Identity Provider Management

Overview of player identity management in the Developer Portal.

Epic Online Services (EOS) can link player accounts from multiple online stores and gaming services, called Identity Providers (or "platforms"). This enables users to share their data across different platforms they use and participate in cross-platform features like matchmaking.

Identity Providers supported by EOS:

  • Amazon

  • Apple

  • Discord

  • Epic Games*

  • GOG Galaxy

  • Google

  • itch.io

  • Nintendo

  • Oculus

  • PlayStation™ Network

  • Steam

  • Xbox Live

  • OpenID

Denoted(*) providers do not require configuration in your Developer Portal.

IdentityProviderFlow.png

Anytime a user starts an instance of your product on an enabled identity provider (shown in the flow above), the product authenticates the local user using the Connect interface.

The identity provider provides the authentication token. EOS_EExternalCredentialType and EOS_Connect_Login specify the type of the authentication token to validate the local user and which identity provider to check the token trust and validity. You may need multiple authentication tokens for products with multiple environments.

EOS verifies the submitted token and the user's identity using the identity provider configuration to connect the user to existing product data.

If the user is playing the product for the first time on a new platform, EOS sees that the player has no data for that product on that platform. Your product client can then ask the user to proceed with their account on the current platform, create a new account for that game on that platform, or log in using another account that they have previously used to play the product.

If the user chooses to log in with an existing account from another identity provider, your product can ask the user if they want to link the two accounts. After this initial event, EOS remembers which account to use when the user plays this product, and does not prompt the user again.

Configuring Identity Providers

You can configure your product's identity providers by selecting the product you want to access, clicking Product Settings, and selecting the Identity Providers tab. You can then configure each provider with the Configure button.

After configuring an identity provider, you can enable it in any of your product's sandboxes by selecting your product, clicking Product Settings, and selecting the Environments tab. Click the Identity Providers button to configure the identity providers for your sandboxes.

OpenID Provider

If your company owns a proprietary user account system, you can also add authentication support by adding the OpenID Provider configuration to authenticate your users with the EOS SDK and use the game services in the same way as other identity providers.

The OpenID Provider verifies tokens by using the UserInfo API Endpoint or JSON Web Key Set (JWKS).

UserInfo API Endpoint

To configure the UserInfo API Endpoint, you need to specify the claim names of the JWT access token or JSON response field names for the user's account ID and display name returned by the UserInfo Endpoint.

The EOS authentication backend uses the access token passed to the EOS_Connect_Login to call the UserInfo API Endpoint.

The API endpoint uses the HTTPS protocol and either the GET or POST HTTP methods. You must also implement the following possible error responses:

HTTP Response Code

EOS_EResult Returned

Description

200 OK

EOS_Success

The access token is valid and trusted.

401 Unauthorized

EOS_Connect_ExternalTokenValidationFailed

The access token is invalid, expired, or otherwise cannot be trusted.

403 Forbidden

EOS_Connect_ExternalTokenValidationFailed

The EOS authentication backend was not allowed to make the request. Warning: This should not happen.

404 Not Found

EOS_Connect_ExternalTokenValidationFailed

The user was not found in the account system. Warning: This should not happen.

500 Internal Server Error

EOS_Connect_ExternalServiceUnvailable

Something went wrong and the authentication service could not complete the request.

JSON Web Key Set (JWKS)

The OpenID Provider uses JWKS to verify the submitted ID Tokens. For this, you need to provide a publicly accessible JWKS URL.

The user's account ID is extracted from the "sub" claim.

The expected audience value (the "aud" claim) for the ID Token must be configured along with the claim name for the user's display name.

Identity Provider specific information

Nintendo

If your game application depends on multiple Nintendo App IDs, add credential entries for each of them with their respective environments, and tick all of them to be used for the EOS Sandbox.

Oculus

By default, Rift and Quest devices are treated as two separate platforms by the Oculus ecosystem. This means that the application will see different Oculus app-scoped user IDs for users depending on the device they are using. The EOS Connect backend will still recognize the user as the same across Oculus devices, as the account linking keyring uses the Oculus organization-scoped user ID to recognize the logged in user.

If a user has logged into the application on both Oculus devices, their EOS ProductUserID will internally map to two separate Oculus app-scoped user IDs. This allows persisting the user's EOS data across Oculus devices as expected.

However, querying linked Oculus accounts of an EOS_ProductUserID will return indeterminically either of the known Oculus app-scoped user IDs. As such, the returned Oculus app-scoped user ID by EOS SDK may not match the Oculus app-scoped user ID seen by Oculus SDK. For example, EOS SDK returns the user's Rift-based app-scoped user ID while the user is currently using the Oculus Quest device.

To avoid your users having separate Oculus app-scoped user IDs across devices, you can use the Oculus App Groupings feature to enable cross-device authentication support. This makes the Oculus ecosystem to re-use the same Oculus app-scoped user ID across the Oculus devices and treating the user as one.

For more information on this, see: Oculus Cross-Device Development with App Groupings.

Steam

For user authentication across different SteamAppIDs, use the same Steam Encryption Key for all of the SteamAppIDs in the Steamworks web dashboard configuration. This allows using a single EOS credentials entry across your different Steam game builds.