How identity and authentication works - AWS GameKit

You are currently viewing content for use with Unreal Engine software.

How identity and authentication works

Summary

Use the identity and authentication game feature to build player sign-in workflows into your game, generate unique player IDs and use them to verify a player's identity during gameplay, manage access to player-specific data, and add other functionality that requires player authentication. Allow players to register with an email or a valid Facebook account. Primary audience: game owners and developers who want a high-level understanding of what the identity and authentication game feature delivers and the work required to build it into their games.

The primary mechanism of the identity and authentication game feature is the unique player identity. By registering with your game, players establish a verified identity and get a unique player ID for use with your game. When players sign in to your game, AWS GameKit uses this ID to authenticate the interactions between the game client that the player is using and your game backend.

Every AWS GameKit feature relies on identity and authentication to verify that player-specific requests coming from a game client are authenticated. These game features store player-specific data in the cloud by player ID, including gameplay data, achievements, and game state saves.

Identity and authentication with AWS GameKit uses simple, secure workflows. You can implement either or both of the following methods for registering players and establishing unique player IDs:

  • Players can provide an email address and password. The sign-in workflow includes email verification, which the player must complete before registration finishes. It also includes a password recovery workflow.

  • Players can sign in using Facebook as a third-party identity provider. With this option, you must set up Facebook Login for your game. The sign-in workflow redirects players to Facebook where they enter their credentials. Facebook handles the authentication and then communicates the results back to your game.

If you choose to include both sign-in methods in your game, and a player provides both types of credentials, the identity and authentication game feature can connect both logins to the same player ID.

This game feature incorporates security features such as checks for compromised credentials and account takeover protection.

Identity and authentication with AWS GameKit does not offer special support for features such as authentication challenges, custom verification emails, or user directory management. However, you can add these features and more by manually customizing your AWS resources using AWS tools. Learn more about the AWS backend solution in Identity and authentication solution architecture.

Identity and authentication workflows

For player registration, AWS GameKit supports the following scenarios:

  • Player registers with an email address and password. In this scenario, AWS GameKit automatically triggers a verification workflow, which sends an email containing a verification code to the provided address. The player must retrieve the verification code and enter it into a game UI to complete registration. On successful registration, a new unique player ID is created and the player's sign-in information is encrypted and stored.

  • Player signs in with their Facebook account. In this scenario, AWS GameKit triggers a workflow that prompts the player to go to a Facebook web page to log in. If the login succeeds and the game's identity and authentication backend detects that this is the first time the player has signed in to the game, a new unique player ID is created.

The player registration and sign-in workflow is as follows:
  1. In the game client, the player is presented with the option to create a new game account by either providing an email address or choosing a “Sign in with...” button and selecting an external identity provider to use.

  2. If the player enters an email address and password:

    1. AWS GameKit sends a verification email to the provided email address with a session-based confirmation code.

    2. In the game client, the player enters the confirmation code and prompts the game to confirm the registration.

    3. If confirmation succeeds, AWS GameKit creates a new player record and returns an identity token, which can be used to authorize communication between the player's game client and the game's identity and authentication backend.

  3. If the player opts to sign in with Facebook:

    1. The “Sign in with Facebook” button triggers the game to request a federated login URL for Facebook from the game's identity and authentication backend. The URL includes the app ID that the game has registered with Facebook.

    2. The game client opens the Facebook login URL in a browser, and the player logs in to their Facebook account.

    3. Facebook returns a login status. If the login succeeded and this is the first time this Facebook account has signed in to the game, AWS GameKit creates a new player record. In either case it returns an identity token, which can be used to authorize communication between the player's game client and the game's identity and authentication backend.

  4. In the game client, the player signs in to the game using their existing game account.

  5. The game attempts to sign in the player. If the sign-in attempt is valid, AWS GameKit responds with a session-based token.
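The registration, confirmation, federated sign-in and returning sign-in exchanges described above, modelled end to end in a small backend as an added example. This is illustration code, not AWS GameKit's own code or API: the `IdentityBackend` class, the token format, the code and token lifetimes (`CODE_TTL`, `TOKEN_TTL`), the PBKDF2 password hashing and the sample email address and Facebook user IDs are all assumptions. The browser round trip to Facebook (steps 3.1 and 3.2) cannot run offline, so the model starts where Facebook has already returned a successful login status. It shows the checks a practitioner wants at each step: the confirmation code is bound to one registration, expires, and is single-use; a Facebook account gets a new player ID only the first time it is seen; linking a second login to an existing player ID requires a signed-in session rather than a matching email; and every token is verified before a player ID is trusted.

```python
import hashlib
import hmac
import os
import secrets
import time
import uuid

CODE_TTL = 600     # assumed lifetime of a confirmation code, in seconds
TOKEN_TTL = 3600   # assumed lifetime of a session token, in seconds
PBKDF2_ROUNDS = 200_000


class IdentityBackend:
    """Stand-in for the identity and authentication backend (an assumption, not GameKit code)."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be exercised
        self.key = os.urandom(32)      # backend-only key that signs session tokens
        self.players = {}              # player_id -> {"email": ..., "facebook_id": ...}
        self.by_email = {}             # email -> player_id
        self.by_facebook = {}          # Facebook user id -> player_id
        self.credentials = {}          # email -> (salt, PBKDF2 hash)
        self.pending = {}              # email -> unconfirmed registration
        self.outbox = []               # constructed stand-in for the verification email

    # Step 2.1: register with email/password; a confirmation code goes to that address.
    def register(self, email, password):
        if email in self.by_email:
            raise ValueError("email already registered")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
        self.pending[email] = {"code": code, "expires": self.now() + CODE_TTL,
                               "salt": salt, "hash": digest}
        self.outbox.append((email, code))         # delivered out of band in reality

    # Steps 2.2 and 2.3: the code must match this registration, be unexpired, and is single-use.
    def confirm(self, email, code):
        entry = self.pending.get(email)
        if entry is None or self.now() > entry["expires"]:
            self.pending.pop(email, None)
            raise PermissionError("no live registration for this email")
        if not hmac.compare_digest(entry["code"], code):
            raise PermissionError("wrong confirmation code")
        del self.pending[email]                    # consumed: cannot be replayed
        player_id = self._new_player(email=email)
        self.credentials[email] = (entry["salt"], entry["hash"])
        self.by_email[email] = player_id
        return self._token(player_id)

    # Step 3.3: Facebook already authenticated the player; a player record is created
    # only the first time this Facebook user is seen, otherwise the existing ID is used.
    def facebook_login(self, facebook_user_id):
        player_id = self.by_facebook.get(facebook_user_id)
        if player_id is None:
            player_id = self._new_player(facebook_id=facebook_user_id)
            self.by_facebook[facebook_user_id] = player_id
        return self._token(player_id)

    # Connecting both logins to one player ID: only a signed-in player may link a
    # provider, so nobody can claim an existing account by merely asserting its email.
    def link_facebook(self, token, facebook_user_id):
        player_id = self.verify_token(token)
        if player_id is None:
            raise PermissionError("not signed in")
        if facebook_user_id in self.by_facebook:
            raise ValueError("Facebook account already linked to a player")
        self.by_facebook[facebook_user_id] = player_id
        self.players[player_id]["facebook_id"] = facebook_user_id

    # Steps 4 and 5: a returning player signs in; same error for unknown email and bad password.
    def login(self, email, password):
        cred = self.credentials.get(email)
        if cred is None:
            raise PermissionError("bad email or password")
        salt, stored = cred
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, stored):
            raise PermissionError("bad email or password")
        return self._token(self.by_email[email])

    # What every other game feature does with a token before touching player data.
    def verify_token(self, token):
        try:
            player_id, expires, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.key, f"{player_id}.{expires}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, expected) or self.now() > int(expires):
            return None
        return player_id

    def _new_player(self, email=None, facebook_id=None):
        player_id = str(uuid.uuid4())
        self.players[player_id] = {"email": email, "facebook_id": facebook_id}
        return player_id

    def _token(self, player_id):
        expires = int(self.now()) + TOKEN_TTL
        sig = hmac.new(self.key, f"{player_id}.{expires}".encode(), "sha256").hexdigest()
        return f"{player_id}.{expires}.{sig}"


def demo():
    """Walks the workflow once with constructed inputs; returns the player IDs observed."""
    backend = IdentityBackend()
    backend.register("player@example.com", "correct horse battery staple")  # constructed
    email, code = backend.outbox[-1]              # the player reads the code from the email
    token = backend.confirm(email, code)
    first = backend.verify_token(token)
    other = backend.verify_token(backend.facebook_login("fb-1001"))  # unrelated Facebook user
    backend.link_facebook(token, "fb-2002")       # same player links a Facebook account
    linked = backend.verify_token(backend.facebook_login("fb-2002"))
    returning = backend.verify_token(backend.login(email, "correct horse battery staple"))
    return first, other, linked, returning
```

`demo()` returns the same player ID for the email registration, the linked Facebook login and the returning sign-in, and a different ID for the unrelated Facebook user. The injectable clock exists so the expiry paths can be exercised; in the real deployment the code lifetime, token format and credential storage are properties of the backend described in the solution architecture page, not of this model.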