Identity Provider Management

Overview of player identity management in the Developer Portal.

Epic Online Services (EOS) has the ability to link player accounts from multiple online stores and gaming services, known as Identity Providers (sometimes referred to as "platforms"), together. This enables players to share their data, such as unlocked Achievements, across the different platforms on which they play (for example, PSN, Steam, and Xbox Live), and to participate in cross-platform features like matchmaking.

Configuring Identity Providers

You can find the list of accepted Identity Providers for your game by navigating to its Product Details page and scrolling down to the Identity Providers section. From there, you can add new Identity Providers or configure existing ones.

Click image for full size.

To securely validate the user identity of players with the each of the Identity Providers that they are logged in to a game with, the EOS backend must have a game-specific secret key from the Identity Provider that controls the account. Depending on the Identity Provider, the secret key could be an OAuth Client Credentials pair, an encryption key, or a certificate key pair for validation of the user authentication access tokens. In some cases, such as when working with a game that deploys to multiple environments, you may need multiple separate secret keys per each environment. For example, games often have separate Development and Production keys, and multi-platform games will have different keys for each supported platform. Be sure to name each key appropriately for their deployment types, as the added keys are later assigned for each EOS Sandbox accordingly.

OpenID Provider

If your company owns a proprietary user account system, you can also add authentication support by adding the OpenID Provider configuration. This allows you to authenticate your users with the EOS SDK and use the game services in the same way as with your other Identity Providers. The OpenID Provider configuration uses the OpenID Connect (OIDC) authentication protocol, specifically the UserInfo Endpoint to securely validate the user identity.

UserInfo Endpoint

The EOS authentication backend will call the configured UserInfo REST API Endpoint using the access token that was passed to the EOS_Connect_Login SDK API by the game client.

The API endpoint is required to use the HTTPS protocol and can use either the GET or POST HTTP Methods. It is also required to implement the following possible error responses:

HTTP Response Code

EOS_EResult returned

Description

200 OK

EOS_Success

The access token was verified to be valid and can be trusted.

401 Unauthorized

EOS_Connect_ExternalTokenValidationFailed

The access token was invalid, expired or otherwise cannot be trusted.

403 Forbidden

EOS_Connect_ExternalTokenValidationFailed

The EOS authentication backend was not allowed to make the request. This should never happen.

404 Not Found

EOS_Connect_ExternalTokenValidationFailed

The user was not found in the account system. This should never happen.

500 Internal Server Error

EOS_Connect_ExternalServiceUnavailable

Something went wrong and the authentication service was not able to complete the request.

Adding Identity Providers to Sandboxes

After setting up an Identity Provider, you can enable it in any of your Product's sandboxes. Each sandbox maintains separate configurations for Identity Providers, enabling you to use secret keys that match the deployment environments between your sandboxes and the Identity Providers' publishing platforms.

To edit which Identity Providers are enabled for a given sandbox, navigate to the Product Details page, then scroll to the Sandboxes section and click the Identity Providers button on the sandbox you want to add providers for.

Click image for full size.

To configure the OpenID Provider type, you will also need to specify the claim names of the JWT access token or JSON response field names for the user's account id and display name returned by the UserInfo Endpoint.

SDK Integration

The game authenticates the local user using the EOS Connect Interface The EOS_EExternalCredentialType enumeration value used with the EOS_Connect_Login API specifies the type of the authentication token to validate the local user with. The EOS authentication backend uses this token type to choose which Identity Provider to check the token trust and validity with.

Linking Accounts

The EOS SDK can process user authentication tokens from any Identity Provider that your game supports. This enables EOS to access the player's game data from any platform, on any platform. Any time the player starts an instance of your game on an enabled Identity Provider, the game client must get a user authentication token from that Provider and pass it to the EOS Auth Interface.

EOS then validates the user's identity and matches it with their game data, including data saved on other Identity Providers. If the player is playing the game for the first time on a new platform, EOS will see that the player has no data for that game on that platform. The game client can then ask the user to proceed with their account on the current platform, creating a new account for that game on that platform, or log in using another account that they have previously used to play the game. If the player chooses to log in with an existing account from another Identity Provider, the game can ask the user if they want to link the accounts.

After this initial event, EOS will remember which account to use when the player plays this game, and will not need to prompt the user again.