Create and edit an IAM client
Overview
AccelByte Gaming Services (AGS) uses identity and access management (IAM) clients to manage which game resources can be accessed and manipulated by applications. This How-to will walk you through creating an IAM client for your game using the AGS Admin Portal.
For more information about IAM clients and how they interact with AGS, see Managing access control for applications.
Prerequisites
To manage IAM clients, you will need an AGS account with Admin Portal administrator privileges to the game namespace you wish to create an IAM client for. If you don't have access, please reach out to your AccelByte account representative.
Create an IAM Client
Follow these steps to create an IAM client, which is done directly from a game namespace in the AGS Admin Portal.
- AGS Shared Cloud
- AGS Private Cloud
For AGS Shared Cloud:
In the AGS Admin Portal, go to your namespace.
On the sidebar, select Game Setup > Games and Apps > IAM Clients.
On the IAM Clients page, click on the + Create IAM Clients button. The Create IAM Client form appears.
In the General Preferences section, select a create option. Then, fill in the required information:
- Create from Template
- Create custom IAM Clients
Create from Template: choose this option if you want to use a template to create an IAM client.
From the Select Template dropdown, select the template you want to use:
- Game Client: used by game clients to facilitate login to AccelByte. Upon successful login, it provides a user token that grants access to various publicly available features within the AccelByte platform. For the Game Client template specifically, the Platform field is also required.
- Dedicated Server: used by servers or dedicated servers (DS) to obtain a client token necessary for accessing AccelByte's administrative features.
- Dedicated Server Tools: used for uploading Dedicated Server (DS) images to the AccelByte Multiplayer Services (AMS) server and for facilitating the operation of AMS tools.
- Custom Backend Tooling: used for custom backends that clients develop themselves. Add permissions as required, in line with the features available in AGS.
After selecting a template, the Client Name, Client Type, Redirect URI, and Description fields in the Client Configuration section will be auto-filled by the template.
Note: The sections and fields that appear and are pre-filled after you select a template may vary based on the template.
Fill in the required information:
Client Configuration
Client Name: type in the name for the client. The AGS system will use this name to identify the IAM client in user-facing forms and documents.
Client Type: define how the client interacts with AGS. Choose between Public and Confidential. For more information, refer to IAM client types.
Secret: this serves as the password for confidential clients. You can fill in the field manually with your own password following the recommended format, or click Generate to have the AGS system create one for you.
Danger: Ensure that you keep a secure copy of the client secret. After you create the client, this will no longer be visible or accessible.
Redirect URI
- For web-based clients (such as websites or launchers), set the value to the URL that the system redirects the user to upon successful login.
- For non-web-based clients (such as game servers, game clients, or server uploaders), set the value to http://127.0.0.1.
Tip: You can add multiple URIs by clicking the + Add more button.
Platform (only applicable to Game Client template): from the dropdown, select which third-party platform the SDK client will run on. If you choose not to bind the client to any third-party platform, leave it blank.
Note: The system requires this platform information for cross-platform features. For example, cross-platform virtual currency and wallet.
Description (Optional): describe the function of the IAM Client.
Advanced Configuration: this section allows you to override behaviors for specific IAM clients. Click on Show Advanced Configuration to display the section.
Scopes: this is a mechanism in OAuth 2.0 that limits which resources an IAM Client can access. From the dropdown, select the services that you want to be accessible to the IAM client. To learn more about scopes, see the OAuth 2.0 documentation.
Scopes and their services:
- commerce: Platform, Season Pass
- account: Basic, GDPR, IAM, Legal
- social: Achievement, Chat, Cloudsave, Group, Leaderboard, Lobby, Matchmaking, Session, Session Browser, Statistics
- publishing: Buildinfo, Differ
- analytics: Statistics
Target Audience (Optional): this controls which services the user or application token can access, based on the purpose of this client. The client's Base URI, contained in the target audience dropdown, represents the target service.
Note: This serves as a white list to allow backend services to quickly reject connection attempts before checking client or user permissions. When the IAM client attempts to access a service endpoint, the service first checks the client's Target Audience list. The system rejects the connection attempt if the service's URI does not match the Base URI of any of the clients in the Target Audience field. If the client passes the Target Audience check, or if the client's Target Audience field is empty, the service proceeds to the next authentication step in the client's request, such as checking its permissions and scopes.
Base URI (Optional; works together with Target Audience): this is the service's identity in the audience implementation.
Override Expiration Time: switch on this toggle to override the default Access Token Expiration Time and Refresh Token Expiration Time and manually configure their values. This allows you to configure how long your players can stay logged in when they use the third-party app associated with the IAM client to log in to your player portal.
In the Permissions section, start adding permissions to the IAM client. Find the permissions that you want to add to the client. Then, for each permission, tick the boxes of the actions (Read, Create, Update, and/or Delete) that you want it to have. For easier navigation, click on Hide/Show unselected permissions. You can skip this step and proceed to step 5 to create the IAM client. You can add and edit the permissions of an IAM client at a later time. See Add and edit IAM client permissions.
Note: If you're creating a public IAM client, this section will not appear on the form. You can only add permissions to confidential IAM clients.
Create custom IAM Clients: choose this option if you know what IAM client to create and the permissions you need to add to it. After selecting this option, the system displays the Client Configuration and Advanced Configuration sections.
Fill in the required information:
Client Configuration
Client ID: system-generated unique ID for the IAM client. This cannot be edited.
