3rd-Party Login Integration

Overview

AccelByte Cloud provides 3rd-party login integration and single sign-on (SSO) to enable players to log into your game or platform with a credential from a 3rd-party. To use 3rd-party credentials to sign into your game or platform for the first time, a player must first create an AccelByte account. If they don't have an AccelByte account, the system will create a headless account (an account without an email address) for them. You can offer the player the option to upgrade their headless account to a full account in your game or on your platform. Players need to provide an email address and date of birth to create a full account.

After players create a full account, they can then link their accounts from other 3rd-party platforms to it. This enables cross-progression, or the ability for players to access their game data and continue play from different platforms.

Supported Platforms

Here’s a table showing the platforms we support and the features they offer:

3rd-party login In-app purchases Entitlements Device ID* Y N N Apple Y Y N AWS Cognito Y N N Discord Y N N Epic Online Services Y Y Y Facebook Y N N Google Y Y N Microsoft Azure** Y N N Netflix Y N N Nintendo Y Y Y OpenID Connect Y N N PlayStation 4 and 5 Y Y Y Snapchat Y N N Stadia Y Y Y Steam Y Y Y Twitch Y Y Y Xbox Live Y Y Y

Device ID*

Device ID can refer to a computer’s serial number, the IMEI of a mobile device, or some other unique identifier. Device ID can be used both for testing and as an easy way for players to log into mobile games without an account.

Microsoft Azure**

3rd-party login using Microsoft Azure credentials is for the Admin Portal only. It’s intended to give teams that already have Microsoft accounts a quick way to access the Admin Portal without having to first have an account created for them.

Prerequisites

Before implementing 3rd-party logins, make sure you’ve done the following:

• Create a Game Namespace
• Invite an Admin User
• Create a Client
• Integrate the AccelByte SDK

Permissions

Permissions (opens new window) are used to grant access to specific resources within our services. Make sure your account has the following permissions before you attempt to integrate 3rd-party login in the Admin Portal. For a full list of permissions that impact identity access management, see the IAM tab of the permissions reference (opens new window).

Usage	Permission Tag	Action
Add SSO Platform Credential	ADMIN:NAMESPACE:{namespace}:PLATFORM:{platformId}:SSO	Create
Add 3rd-Party Platform Credential	ADMIN:NAMESPACE:{namespace}:PLATFORM:{platformId}:CLIENT	Create

Permissions work slightly differently depending on whether they are assigned to IAM Clients or Roles assigned to users. For more information, read the Authentication and Authorization documentation.

Enable Login Methods using 3rd-Party Platforms in the Admin Portal

Enabling 3rd-party login methods consists of configuring the login from your chosen platform in the Admin Portal, using our SDK to retrieve the authentication token for that platform, then logging players in with their 3rd-party credentials.

3rd-party login methods can either be configured in a game namespace, or in the publisher namespace. When you configure the login from a 3rd-party platform within a game namespace, only that game will be accessible using the credentials from the configured platform.

Follow the steps below to set up the 3rd-party configuration in the Admin Portal:

1. Go to the namespace you want to configure.

2. Go to the User Management section of the main menu and select Login Methods.

   

3. On the Login Methods page, click the Add New button.

   

   The Login Platform Configuration page displays the available login platforms.

4. Choose the login platform you want to configure.

   

   The Create Configuration form for the login platform you selected will appear.

5. In the Redirect URI field, input the URI that the user will be directed to once the account authorization is successful. The default URI is http://127.0.0.1.

   Device ID

   

   In the Redirect URI field, input the URI that the user will be directed to once the account authorization is successful. The default URI is http://127.0.0.1.

   Apple

   IMPORTANT

   Currently we only support 3rd-party login integration for your Apple Developer Portal website or web platform using these credentials. In-game login is not yet supported.

   

Complete the fields using the settings from the Apple Developer Portal for your game.

