STRIX lets games use an authentication/authorization feature based on the OAuth 2.0 specifications. The game server and the game program together act as the client, one of the four roles OAuth defines, to access the player’s identification information, a protected resource hosted by a resource server.
STRIX supports the public OAuth client type and follows the native application profile. It assumes the authorization code grant, although other grants (such as the client credentials grant) can be used if your client program design calls for them.
Token authorization requires server-side setup. When using Strix Cloud, check the Authorization enabled checkbox on the options page of the application dashboard, and set User Resource Url to the URL of the resource server’s endpoint that provides the user’s identification information (such as the UserInfo endpoint of OpenID Connect). The identification information, i.e. the protected resource, is assumed to be a JSON object (like the openid schema of OpenID Connect) containing a “user ID” (such as the "sub" claim) and a “user name” (such as the "name" claim).
The actual OAuth flow will be as follows:
- The game program launches the platform’s standard web browser and sends the resource owner (the player) to the authorization endpoint of the authorization server, where the player authorizes the request and receives an authorization code.
- The game program receives the authorization code and, acting as the OAuth client, accesses the token endpoint of the authorization server to obtain an access token.
- The game program passes the access token to the SDK. (With the Strix Unity SDK, set StrixNetwork.instance.authorizationAccessToken; with the Strix Unreal SDK, pass it as an argument to the InitializeStrixNetworkWithHttpAccessToken function.) The SDK then transfers the token to the STRIX servers when connecting.
- The STRIX servers use the token to access the resource server as an OAuth client and receive the player’s identification information, which is the protected resource from OAuth’s point of view.
That completes the OAuth flow. The STRIX server then issues STRIX’s own client authentication token, which is used for client authentication from that point on. In addition, parts of the identification information received from the resource server (the user name and the user ID) are set automatically as room member properties when the client (player) joins a room.
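As an added example (not STRIX's or either SDK's own code), the following Python sketches the client-side half of the flow above for a public native-app client, plus the claim extraction the STRIX server performs on the User Resource Url response: the authorization URL carries a PKCE challenge and a state value, which the native application profile expects of a public client, and the callback is rejected on a state mismatch. The endpoints, client id, redirect URI and sample values are assumptions; a real game substitutes its authorization server's values.

```python
import base64, hashlib, json, secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Hypothetical endpoint, client id and redirect URI (assumptions, not STRIX values).
AUTHZ_ENDPOINT = "https://auth.example/authorize"
REDIRECT_URI = "http://127.0.0.1:8080/callback"  # loopback redirect per the native-app profile
CLIENT_ID = "strix-game-client"                   # public client: no client secret anywhere

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(state, code_challenge):
    """Step 1: the URL the game program opens in the platform's browser."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile", "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Step 2: pull the authorization code off the loopback redirect; reject a bad state."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]

def token_request_body(code, code_verifier):
    """Step 2 (cont.): form body the game POSTs to the token endpoint."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "code_verifier": code_verifier}

def extract_identity(userinfo_json):
    """Step 4: the two claims STRIX takes from the User Resource Url response."""
    claims = json.loads(userinfo_json)
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("identification information lacks a usable 'sub' claim")
    return {"user_id": sub, "user_name": claims.get("name", "")}

# Constructed samples: the RFC 7636 appendix B verifier and a UserInfo-style document.
SAMPLE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
SAMPLE_USERINFO = json.dumps({"sub": "248289761001", "name": "Jane Doe"})
```

The access token returned by the token endpoint is what the game hands to the SDK in step 3; nothing in this sketch needs the client secret a confidential client would hold.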