Authenticating a Game Center player on an online game's servers

"Clash of Clans" uses Game Center to authenticate and link a player with an existing remotely stored game state.

From what I can see, a game is only provided a player identifier on client side. Is there a supported technique to securely authenticate a user instead of sending just the identifier (which is an equivalent of authenticating with just a username)?

Overrun answered 7/1, 2013 at 18:19 Comment(1)
This question has the answer: #15755989 (Amundson)

Since I asked the question, Apple has introduced a new API and the answer is available on: Setting up third-party server to interact with Game Center (thank you, user2949759) and on a few other places.

Specifically, since iOS 7 (Apple documentation on Wayback Machine):

-[GKLocalPlayer generateIdentityVerificationSignatureWithCompletionHandler:]

Generates a signature that allows a third party server to authenticate the local player.

The relevant callback block's arguments include NSURL *publicKeyUrl, NSData *signature, NSData *salt, uint64_t timestamp. These, along with the player's playerID and bundleID, should be shipped off to the server as the 'login information'.

  • At this point, one should, server-side, use publicKeyURL to obtain the public key
  • server-side, verify that this public key has been signed by Apple
  • server-side, concatenate UTF-8-encoded playerID, bundleID, big-endian uint64 timestamp, and verbatim salt
  • server-side, generate SHA-256 of the above to produce the digest
  • server-side, verify that the signature that was shipped to the server is correct, using the public key downloaded earlier, the signature and the digest

There's an example in pseudo-PHP, an example of how one would implement this in Objective-C (which makes little sense to use verbatim), a Go implementation, a Ruby implementation and there is an assortment of implementations in other languages on that same question.

Unsurprisingly, the implementation in Go seems particularly readable, but it doesn't verify that the public key was issued by Apple. The linked Ruby implementation contains a rather clear example of how to do that.

Overrun answered 24/9, 2015 at 11:52 Comment(0)
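The server-side steps listed in the answer above, as an added Go example that is not code from the answer, from Apple, or from any of the linked implementations. It assumes the signature is RSA PKCS#1 v1.5 over the SHA-256 digest and that the timestamp is milliseconds since the Unix epoch (both labelled as assumptions in the code); the timestamp window is an added replay guard, and the certificate chain check is done against a pinned root, which in production would be Apple's CA rather than the throwaway issuer the example generates for offline use.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"math/big"
	"time"
)

// buildPayload: UTF-8 playerID || UTF-8 bundleID || big-endian uint64 timestamp || raw salt.
func buildPayload(playerID, bundleID string, timestamp uint64, salt []byte) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], timestamp)
	return append(append(append([]byte(playerID), bundleID...), ts[:]...), salt...)
}

// verifyCertChain parses the DER cert from publicKeyUrl and requires it to chain to a pinned root (Apple's CA in production).
func verifyCertChain(certDER []byte, roots *x509.CertPool) (*rsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return nil, err }
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { return nil, err }
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok { return nil, errors.New("certificate does not carry an RSA key") }
	return pub, nil
}

// verifyIdentity: replay guard on the timestamp (assumed ms since the Unix epoch), then RSA PKCS#1 v1.5 over SHA-256 (assumed scheme).
func verifyIdentity(pub *rsa.PublicKey, playerID, bundleID string, timestamp uint64, salt, sig []byte, now time.Time, maxAge time.Duration) error {
	issued := time.UnixMilli(int64(timestamp))
	if now.Sub(issued) > maxAge || issued.Sub(now) > maxAge { return errors.New("timestamp outside window") }
	digest := sha256.Sum256(buildPayload(playerID, bundleID, timestamp, salt))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// newTestIssuer stands in for Apple's signing service (throwaway key, self-signed cert; cert.Raw is the DER) for offline checks.
func newTestIssuer() (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}
```

A server using this would fetch the DER from publicKeyUrl over HTTPS, call verifyCertChain with a pool holding only Apple's root, and only then call verifyIdentity with the values the client sent.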

Since you are authenticating with your own server, this is something between your client and your server to implement. Game Center won't be able to help you.

A simple idea would be to calculate a hash from the playerID using a function that only you know, and have the server compare it to what the client is sending.

Avoid generating a random key when your client runs for the first time, because when the client is re-installed, the user will be locked out.

Oskar answered 7/1, 2013 at 18:38 Comment(1)
Indeed, that is one way to... slow someone down. A jailbroken device can easily be tricked into returning a different playerID -- which is precisely the reason why I'm asking for something more secure. And considering games like Clash of Clans contain Game Center-account-associated IAPs, there is even money at risk -- and this concern is why I asked. Sounds like server side auth check is a good candidate for a radar :-/ (Mnemonic)