AWS Cognito

Complete the fields as follows:

• Input the User Pool ID (opens new window) that you created in the AWS Cognito console for your game in the AWS Cognito User Pool field.
• Input the desired AWS Cognito Region (opens new window) code in the AWS Cognito Region field, e.g. us-west-1.

Discord

Complete the fields as follows:

• Input the Client ID that you set in the Discord Developer Portal (opens new window) in the Client ID field.
• Input the Client Secret that you set in the Discord Developer Portal (opens new window) in the Client Secret field.
• Input the default Discord URI http://127.0.0.1](http://127.0.0.1). in the Redirect URI field.

Epic Online Services

Complete the fields as follows:

• Input the Client ID that you set in the Epic Developer Portal for your game in the Client ID field.
• Input the Client Secret that you set in the Epic Developer Portal for your game in the Secret field.
• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. The default URI for EOS is http://127.0.0.1.

Facebook

IMPORTANT

Currently we only support 3rd-party login integration for your website or web platform using these credentials. In-game login is not yet supported.

Complete the fields as follows:

• Input the Client ID that you set in the Facebook Developer Portal for your app in the Client ID field.
• Input the Client Secret that you set in the Facebook Developer Portal for your game in the Secret field.
• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. The default URI for Facebook is {baseURL}/iam/v3/platforms/facebook/authenticate.

NOTE

To complete the setup, you’ll also have to configure the Redirect URI in the Facebook Developer Portal.

Google

IMPORTANT

Currently we only support 3rd-party login integration for your website or web platform using these credentials. In-game login is not yet supported.

Complete the fields as follows:

• Input the Client ID from your Google IAM Client Google Developer Console (opens new window) account in the Client ID field.
• Input the Secret from your Google IAM Client Google Developer Console account in the Secret field.
• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. The Redirect URI should direct the player back to your server after they successfully log in.

Microsoft Azure

You can enable 3rd-party login using Microsoft Azure credentials for the Admin Portal. This gives teams that use Microsoft accounts an easy way to access the Admin Portal without having to have an account created for them.

IMPORTANT

In addition to the steps below, there are some tasks that must be performed in the Azure Portal to enable 3rd-party login using Microsoft Azure. Please contact AccelByte if you need assistance.

Complete the fields as follows:

• Input the Entity ID from your Basic SAML Configuration in the App ID field.
• Input the Reply URL from your Basic SAML Configuration in the ACS URL field.
• Input the App Federation Metadata URL from the SAML Signing Certificate in the Federation Metadata URL field.

Netflix

Complete the fields as follows:

• Select your environment type in the Environment field. You can choose from the following options:

  Environment

  Environment	Purpose
  Production	Development
  Live Production	QA

• Upload .pem files for the Root Certificate, Public Certificate, and Encrypted Private Key.

NOTE

You can download the mTLS certificate on the mTLS tab in your Netflix Partner Account Manager (opens new window).

Nintendo

Input the Application ID for your application in the App ID field. You can find your Application ID in your product information in the Nintendo Developer Portal.

OpenID Connect

1. Fill the Platform Identity Provider form with the following information:

   • Input the 3rd-party platform name in the Platform Name field.
   • Input the platform identity provider of your selected 3rd-party platform in the Platform ID field.
   • Choose the Authentication Type from the dropdown. You can choose either an ID Token or Authorization Code.
   • Input the 3rd-party JWKS in the JWKS URL field.
   • Input the authorization server's issuer identifier in the Issuer field. This identifier is an URL that uses the https scheme and has no query or fragment components.
   • Input the Client ID of your selected platform in the Client ID field.

   NOTE

   The way in which you obtain your Client ID will differ across providers. Please check your provider's documentation for more information.

2. When you’re finished, click Next.

3. Fill the Token Claims Mapping form with the following information:

   

   • Input the name of the ID Token Claim’s field that contains the user’s name in the Field Name in ID Token field.
   • Input the email of the ID Token Claim’s field that contains the user’s email in the Field Email in ID Token field.
   • Input the profile picture URL of the ID Token Claim’s field that contains the user’s profile picture URL in the Field Profile Picture URL in ID Token field.
   • Input the identity of the ID Token Claim’s field that contains the user’s identity in the Field User Identity in ID Token field.

