I'm thinking of adding a feature to my iOS game to allow players to create their own game levels, share them with other players, rate them, etc. There'd be a public repository of user-created levels, sortable by creation date, rating, difficulty, or other criteria.
我正在考虑为我的iOS游戏添加一项功能,允许玩家创建自己的游戏关卡,与其他玩家分享,评分等等。有一个用户创建关卡的公共存储库,可按创建日期排序,评级,难度或其他标准。
This kind of functionality would necessitate a third-party server. I was thinking I'd create a RESTful API using Sinatra and run it on Heroku. My question is: what would be the best way to authenticate requests to this API? I would prefer not to require players to create a username and password. I'd like to just use Game Center's ID system.
这种功能需要第三方服务器。我以为我会使用Sinatra创建一个RESTful API并在Heroku上运行它。我的问题是:验证对此API的请求的最佳方法是什么?我宁愿不要求玩家创建用户名和密码。我想使用Game Center的ID系统。
Any suggestions? I've never done any server-side stuff before so any help is appreciated!
有什么建议么?我从来没有做任何服务器端的东西,所以任何帮助表示赞赏!
Clarification
Yes, I'm aware that Apple doesn't provide its own system. But it does give developers access to unique Game Center identifiers (developer.apple.com/library/mac/#documentation/…) and I was hoping I could use that somehow to roll my own authentication system without requiring users to sign on via Facebook/Twitter/etc. If that's possible.
是的,我知道Apple没有提供自己的系统。但它确实让开发人员可以访问唯一的游戏中心标识符(developer.apple.com/library/mac/#documentation/ ...),我希望我能以某种方式使用它来滚动我自己的身份验证系统,而无需用户通过Facebook登录/微博/等。如果那是可能的。
4 个解决方案
#1
11
Looks like as of iOS 7, this is possible with Game Center using:
看起来像iOS 7,这可以通过Game Center使用:
[localPlayer generateIdentityVerificationSignatureWithCompletionHandler]
Once you have verified the identity of the player using the generateIdentity call,
一旦使用generateIdentity调用验证了播放器的身份,
- Associate the player id with a user on your server's db
- Use whatever access token / authentication pattern your REST framework provides for subsequent calls
将玩家ID与服务器db上的用户相关联
使用REST框架为后续调用提供的任何访问令牌/身份验证模式
Also for reference, here is the dictionary that we end up sending off to our server based on the response from generateIdentityVerificationSignatureWithCompletionHandler
另外作为参考,这里是我们最终根据generateIdentityVerificationSignatureWithCompletionHandler的响应发送到我们的服务器的字典
NSDictionary *paramsDict = @{
@"publicKeyUrl":[publicKeyUrl absoluteString],
@"timestamp":[NSString stringWithFormat:@"%llu", timestamp],
@"signature":[signature base64EncodedStringWithOptions:0],
@"salt":[salt base64EncodedStringWithOptions:0],
@"playerID":localPlayer.playerID,
@"bundleID":[[NSBundle mainBundle] bundleIdentifier]
};
#2
4
edit: as if when I posted this there was no official solution from Apple, but there is now. See the other answers for that, or read on purely for historical / backwards-compatibility interest.
编辑:好像当我发布这个没有Apple的官方解决方案,但现在有。请参阅其他答案,或阅读纯粹的历史/向后兼容性兴趣。
Apple doesn't provide any sort of system for using Apple ID authentication (which includes Game Center) with third-party services. You're on your own for authentication, though you could look into OAuth for allowing single-sign-on via Facebook/Twitter/etc. (Just beware that not everyone has a Facebook/Twitter/etc identity, or one that they want to use for your game.)
Apple不提供任何类型的系统来使用Apple ID身份验证(包括Game Center)和第三方服务。您可以自行进行身份验证,但您可以通过Facebook / Twitter /等方式查看OAuth以进行单点登录。 (请注意,不是每个人都有Facebook / Twitter /等身份,或者他们想要为您的游戏使用的身份。)
In theory, the playerID property on GKPlayer is unique, constant, and not known to anyone else. So, in theory, you could use it for "poor man's authentication": present it to your server, and that's all the server needs to look up and provide player-specific stuff. But this is like authentication by UDID, or by user name only -- the only security it provides is obscurity. And what happens when you have a user who's not signed into Game Center?
