Three Party User Authentication
Hello all,
I'm working on a "game" of sorts that has a centralized login and asset server with user-run game servers. I'm trying to come up with a way for users to authenticate who they are to servers without exposing their passwords or other information. The issue I have right now is with spoofing.
For example:
1) The client logs in and asks the login server for a temporary authentication token.
2) The client passes this token off onto the game server.
3) The game server asks the login server if the token is valid and if it's for the person attempting to join the server.
4) The token is invalidated by the login server after use.
So far, along with encrypted transport channels, it works great! The issue, however, is what stops a malicious game server from taking that token and instead of sending it to the login server, the owner of the server steals the token and uses it themselves to authenticate into the server pretending to be the original client.
Is there any way to solve this issue, or is this just an unavoidable aspect of having community-run servers?
Thank you!
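One way to narrow the replay described in the question is to bind each token to the game server the client names when requesting it, so a token handed to one server is rejected when any other server submits it. This is an added sketch, not part of the original post; the `LoginServer` class, its method names, and the assumption that game servers authenticate themselves to the login server (which is what makes `caller_id` trustworthy) are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


class LoginServer:
    """Constructed model of the login server from steps 1-4; all names are hypothetical."""

    def __init__(self, ttl=30):
        self._key = secrets.token_bytes(32)  # secret held only by the login server
        self._ttl = ttl                      # token lifetime in seconds
        self._used = set()                   # nonces already redeemed (step 4)

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, server_id, now=None):
        """Step 1, changed: the client names the one server it intends to join."""
        if "|" in user or "|" in server_id:
            raise ValueError("field separator not allowed in identifiers")
        now = time.time() if now is None else now
        body = f"{user}|{server_id}|{int(now) + self._ttl}|{secrets.token_hex(16)}"
        return f"{body}|{self._mac(body)}"

    def redeem(self, token, user, caller_id, now=None):
        """Steps 3-4: caller_id is assumed to be the asking server's authenticated identity."""
        now = time.time() if now is None else now
        body, _, tag = token.rpartition("|")
        if not hmac.compare_digest(tag.encode(), self._mac(body).encode()):
            return False                     # forged or altered token
        t_user, t_server, expiry, nonce = body.split("|")
        if t_user != user or t_server != caller_id:
            return False                     # wrong player, or replayed at another server
        if now > int(expiry) or nonce in self._used:
            return False                     # expired or already used
        self._used.add(nonce)                # single use
        return True


def demo():
    login = LoginServer()
    token = login.issue("alice", "server-evil")           # alice joins a hostile server
    replay = login.redeem(token, "alice", "server-good")  # its owner tries the token elsewhere
    first = login.redeem(token, "alice", "server-evil")   # only the named server can redeem
    second = login.redeem(token, "alice", "server-evil")  # and only once
    return replay, first, second
```

The binding keeps a token from being accepted anywhere except the server it was issued for; it does not constrain what that server's owner does on their own server.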