   TIP

   For more information on token claims, see OpenID’s documentation (opens new window).

4. When you’re finished, click Create.

PSN Web Login

Complete the fields as follows:

• Input the Client ID for your game in the PlayStation App Server in the Client ID field.

• Input the Client Secret for your game in the PlayStation App Server in the Client Secret field.

• Select your environment type in the Environment field. You can choose from the following options:

  Environment

  Environment	Purpose
  sp-int	Development
  prod-qa	QA
  np	Live Environment

• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. For PS4, the default URI is orbis://games.

PS4 SDK Login

Complete the fields as follows:

• Input the Client ID for your game in the PlayStation App Server in the Client ID field.

• Input the Client Secret for your game in the PlayStation App Server in the Client Secret field.

• Select your environment type in the Environment field. You can choose from the following options:

  Environment

  Environment	Purpose
  sp-int	Development
  prod-qa	QA
  np	Live Environment

• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. For PS4, the default URI is orbis://games.

PS5 SDK Login

Complete the fields as follows:

• Input the Client ID for your game in the PlayStation App Server in the Client ID field.

• Input the Client Secret for your game in the PlayStation App Server in the Client Secret field.

• Select your environment type in the Environment field. You can choose from the following options:

  Environment

  Environment	Purpose
  sp-int	Development
  prod-qa	QA
  np	Live Environment

• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. For PS5, the default URI is orbis://games.

Snapchat

Complete the fields as follows:

• Input the Client ID in the Client ID field.
• Input the Client Secret in the Client Secret field.
• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. This URI should direct the player back to your server after they successfully log in.

Stadia ID

Complete the fields as follows:

• Input your game’s Stadia Account ID in the Client ID field.
• Upload the Service Account in .json format.

Stadia Web

Complete the fields as follows:

• Input your game’s Stadia Account ID in the Client ID field.
• Input your game’s secret in the Client Secret field.
• Input your Organization ID.
• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. For Stadia Web, the default URI is http://127.0.0.1.

Steam Web Login

Complete the fields as follows:

• Input your Publisher Web API Key in the Steam Web API Key field.
• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. The default URI for Steam is http://127.0.0.1.

Steam SDK Login

Complete the fields as follows:

• Input Steam’s App ID for your game in the App ID field. For testing purposes, you can also input 480 which is the ID for Steam’s test game.
• Input your Publisher Web API Key in the Steam Web API Key field.
• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. For in-game login, use the default URI which is http://127.0.0.1.

Twitch

Complete the fields as follows:

• Input the Client ID in the Client ID field.
• Input the Client Secret in the Client Secret field.
• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. The Redirect URI should direct the player back to your server after they successfully log in.

Xbox SDK Login

Upload the Relying Party Private Key for your game in .pem format in the Relying Party Private Key field.

Xbox Web Login

Complete the fields as follows:

• Input the Client ID that you’ve set in the Azure Portal (opens new window) for your game in the Client ID field.
• Input the Client Secret that you set in the Azure Portal (opens new window) for your game in the Client Secret field.
• Input the URI that the user will be directed to once the account authorization is successful in the Redirect URI field. For Xbox Live, the default URI is http://127.0.0.1.

Log in using 3rd-Party Platform Credentials with Two-Factor Authentication Enabled

These functions allow your players to log into your game using a verified account linked to a 3rd-party account. See our two-factor authentication (opens new window) documentation for more information about setting up authenticators.

3rd-Party Authentication App

Before a player can log in, you will need to enable two-factor authentication with your 3rd-party authentication app.

Backup Code

Before a player can log in, you will need to enable two-factor authentication with the Backup Code method and save this backup code.

SSO Configurations

Single Sign-On (SSO) enables players to log in with a single credential to access several independent services. To enable SSO we use Discourse, which is an open-source discussion platform that can be used as a mailing list.

