to sign up/log in, but I’d like to avoid that so the experience is seamless.

The other alternative is requesting a token from the Google Play Games (http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html) and verifying that token on the server side. Obviously, Corona does not support this API call, and I’m not aware of the equivalent API calls on other platforms.

Does anyone know another way to securely store player’s information?

Albert

Facebook id and access token could work
https://docs.coronalabs.com/plugin/facebook-v4/getCurrentAccessToken.html

Edit: I think you Facebook id and Facebook app id. I would also encrypt your data to prevent tampering.

Thanks, that’s a good fallback method I’ll consider using.

And, I’d send everything over SSL.

If I purchase a Commercial license to Corona, I can write my own plugins to talk with the various Game Networks right? In other words, I could write my own integration with Google Play Games and write code to get the Access Token?

Yes, and when you’re done you should consider making a Google Play services plugin :)

http://feedback.coronalabs.com/forums/188732-corona-sdk-feature-requests-feedback/suggestions/5695759–plugin-turn-based-multiplayer-and-ios-support-fo

Unless Corona is about done with theirs.

But back to the question: yes, with Corona Enterprise (paid version) you can write plugins in native code to talk to Corona.

Unless you do gpgs for iOS and Android, the id will change and you won’t be able to transfer data between Android or iOS, which is a nice feature. Another thing is most access tokens change, so I don’t know how safe that is to use.

The access token is supposed to change, the idea is that the player ID stays the same, the access token changes each time they open the game. My backend verifies the access token with Google Play Game Services and issues a session ID to the player. All of this is done in SSL and helps me verify the player is who they say they are.

It looks like Amazon has a similar feature available, all I need to know is if iOS also has a similar feature and then I’ll likely upgrade to enterprise.

What would be nice is the ability to write Win32/.NET DLLs, but that’s for another thread.

Thanks again for your help,

Albert
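
Added example, not part of the thread and not Corona or Google code: a sketch of the backend flow described in the post above, where the server takes the player's identity from the provider's answer to a token check and then issues its own expiring session ID. SessionIssuer, verify_token, SESSION_TTL and FAKE_PROVIDER are hypothetical names, and the provider is replaced by a constructed lookup table so the code runs offline.

```python
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed session lifetime for this example


class SessionIssuer:
    """Exchanges a provider-verified token for a short-lived session ID."""

    def __init__(self, verify_token, now=time.time):
        # verify_token(token) -> player ID string, or None if rejected.
        # Hypothetical hook: in production it wraps the game network's
        # server-side token verification call, made over TLS.
        self._verify_token = verify_token
        self._now = now
        self._sessions = {}  # session_id -> (player_id, expires_at)

    def login(self, claimed_player_id, token):
        verified_id = self._verify_token(token)
        # Identity comes from the provider's answer, never from the client.
        if verified_id is None or not secrets.compare_digest(
                verified_id.encode(), str(claimed_player_id).encode()):
            return None
        session_id = secrets.token_urlsafe(32)  # unguessable, server-generated
        self._sessions[session_id] = (verified_id, self._now() + SESSION_TTL)
        return session_id

    def player_for(self, session_id):
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        player_id, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[session_id]  # expired: force a fresh login
            return None
        return player_id


# Constructed stand-in for the provider: tokens it "issued" -> player IDs.
FAKE_PROVIDER = {"tok-alice-1": "g1234", "tok-bob-1": "g5678"}


def demo():
    clock = [1000.0]
    issuer = SessionIssuer(FAKE_PROVIDER.get, now=lambda: clock[0])
    forged = issuer.login("g1234", "made-up-token")  # bare playerID, bad token
    swapped = issuer.login("g1234", "tok-bob-1")     # valid token, other player
    sid = issuer.login("g1234", "tok-alice-1")       # genuine login
    who = issuer.player_for(sid)
    clock[0] += SESSION_TTL + 1
    expired = issuer.player_for(sid)
    return forged, swapped, who, expired
```

Every later request carries only the session ID, and the backend looks the player up with player_for instead of reading a playerID from the request body.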

You should be able to do this on iOS: http://stackoverflow.com/questions/17408729/how-to-authenticate-the-gklocalplayer-on-my-third-party-server

Let’s not discuss this here, but here is how to make plugins for Windows:

https://forums.coronalabs.com/topic/62012-creating-plugins-for-desktop-apps/?p=321875

Whenever you have to use your Facebook authentication and get the authentication code, and you are a verified user of Facebook then you will peep inside and will get information about any of the players.
