Identity Provider Management

Overview of player identity management in the Developer Portal.

Epic Online Services (EOS) can link player accounts from multiple online stores and gaming services, called Identity Providers (or "platforms"). This enables users to share their data across different platforms they use and participate in cross-platform features like matchmaking.

Identity Providers supported by EOS:

  • Apple

  • Discord

  • Epic Games*

  • GOG Galaxy

  • Google

  • itch.io

  • Nintendo

  • Oculus

  • PlayStation™ Network

  • Steam

  • Xbox Live

  • OpenID

Providers marked with an asterisk (*) do not require configuration in your Developer Portal.

[Figure: IdentityProviderFlow.png, the identity provider login flow]

Any time a user starts an instance of your product through an enabled identity provider (shown in the flow above), the product authenticates the local user using the Connect interface.

The identity provider issues the authentication token. When your product calls EOS_Connect_Login, the EOS_EExternalCredentialType value it passes specifies the type of the token used to validate the local user, and therefore which identity provider configuration EOS uses to check the token's trust and validity. Products with multiple environments may need multiple authentication tokens.

EOS verifies the submitted token and the user's identity using the identity provider configuration to connect the user to existing product data.

If the user is playing the product for the first time on a new platform, EOS sees that the player has no data for that product on that platform. Your product client can then ask the user to proceed with their account on the current platform, create a new account for that game on that platform, or log in using another account that they have previously used to play the product.

If the user chooses to log in with an existing account from another identity provider, your product can ask the user if they want to link the two accounts. After this initial event, EOS remembers which account to use when the user plays this product, and does not prompt the user again.

Configuring Identity Providers

You can configure your product's identity providers by selecting the product you want to access, clicking Product Settings, and selecting the Identity Providers tab. You can then configure each provider with the Configure button.

After configuring an identity provider, you can enable it in any of your product's sandboxes by selecting your product, clicking Product Settings, and selecting the Environments tab. Click the Identity Providers button to configure the identity providers for your sandboxes.

OpenID Provider

If your company owns a proprietary user account system, you can add it as an OpenID Provider configuration so that the EOS SDK can authenticate your users and they can use the game services in the same way as with any other identity provider.

The OpenID Provider verifies tokens using either the UserInfo API Endpoint or a JSON Web Key Set (JWKS).

UserInfo API Endpoint

To configure the UserInfo API Endpoint, you need to specify the claim names in the JWT access token, or the field names in the JSON response returned by the UserInfo Endpoint, that carry the user's account ID and display name.

The EOS authentication backend uses the access token passed to EOS_Connect_Login to call the UserInfo API Endpoint.

The API endpoint uses the HTTPS protocol and either the GET or POST HTTP method. Your endpoint must return the following HTTP responses, which the EOS backend maps to EOS_EResult values as shown:

HTTP Response Code        | EOS_EResult Returned                       | Description
200 OK                    | EOS_Success                               | The access token is valid and trusted.
401 Unauthorized          | EOS_Connect_ExternalTokenValidationFailed | The access token is invalid, expired, or otherwise cannot be trusted.
403 Forbidden             | EOS_Connect_ExternalTokenValidationFailed | The EOS authentication backend was not allowed to make the request. Warning: This should not happen.
404 Not Found             | EOS_Connect_ExternalTokenValidationFailed | The user was not found in the account system. Warning: This should not happen.
500 Internal Server Error | EOS_Connect_ExternalServiceUnavailable    | Something went wrong and the authentication service could not complete the request.
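The following is an added example, not code from Epic or from this page, of a minimal UserInfo API Endpoint handler that honours the response contract in the table above. It is framework-free: handle_userinfo takes the HTTP method, the request headers and a token store and returns the status code and JSON body, so it can be wired into any web server. TLS termination is assumed to happen in front of it. The tokens, account IDs, display names and the field names "sub" and "display_name" are constructed for the example; the field names are whatever you enter in the Developer Portal configuration.

```python
"""UserInfo API Endpoint handler matching the EOS OpenID Provider contract
(200 = valid, 401 = untrusted token, 500 = service failure). Added example;
all stored tokens and identities below are constructed."""
import hashlib
from typing import Optional

def _h(token: str) -> str:
    # Tokens are stored only as SHA-256 digests so a leaked table does not yield usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()

SAMPLE_NOW = 1_700_000_000  # constructed "current time" so results are reproducible

TOKEN_STORE = {  # constructed sample store: digest -> account record
    _h("tok-alice-valid"): {"account_id": "acct-0001", "display_name": "Alice", "exp": SAMPLE_NOW + 3600},
    _h("tok-bob-expired"): {"account_id": "acct-0002", "display_name": "Bob", "exp": SAMPLE_NOW - 60},
}

# EOS_EResult the EOS backend reports for each status (from the table above).
# A well-behaved endpoint only ever emits 200, 401 or 500; 403 and 404 indicate
# a misconfiguration on your side.
EOS_RESULT_FOR_STATUS = {
    200: "EOS_Success",
    401: "EOS_Connect_ExternalTokenValidationFailed",
    403: "EOS_Connect_ExternalTokenValidationFailed",
    404: "EOS_Connect_ExternalTokenValidationFailed",
    500: "EOS_Connect_ExternalServiceUnavailable",
}

def _bearer_token(headers: dict) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>' (header names are case-insensitive)."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None

def handle_userinfo(method: str, headers: dict, store=TOKEN_STORE, now: int = SAMPLE_NOW):
    """Return (http_status, json_body). EOS calls with GET or POST; both are served identically."""
    if method not in ("GET", "POST"):
        return 405, {"error": "method_not_allowed"}
    token = _bearer_token(headers)
    if token is None:
        # Missing or malformed credentials are treated like any untrusted token.
        return 401, {"error": "invalid_token"}
    try:
        record = store.get(_h(token))
    except Exception:
        # A backing-store failure must surface as 500 (ExternalServiceUnavailable),
        # never as 401, or EOS would report a valid user's token as invalid.
        return 500, {"error": "server_error"}
    if record is None or now >= record["exp"]:
        return 401, {"error": "invalid_token"}
    # Response field names must match the account ID and display name fields
    # configured for the UserInfo Endpoint in the Developer Portal.
    return 200, {"sub": record["account_id"], "display_name": record["display_name"]}
```

Note that an expired or unknown token and a missing Authorization header all collapse to 401, which EOS reports as EOS_Connect_ExternalTokenValidationFailed; only an internal failure returns 500 so that EOS distinguishes "your service is down" from "this token is bad".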

JSON Web Key Set (JWKS)

The OpenID Provider uses JWKS to verify the submitted ID Tokens. For this, you need to provide a publicly accessible JWKS URL.

The user's account ID is extracted from the "sub" claim.

The expected audience value (the "aud" claim) for the ID Token must be configured along with the claim name for the user's display name.
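The following added example (not code from Epic or from this page) shows the whole JWKS path end to end: the studio generates a signing key, publishes its public half as a JWKS document, issues an ID Token, and a verifier performs the checks the EOS backend applies to that token: key selection by kid, RS256 signature verification against the JWKS, the configured "aud" value, expiry, the account ID from "sub" and the display name from a configured claim. RS256 is implemented in pure Python with a toy 512-bit key generated at run time so the file runs offline; a real issuer uses a proper crypto library and 2048-bit or larger keys. The kid, claim names, audience and identities are constructed.

```python
"""ID Token issuance and JWKS-based verification (RS256). Added example; the
RSA and PKCS#1 v1.5 code is a minimal teaching implementation, not for production."""
import base64
import hashlib
import json
import random

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- minimal RSA key generation (Miller-Rabin primes) ---
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(c):
            return c

def gen_rsa_key(bits: int = 512) -> dict:
    """Toy key size for the example only; real keys are 2048 bits or more."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

# --- RSASSA-PKCS1-v1_5 with SHA-256, i.e. JWS "RS256" ---
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(msg, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)

# --- what the studio publishes at its JWKS URL and what it issues to the client ---
def _i2b(i: int) -> str:
    return b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def make_jwks(key: dict, kid: str) -> dict:
    """Public parameters only; 'd' never leaves the issuer."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": _i2b(key["n"]), "e": _i2b(key["e"])}]}

def issue_id_token(key: dict, kid: str, claims: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), key))

# --- the checks a verifier (the EOS backend, for your OpenID Provider) applies ---
def verify_id_token(token: str, jwks: dict, expected_aud: str, display_name_claim: str, now: int) -> dict:
    """Return {'ok': True, 'account_id', 'display_name'} or {'ok': False, 'error'}."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(unb64url(h64)), json.loads(unb64url(p64))
    except Exception:
        return {"ok": False, "error": "malformed token"}
    if header.get("alg") != "RS256":  # pin the algorithm; the token's own 'alg' is untrusted input
        return {"ok": False, "error": "unsupported alg"}
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return {"ok": False, "error": "unknown kid"}
    n, e = (int.from_bytes(unb64url(jwk[x]), "big") for x in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), unb64url(s64), n, e):
        return {"ok": False, "error": "bad signature"}
    aud = claims.get("aud")
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        return {"ok": False, "error": "audience mismatch"}  # must equal the configured audience value
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return {"ok": False, "error": "expired"}
    if not claims.get("sub"):
        return {"ok": False, "error": "missing sub"}  # the account ID is taken from 'sub'
    return {"ok": True, "account_id": claims["sub"], "display_name": claims.get(display_name_claim)}
```

The order of checks matters: the algorithm is pinned before any key is looked up, the signature is verified before any claim is trusted, and only then are "aud", "exp" and "sub" read. Key rotation works by publishing the new key in the JWKS alongside the old one under a different kid, since the verifier selects the key from the token header.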