Create a New Discourse Configuration

1. Go to the Admin Portal, and click on the SSO Configurations menu.

   

2. Click the Configure Now button to add a new configuration.

   

   The Add Discourse Configuration will appear.

   

   • Input the URL to which players will be redirected in the SSO URL field.
   • Input the Secret Key from Discourse in the Secret Key field.
   • Input the API Key from Discourse in the API Key field

   When you’re finished, click Submit.

3. After creating the configuration, it will be accessible from the Discourse SSO Configuration panel on the SSO Configurations page.

   

Register a Google Domain

To enable SSO with Google credentials in the Admin Portal, you must first register the Google domain name that members of your organization will use to access the Admin Portal. You can also associate roles (opens new window) and IAM clients (opens new window) with a domain, allowing you to control what users under that domain can access. Multiple domains can be registered and configured independently.

NOTE

You must be in the publisher namespace to register a Google domain.

1. In the publisher namespace of the Admin Portal, click Login Methods.

2. On the Login Platform Configuration page, find the Google configuration and click View under the Action column.

   

3. On the Login Platform Configuration page, scroll to the Domain section.

4. Click the Register Domain button.

   

5. The Register Domain form appears. Fill in the fields with the following information:

   • Enter the target Google domain in the Domain Name field.
   • Select any IAM Client you want users from that domain to be able to access from the Clients dropdown. You can choose more than one client.
   • Select the default role for users from that domain from the Default Role dropdown.

   

When you’re finished, click Save.

Implement 3rd-Party Login Integration Using the Client SDKs

Enable Login with 3rd-Party Platform Credentials

For a player to log into your game or platform with 3rd-party credentials, the game needs to pass the Auth token from the 3rd-party platform whose credentials the player is using to the publisher platform.

Retrieve the Authentication Token

Device ID

The Device ID Auth token is whatever is retrieved by either Unity or Unreal Engine. To retrieve the Device ID Auth token, use the following function:

Apple

AWS

For Unity, you can get the Auth token by using the AWS SDK for .NET. For Unreal Engine you can use the AWS C++ SDK. Here is an example of how to get an AWS Cognito Auth token:

You can also get an Auth token by making a HTTP Request, as seen in the example below.

For more details about setting up platform authentication, refer to the AWS documentation.

Epic Online Service (EOS)

For Unity, you can get the Auth token for EOS by using the EOS SDK. For Unreal Engine you can use the EOS C# SDK. Here are the functions to retrieve the EOS Auth token:

Google

Prerequisites

Before setting up Google in-game logins, make sure to:

• Obtain OAuth credentials in the Google Cloud Platform.
• Set up Google services in your Google Cloud Platform.
• Download and set up Android Studio in your Unreal Engine environment.
• Set up your test device for development (opens new window).
• Configure your Google credentials (opens new window) in the Cloud Admin Portal.

Implementation

The Online Subsystem Google currently provided by Unreal Engine requires some changes before it can work.

1. Go to the Unreal Engine installation path and open the GoogleLogin.java located in Engine\Plugins\Online\OnlineSubsystemGoogle\Source\ThirdParty\Android\Java\. Make the following changes:

• Go to public boolean init(String inClientId, String inServerClientId) and scroll down to uncomment .requestServerAuthCode(serverClientId).

// Configure sign-in to request the user's ID, email address, and basic
// profile. ID and basic profile are included in DEFAULT_SIGN_IN.
GoogleSignInOptions gso = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
        .requestIdToken(serverClientId)
        .requestProfile()
        .requestServerAuthCode(serverClientId)
        .requestEmail()
        .build();
 
// Build a GoogleSignInClient with the options specified by gso.
mGoogleSignInClient = GoogleSignIn.getClient(activity. gso);

• Go to private String getAuthTokenJsonStr(GoogleSignInAccount acct). Change access_token from "androidInternal" to acct.getServerAuthCode().

