Login/Register
Setting up third-party server to interact with Game Center
Asked Answered
Solved iosauthenticationsinatragame-center
C

4

14

I'm thinking of adding a feature to my iOS game to allow players to create their own game levels, share them with other players, rate them, etc. There'd be a public repository of user-created levels, sortable by creation date, rating, difficulty, or other criteria.

This kind of functionality would necessitate a third-party server. I was thinking I'd create a RESTful API using Sinatra and run it on Heroku. My question is: what would be the best way to authenticate requests to this API? I would prefer not to require players to create a username and password. I'd like to just use Game Center's ID system.

Any suggestions? I've never done any server-side stuff before so any help is appreciated!

Clarification

Yes, I'm aware that Apple doesn't provide its own system. But it does give developers access to unique Game Center identifiers (developer.apple.com/library/mac/#documentation/…) and I was hoping I could use that somehow to roll my own authentication system without requiring users to sign on via Facebook/Twitter/etc. If that's possible.

Conclusive answered 2/4, 2013 at 3:18 Comment(0)
D
12

Looks like as of iOS 7, this is possible with Game Center using:

[localPlayer generateIdentityVerificationSignatureWithCompletionHandler]

Once you have verified the identity of the player using the generateIdentity call,

  • Associate the player id with a user on your server's db
  • Use whatever access token / authentication pattern your REST framework provides for subsequent calls

https://developer.apple.com/library/ios/documentation/GameKit/Reference/GKLocalPlayer_Ref/Reference/Reference.html

Also for reference, here is the dictionary that we end up sending off to our server based on the response from generateIdentityVerificationSignatureWithCompletionHandler

NSDictionary *paramsDict = @{
    @"publicKeyUrl":[publicKeyUrl absoluteString],
    @"timestamp":[NSString stringWithFormat:@"%llu", timestamp],
    @"signature":[signature base64EncodedStringWithOptions:0],
    @"salt":[salt base64EncodedStringWithOptions:0],
    @"playerID":localPlayer.playerID,
    @"bundleID":[[NSBundle mainBundle] bundleIdentifier]
};
Downtown answered 16/12, 2013 at 19:56 Comment(1)
Now that I've called generateIdenityVerificationSignature... and gotten back all that info and made it into a dictionary and sent it to my server, the part I'm not getting is how my server uses it to validate that I have a legitimate user signed on. To clarify, I'd like the the user to be able to log-in via GameCenter, then my server to take that information and say "ok, GameCenter's good enough for us, here's your game-data/content" similar to openID, except with GameCenter credentials. Thanks!Reis
S
4

edit: as if when I posted this there was no official solution from Apple, but there is now. See the other answers for that, or read on purely for historical / backwards-compatibility interest.

Apple doesn't provide any sort of system for using Apple ID authentication (which includes Game Center) with third-party services. You're on your own for authentication, though you could look into OAuth for allowing single-sign-on via Facebook/Twitter/etc. (Just beware that not everyone has a Facebook/Twitter/etc identity, or one that they want to use for your game.)

In theory, the playerID property on GKPlayer is unique, constant, and not known to anyone else. So, in theory, you could use it for "poor man's authentication": present it to your server, and that's all the server needs to look up and provide player-specific stuff. But this is like authentication by UDID, or by user name only -- the only security it provides is obscurity. And what happens when you have a user who's not signed into Game Center?

Slacks answered 2/4, 2013 at 5:40 Comment(3)
Yes, I'm aware that Apple doesn't provide its own system. But it does give developers access to unique Game Center identifiers (developer.apple.com/library/mac/#documentation/…) and I was hoping I could use that somehow to roll my own authentication system without requiring users to sign on via Facebook/Twitter/etc. If that's possible. Thanks!Conclusive
Is there any way for the server to determine that the request is coming from my app? If so, that plus the playerID would be good enough security for me. As far as users not signed into Game Center, that doesn't concern me so much. They'll just have to sign in to Game Center. (The alternative is that they sign into some other way, so what's the point?) Again, I'm new to all of this. Just exploring options before I dive in.Conclusive
Apple does provide this. See my answer and the docs that Andy linked to in the accepted answer.Duggan
D
2

Andy's answer is on the right track, but to finish the story: in those docs that he links to, there's an explanation of how to actually authenticate against Apple services that the GameCenter user actually is who he is claiming to be. Link to that part of the docs is below. Basically, the call on the client to generateIdentityVerificationSignatureWithCompletionHandler gives your some data including a URL. You give that data and the URL to your own server, and then from your server you can hit that URL to authenticate the user with the rest of the data that was provided by the call to generateIdentityVerificationSignatureWithCompletionHandler.

https://developer.apple.com/library/ios/documentation/GameKit/Reference/GKLocalPlayer_Ref/index.html#//apple_ref/occ/instm/GKLocalPlayer/generateIdentityVerificationSignatureWithCompletionHandler:

Duggan answered 5/8, 2015 at 17:41 Comment(0)
R
0

I had a heck of a time figuring this out. I finally used a few hints from this answer, a couple of other SO answers, the php docs and some lucky guessing to come up with this complete answer.

NOTE: This method seems very open to hacking, as anyone could sign whatever they want with their own certificate then pass the server the data, signature and URL to their certificate and get back a "that's a valid GameCenter login" answer so, while this code "works" in the sense that it implements the GC algorithm, the algorithm itself seems flawed. Ideally, we would also check that the certificate came from a trusted source. Extra-paranoia to check that it is Apple's Game Center certificate would be good, too.

Reis answered 31/10, 2015 at 14:55 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.