This document is about: SERVER 5

Photon Steam Authentication

Server Configuration

  • Open "deploy\NameServer\bin\NameServer.xml.config".
  • Make sure CustomAuth is enabled: Enabled must be set to true.
  • Optionally set AllowAnonymous to true or false depending on your needs. We recommend setting it to false.
  • Set AuthenticationType to "1", which is the code for the Steam authentication provider type.
  • Choose any name you want. We used "Steam" for this example, but you can change it.
  • Leave "AuthUrl" empty. The attribute is required, but it is not used because the authentication endpoint is internal.
  • Find below the list of the other Steam-specific mandatory settings with their descriptions:

XML

  <CustomAuth Enabled="true" AllowAnonymous="false">
    <AuthProviders>
      <AuthProvider Name="Steam"
        AuthenticationType="1"
        AuthUrl="">
          <CustomAttributes
            apiKeySecret="Val1"
            appid="Val2"
            verifyOwnership="true"
            verifyVacBan="true"
            verifyPubBan="true" />
      </AuthProvider>
    </AuthProviders>
  </CustomAuth>

  • apiKeySecret: Steam Publisher Web API key. Do not confuse it with the Steam User Key. Read more about how to get one here.
  • appid: ID of the Steam game. You can get one after going through the Steam Direct process (formerly known as Steam Greenlight).
  • verifyOwnership: Can be true or false. Whether or not to enable Ownership Verification during authentication. This allows you to verify that the user really owns the game (purchased it and has it in their library). This step, if enabled, is performed just after validating the user's session ticket. Enabling this may add extra delay in authentication, so enable it only if you really need it.
  • verifyVacBan: Can be true or false. Whether or not to check if the user has been banned by Valve's Anti-Cheat (VAC) during authentication. Read more here. Enabling this may add extra delay in authentication, so enable it only if you really need it.
  • verifyPubBan: Can be true or false. Whether or not to check if the user has been banned using a Publisher Ban during authentication. Read more here. Enabling this may add extra delay in authentication, so enable it only if you really need it.
  • version: Can be 1 or 2 (default value 1). If version is set to 2, the identity parameter is used when verifying the session ticket. Leave at 1 if you don't use identity.
  • identity: Used if version is set to 2. Steamworks SDK 1.57 added GetAuthTicketForWebAPI, which requires an identity parameter. Can be any string identifier (default "photon").

Client Code (Unity)

The client must use Valve's Steamworks API to get a session ticket. This ticket is proof that the client is a valid Steam user.

Steamworks.NET

Steamworks.NET is a popular free and open source Steamworks API wrapper. Follow the instructions listed on this page to import a Unity version of Steamworks.NET.

Get Ticket

Use the following code to get a session ticket using the Steamworks API and convert it to a hex encoded UTF-8 string:

C#

using System.Text; // StringBuilder
using Steamworks;  // SteamUser, HAuthTicket

// hAuthTicket should be saved so you can use it to cancel the ticket as soon as you are done with it
public string GetSteamAuthTicket(out HAuthTicket hAuthTicket)
{
    byte[] ticketByteArray = new byte[1024];
    uint ticketSize;
    hAuthTicket = SteamUser.GetAuthSessionTicket(ticketByteArray, ticketByteArray.Length, out ticketSize);
    System.Array.Resize(ref ticketByteArray, (int)ticketSize);
    StringBuilder sb = new StringBuilder();
    for(int i=0; i < ticketSize; i++)
    {
        sb.AppendFormat("{0:x2}", ticketByteArray[i]);
    }
    return sb.ToString();
}

See the description of the version and identity parameters above: if version is set to 2, GetAuthTicketForWebAPI has to be used instead of GetAuthSessionTicket.

Send Ticket

The client must send the user's session ticket (after converting it to a hex encoded UTF-8 string) as a value of a query string key "ticket".

Cancel Ticket

It is recommended to cancel or revoke the ticket once authentication is done.
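
The three steps above (get, send, cancel) combined into one component, as an added example that is not part of the original page or of Photon's own code. It assumes a PUN 2 client (PhotonNetwork, AuthenticationValues, CustomAuthenticationType.Steam, MonoBehaviourPunCallbacks), an already initialized Steamworks.NET, and the same GetAuthSessionTicket overload used above; the class name SteamPhotonLogin is hypothetical.

```csharp
using System;
using Photon.Pun;
using Photon.Realtime;
using Steamworks;
using UnityEngine;

// Hypothetical component name; PUN 2 and Steamworks.NET are assumptions of this example.
public class SteamPhotonLogin : MonoBehaviourPunCallbacks
{
    private HAuthTicket hAuthTicket = HAuthTicket.Invalid;

    public void Connect()
    {
        byte[] buffer = new byte[1024];
        hAuthTicket = SteamUser.GetAuthSessionTicket(buffer, buffer.Length, out uint size);
        if (hAuthTicket == HAuthTicket.Invalid || size == 0)
        {
            Debug.LogError("Steam did not issue a session ticket; not connecting.");
            return;
        }
        // Hex encode only the bytes Steam actually wrote, not the whole buffer.
        string ticket = BitConverter.ToString(buffer, 0, (int)size)
            .Replace("-", "").ToLowerInvariant();

        var auth = new AuthenticationValues { AuthType = CustomAuthenticationType.Steam };
        auth.AddAuthParameter("ticket", ticket); // query string key the server reads
        PhotonNetwork.AuthValues = auth;
        PhotonNetwork.ConnectUsingSettings();
    }

    // Authentication is done once the Master Server is reached, or once it has failed.
    public override void OnConnectedToMaster() { ReleaseTicket(); }

    public override void OnCustomAuthenticationFailed(string debugMessage)
    {
        Debug.LogWarning("Steam authentication rejected: " + debugMessage);
        ReleaseTicket();
    }

    public override void OnDisconnected(DisconnectCause cause) { ReleaseTicket(); }

    // Cancel exactly once so the ticket cannot be presented again after login.
    private void ReleaseTicket()
    {
        if (hAuthTicket == HAuthTicket.Invalid) return;
        SteamUser.CancelAuthTicket(hAuthTicket);
        hAuthTicket = HAuthTicket.Invalid;
    }
}
```

The ticket string is kept only in a local variable and is never logged, so it does not end up in player logs or crash reports.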

Facepunch.Steamworks

Facepunch.Steamworks is an alternative free and open source implementation of the Steamworks API. Follow the instructions listed on this page to import Facepunch.Steamworks.

Get Ticket

Use the following code to get a session ticket and convert it to a hex encoded UTF-8 string:

C#

using System.Text; // StringBuilder
using Steamworks;  // SteamUser, AuthTicket

// authTicket should be saved so you can use it to cancel the ticket as soon as you are done with it
public string GetSteamAuthTicket(out AuthTicket authTicket)
{
    authTicket = SteamUser.GetAuthSessionTicket();
    StringBuilder ticketString = new StringBuilder();
    for (int i = 0; i < authTicket.Data.Length; i++)
    {
        ticketString.AppendFormat("{0:x2}", authTicket.Data[i]);
    }
    return ticketString.ToString();
}

Send Ticket

The client must send the user's session ticket (after converting it to a hex encoded UTF-8 string) as a value of a query string key "ticket".

Cancel Ticket

It is recommended to cancel or revoke the ticket once authentication is done.

Change History

June 20, 2023:

  • Added: description for Steam identity usage