private String getAuthTokenJsonStr(GoogleSignInAccount acct)
{
    if (acct != null)
    {
        return "{\access_token\":\"" + acct.getServerAuthCode() + "\"," +
                "\"refresh_token\":\"androidInternal\"," +
                "\"id_token\":\""+ acct.getIdToken() + "\"}";
    }
    return "";
}

2. Go to the Unreal Engine installation path Engine\Plugins\Online\OnlineSubsystemGoogle\Source\ and find OnlineSubsystemGoogle.Build.cs. Make the following changes:

• Go to the constructor and add bool bUsesRestfulImpl = false;.

using ...

public access OnlineSubsystemGoogle : ModuleRules
{
    public OnlineSubsystemGoogle(ReadOnlyTargetRules Target) : base(Target)
    {
        bool bUsesRestfulImpl = false;
        PrivateDefinitions.Add(item: "ONLINESUBSYSTEMGOOGLE_PACKAGE=1");
        PCHUsage = ModuleRules.PCHUsageMode.UseExplicitOrSharedPCHs;

        PrivateIncludePaths.Add(Item: "Private");

3. When you're finished, compile the C++ code again to make sure all the changes have been saved and included when packaging the Android build.

UI Implementation

The example below utilizes blueprints to implement all the Login functionalities. To create a widget for Google login, use the following steps in Unreal Editor to create a login flow.

1. Show External Login UI from the Online Subsystem GooglePlay.
2. Login with Native Platform from the Online Subsystem Google.
3. Retrieve the Server Auth Code to Login with AccelByte.

TIP

If you have already connected your Android device with your PC/laptop, you can simply run Install_AccelByteUe4SdkDemo-Android-Shipping-arm64.bat (for x64)/Install_AccelByteUe4SdkDemo-Android-Shipping-armv7.bat (for x86). This file will automatically run the installation on your device.

Nintendo

You can enable login with Nintendo credentials using the Unreal Engine OSS by following the steps below.

Prerequisites

• You must be a Nintendo Developer (opens new window) and have the Nintendo Dev Kit for deployment.
• You must have downloaded and set up the Nintendo Online Subsystem (opens new window) in your Unreal Engine environment.

Configuration

1. In BaseSwitchEngine.ini under Engine/Platforms/Switch/Config, set StartupAccountMode to Required.

2. You can now call Nintendo login using the OSS by using IOnlineSubsystem::Get()->GetIdentityInterface()->Login().

Netflix

Use the following function to retrieve the Netflix GamerAccessToken:

PS4

IMPORTANT

This configuration can only be used for PS4 games, not PS4 Cross-Gen games. For PS4 Cross-Gen games, use PS5 as the platform.

For Unity, you can get the Auth code by using NpToolkit. For Unreal Engine, you can use OnlineSubsystemPS4 which is already included in Unreal Engine.

PS5

For PS5, you can get the Auth code by using the function below. For now, only Unreal Engine is supported.

Snapchat

When Snapchat Auth is complete, the page will be redirected to <redirec_uri>?code=<logincode>. If the URL value contains BaseUrl, the login code should be available. Check every URL to ensure they have changed correctly.

Stadia

For Stadia, you can get the Auth code by requesting a user's JWT token, or you can use the Stadia Platform Support package. For now, only Unity is supported.

Steam

To get the Steam Auth ticket in Unity, use the tickets obtained from Steamworks.NET. For Unreal Engine, use the ticket obtained from Steamworks.

Twitch

For Twitch, you can get the Authentication token by using the function below:

Xbox

For Xbox, you can get the Auth token by using the function below:

Upgrade a Headless Account Using the Client SDKs

Players can upgrade a headless account by linking the headless account to their email address and creating a password.

Upgrade an Account

Use this function to initiate an account upgrade:

Verify the Player After an Account Upgrade

Verifying the player after they upgrade their account is done in two steps. First, the game will send the verification code to the player’s email. Then the verification code will be sent back to the IAM service for verification.

Send Verification Code to Email

Use this function to send the verification code to a player’s email address.

Send Verification Code from Email to IAM Service

Use this function to send the verification code from the player’s email back to the IAM Service.