
Is this possible? Plugin for a game using the game's code to verify user externally using S2S.

SinfulJosh
Honored Guest
I have found similar references to this but I have not come across a direct example of what I am needing. 

There is a plugin to Beat Saber that upon completing a custom song, you are given the ability to vote up or down on if you liked it. These votes help determine the list order when players go to download custom songs for the game. To prevent abuse of the voting system we want to ensure that only those users that are licensed for the game can vote. We have this already in Steam but cannot make this work in Oculus.

The Steam method we use is as follows:

Linking From In-game

Session Tickets can be used to verify a user's identity between a game client and a secure, backend server using the Steamworks Web API:
  • The client must retrieve a session ticket by calling ISteamUser::GetAuthSessionTicket.
  • To guarantee a valid ticket, the client must wait for the ISteamUser::GetAuthSessionTicketResponse_t callback.
  • The client must send its session ticket to the secure server.
  • The secure server must make an HTTPS request to api.steampowered.com and call the ISteamUserAuth/AuthenticateUserTicket web method, passing the user's session ticket as a hex encoded UTF-8 string. Please note that this method requires a Web API Publisher Key that is associated with the AppID for the provided ticket.
  • If the user's ticket is valid, ISteamUserAuth/AuthenticateUserTicket will return the user's 64-bit SteamID.

  

The method we thought would be the way to achieve this would be the  in Oculus site documentation/unity/ps-ownership/, but in those steps it looks like it wants us to send the secret key (as part of the app access token) to an external server in order for that external server to make a connection to the Oculus server API and verify ownership. This seems like a huge security flaw, or am I missing something?

Would it not be better suited to use the user access tokens that can be generated on the client side to be passed on to the external server, and that access token be used to verify ownership via the Oculus API?


0 REPLIES 0
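
The server half of the Steam session-ticket steps quoted in the post, as an added example (not part of the original post and not code from the plugin or from Valve). It shows the publisher key staying on the backend while the client supplies only its ticket, with votes keyed on the SteamID the API returns. The `/v1/` path suffix, the JSON field names, the app ID, the key placeholder and the sample responses are assumptions or constructed values.

```python
import json
from urllib.parse import urlencode

# Endpoint host and method are from the quoted steps; the /v1/ suffix and the
# JSON field names below are assumptions, not taken from the post.
STEAM_AUTH_URL = "https://api.steampowered.com/ISteamUserAuth/AuthenticateUserTicket/v1/"

class TicketRejected(Exception):
    """The ticket could not be tied to a SteamID; the vote must be dropped."""

def build_auth_url(publisher_key: str, app_id: int, ticket: bytes) -> str:
    """Server side only: the publisher key never leaves the backend."""
    if not ticket:
        raise TicketRejected("empty ticket")
    query = urlencode({"key": publisher_key, "appid": app_id, "ticket": ticket.hex()})
    return f"{STEAM_AUTH_URL}?{query}"  # contains the key: keep it out of logs

def parse_auth_response(body: str) -> str:
    """Return the verified 64-bit SteamID, or raise TicketRejected."""
    try:
        resp = json.loads(body)["response"]
        params = resp["params"]
        steamid = str(params["steamid"])
    except (ValueError, KeyError, TypeError):
        raise TicketRejected("no verified identity in response") from None
    if params.get("result") != "OK" or not steamid.isdigit():
        raise TicketRejected("ticket not accepted")
    return steamid

def record_vote(votes: dict, auth_body: str, song_id: str, up: bool) -> tuple:
    """Key the vote on the verified SteamID, never on an ID the client sent."""
    steamid = parse_auth_response(auth_body)
    votes[(steamid, song_id)] = up  # a repeat vote replaces, it does not add
    cast = [v for (_, song), v in votes.items() if song == song_id]
    return cast.count(True), cast.count(False)

# Constructed sample responses (not captured from a real server).
SAMPLE_OK = '{"response":{"params":{"result":"OK","steamid":"76561198000000001"}}}'
SAMPLE_BAD = '{"response":{"error":{"errorcode":101,"errordesc":"Invalid ticket"}}}'
```

In a deployment the backend would fetch the URL from `build_auth_url` over HTTPS and pass the response body to `record_vote`; the network call is left out so the block runs offline.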