理论上,GKPlayer上的playerID属性是唯一的,不变的,并且其他人都不知道。所以,理论上,你可以将它用于“穷人的身份验证”:将它呈现给你的服务器,这就是所有服务器需要查找并提供特定于玩家的东西。但这就像是通过UDID进行身份验证,或仅通过用户名进行身份验证 - 它提供的唯一安全措施是默默无闻。如果您的用户没有登录Game Center,会发生什么?
#3
2
Andy's answer is on the right track, but to finish the story: in those docs that he links to, there's an explanation of how to actually authenticate against Apple services that the GameCenter user actually is who he is claiming to be. Link to that part of the docs is below. Basically, the call on the client to generateIdentityVerificationSignatureWithCompletionHandler gives your some data including a URL. You give that data and the URL to your own server, and then from your server you can hit that URL to authenticate the user with the rest of the data that was provided by the call to generateIdentityVerificationSignatureWithCompletionHandler.
Andy的答案是正确的,但要完成这个故事:在他链接到的那些文档中,有一个解释说明如何对Apple服务实际验证GameCenter用户实际上是他声称的那个人。链接到该部分文档如下。基本上,客户端调用generateIdentityVerificationSignatureWithCompletionHandler会给出一些包含URL的数据。您将该数据和URL提供给您自己的服务器,然后从服务器中获取该URL,以使用对generateIdentityVerificationSignatureWithCompletionHandler的调用提供的其余数据对用户进行身份验证。
#4
0
I had a heck of a time figuring this out. I finally used a few hints from this answer, a couple of other SO answers, the php docs and some lucky guessing to come up with this complete answer.
我有一点时间搞清楚这一点。我终于使用了这个答案中的一些提示,其他几个SO答案,php文档和一些幸运的猜测来得出这个完整的答案。
NOTE: This method seems very open to hacking, as anyone could sign whatever they want with their own certificate then pass the server the data, signature and URL to their certificate and get back a "that's a valid GameCenter login" answer so, while this code "works" in the sense that it implements the GC algorithm, the algorithm itself seems flawed. Ideally, we would also check that the certificate came from a trusted source. Extra-paranoia to check that it is Apple's Game Center certificate would be good, too.
注意:此方法似乎非常容易被黑客攻击,因为任何人都可以使用自己的证书签署他们想要的任何内容,然后将服务器的数据,签名和URL传递给他们的证书并返回“这是一个有效的GameCenter登录”答案,这样,代码“工作”在它实现GC算法的意义上,算法本身似乎有缺陷。理想情况下,我们还会检查证书来自可信来源。特别偏执,检查它是Apple的游戏中心证书也是好的。
#1
11
Looks like as of iOS 7, this is possible with Game Center using:
看起来像iOS 7,这可以通过Game Center使用:
[localPlayer generateIdentityVerificationSignatureWithCompletionHandler]
Once you have verified the identity of the player using the generateIdentity call,
一旦使用generateIdentity调用验证了播放器的身份,
- Associate the player id with a user on your server's db
- Use whatever access token / authentication pattern your REST framework provides for subsequent calls
将玩家ID与服务器db上的用户相关联
使用REST框架为后续调用提供的任何访问令牌/身份验证模式
Also for reference, here is the dictionary that we end up sending off to our server based on the response from generateIdentityVerificationSignatureWithCompletionHandler
另外作为参考,这里是我们最终根据generateIdentityVerificationSignatureWithCompletionHandler的响应发送到我们的服务器的字典
NSDictionary *paramsDict = @{
@"publicKeyUrl":[publicKeyUrl absoluteString],
@"timestamp":[NSString stringWithFormat:@"%llu", timestamp],
@"signature":[signature base64EncodedStringWithOptions:0],
@"salt":[salt base64EncodedStringWithOptions:0],
@"playerID":localPlayer.playerID,
@"bundleID":[[NSBundle mainBundle] bundleIdentifier]
};
#2
4
edit: as if when I posted this there was no official solution from Apple, but there is now. See the other answers for that, or read on purely for historical / backwards-compatibility interest.
编辑:好像当我发布这个没有Apple的官方解决方案,但现在有。请参阅其他答案,或阅读纯粹的历史/向后兼容性兴趣。
Apple doesn't provide any sort of system for using Apple ID authentication (which includes Game Center) with third-party services. You're on your own for authentication, though you could look into OAuth for allowing single-sign-on via Facebook/Twitter/etc. (Just beware that not everyone has a Facebook/Twitter/etc identity, or one that they want to use for your game.)
Apple不提供任何类型的系统来使用Apple ID身份验证(包括Game Center)和第三方服务。您可以自行进行身份验证,但您可以通过Facebook / Twitter /等方式查看OAuth以进行单点登录。 (请注意,不是每个人都有Facebook / Twitter /等身份,或者他们想要为您的游戏使用的身份。)
In theory, the playerID property on GKPlayer is unique, constant, and not known to anyone else. So, in theory, you could use it for "poor man's authentication": present it to your server, and that's all the server needs to look up and provide player-specific stuff. But this is like authentication by UDID, or by user name only -- the only security it provides is obscurity. And what happens when you have a user who's not signed into Game Center?
理论上,GKPlayer上的playerID属性是唯一的,不变的,并且其他人都不知道。所以,理论上,你可以将它用于“穷人的身份验证”:将它呈现给你的服务器,这就是所有服务器需要查找并提供特定于玩家的东西。但这就像是通过UDID进行身份验证,或仅通过用户名进行身份验证 - 它提供的唯一安全措施是默默无闻。如果您的用户没有登录Game Center,会发生什么?
#3
2
Andy's answer is on the right track, but to finish the story: in those docs that he links to, there's an explanation of how to actually authenticate against Apple services that the GameCenter user actually is who he is claiming to be. Link to that part of the docs is below. Basically, the call on the client to generateIdentityVerificationSignatureWithCompletionHandler gives your some data including a URL. You give that data and the URL to your own server, and then from your server you can hit that URL to authenticate the user with the rest of the data that was provided by the call to generateIdentityVerificationSignatureWithCompletionHandler.
Andy的答案是正确的,但要完成这个故事:在他链接到的那些文档中,有一个解释说明如何对Apple服务实际验证GameCenter用户实际上是他声称的那个人。链接到该部分文档如下。基本上,客户端调用generateIdentityVerificationSignatureWithCompletionHandler会给出一些包含URL的数据。您将该数据和URL提供给您自己的服务器,然后从服务器中获取该URL,以使用对generateIdentityVerificationSignatureWithCompletionHandler的调用提供的其余数据对用户进行身份验证。
#4
0
I had a heck of a time figuring this out. I finally used a few hints from this answer, a couple of other SO answers, the php docs and some lucky guessing to come up with this complete answer.
我有一点时间搞清楚这一点。我终于使用了这个答案中的一些提示,其他几个SO答案,php文档和一些幸运的猜测来得出这个完整的答案。
NOTE: This method seems very open to hacking, as anyone could sign whatever they want with their own certificate then pass the server the data, signature and URL to their certificate and get back a "that's a valid GameCenter login" answer so, while this code "works" in the sense that it implements the GC algorithm, the algorithm itself seems flawed. Ideally, we would also check that the certificate came from a trusted source. Extra-paranoia to check that it is Apple's Game Center certificate would be good, too.
注意:此方法似乎非常容易被黑客攻击,因为任何人都可以使用自己的证书签署他们想要的任何内容,然后将服务器的数据,签名和URL传递给他们的证书并返回“这是一个有效的GameCenter登录”答案,这样,代码“工作”在它实现GC算法的意义上,算法本身似乎有缺陷。理想情况下,我们还会检查证书来自可信来源。特别偏执,检查它是Apple的游戏中心证书也是好的。