Client Name: type in the name for the client. The AGS system will use this name to identify the IAM client in user-facing forms and documents.
Client Type: define how the client interacts with AGS. Choose between Public and Confidential. For more information, refer to IAM client types.
Secret: this serves as the password for confidential clients. You can fill in the field manually with your own password following the recommended format, or click Generate to have the AGS system create one for you.
Danger: Ensure that you keep a secure copy of the client secret. After you create the client, this will no longer be visible or accessible.
Redirect URI
- For web-based clients (such as websites or launchers), set the value to the URL that the system redirects the user to upon successful login.
- For non-web-based clients (such as game servers, game clients, or server uploaders), set the value to http://127.0.0.1.
Tip: You can add multiple URIs by clicking the + Add more button.
Platform: from the dropdown, select which third-party platform the SDK client will run on. If you choose not to bind the client to any third-party platform, leave it blank.
Note: The system requires this platform information for cross-platform features. For example, cross-platform virtual currency and wallet.
Description (Optional): describe the function of the IAM Client.
Advanced Configuration: this section allows you to override behaviors for specific IAM clients. Click on Show Advanced Configuration to display the section.
Scopes: this is a mechanism in OAuth 2.0 that limits which resources an IAM Client can access. From the dropdown, select the services that you want to be accessible to the IAM client. To learn more about scopes, see the OAuth 2.0 documentation.
Scopes and their services:
- commerce: Platform, Season Pass
- account: Basic, GDPR, IAM, Legal
- social: Achievement, Chat, Cloudsave, Group, Leaderboard, Lobby, Matchmaking, Session, Session Browser, Statistics
- publishing: Buildinfo, Differ
- analytics: Statistics
Target Audience (Optional): this controls which services the user or application token can access, based on the purpose of this client. The client's Base URI, contained in the target audience dropdown, represents the target service.
Note: This serves as a white list to allow backend services to quickly reject connection attempts before checking client or user permissions. When the IAM client attempts to access a service endpoint, the service first checks the client's Target Audience list. The system rejects the connection attempt if the service's URI does not match the Base URI of any of the clients in the Target Audience field. If the client passes the Target Audience check, or if the client's Target Audience field is empty, the service proceeds to the next authentication step in the client's request, such as checking its permissions and scopes.
Base URI (Optional; works together with Target Audience): this is the service's identity in the audience implementation.
Override Expiration Time: switch on this toggle to override the default Access Token Expiration Time and Refresh Token Expiration Time and manually configure their values. This allows you to configure how long your players can stay logged in when they use the third-party app associated with the IAM client to log in to your player portal.
Click Create. The new IAM client is created and added to the IAM Clients list with a system-generated client ID, which cannot be edited. Proceed to adding permissions to the IAM client.
For AGS Private Cloud:
In the AGS Admin Portal, go to your namespace.
On the sidebar, select Game Setup > Games and Apps > IAM Clients.
On the IAM Clients page, click on the + Create IAM Clients button. The Create New IAM Client form appears.
Fill in the required information:
Basic Information
Client ID: system-generated unique ID for the IAM client. This cannot be edited.
Client Type: define how the client interacts with AGS. Choose between Public and Confidential. For more information, refer to IAM client types.
Secret (Only applicable to confidential type): this serves as the password for confidential clients. You can fill in the field manually with your own password following the recommended format, or click Generate to have the AGS system create one for you.
Danger: Ensure that you keep a secure copy of the client secret. After you create the client, this will no longer be visible or accessible.
Client Name: type in the name for the client. The AGS system will use this name to identify the IAM client in user-facing forms and documents.
Scopes: this is a mechanism in OAuth 2.0 that limits which resources an IAM Client can access. From the dropdown, select the services that you want to be accessible to the IAM client. To learn more about scopes, see the OAuth 2.0 documentation.
Scopes and their services:
- commerce: Platform, Season Pass
- account: Basic, GDPR, IAM, Legal
- social: Achievement, Chat, Cloudsave, Group, Leaderboard, Lobby, Matchmaking, Session, Session Browser, Statistics
- publishing: Buildinfo, Differ
- analytics: Statistics
Redirect URI
- For web-based clients (such as websites or launchers), set the value to the URL that the system redirects the user to upon successful login.
- For non-web-based clients (such as game servers, game clients, or server uploaders), set the value to http://127.0.0.1.
Tip: You can add multiple URIs by clicking the + Add more button.
Target Audience (Optional): this controls which service endpoints the IAM client can access. The Target Audience dropdown contains a list of clients from the namespace that the IAM client is in, along with the Base URI value that the client specifies.
Note: This serves as a white list to allow backend services to quickly reject connection attempts before checking client or user permissions. When the IAM client attempts to access a service endpoint, the service first checks the client's Target Audience list. The system rejects the connection attempt if the service's URI does not match the Base URI of any of the clients in the Target Audience field. If the client passes the Target Audience check, or if the client's Target Audience field is empty, the service proceeds to the next authentication step in the client's request, such as checking its permissions and scopes.
Base URI (Optional; works together with Target Audience): if another client (Client B) will use this client (Client A) as its target audience, use the URL of Client B. If not, leave blank.
Description (Optional): describe the function of the IAM Client.
Client SDK Configuration
Platform (Optional): from the dropdown, select which third-party platform the SDK client will run on. If you choose not to bind the client to any third-party platform, leave it blank.
Note: The system requires this platform information for cross-platform features. For example, cross-platform virtual currency and wallet.
Advanced Configurations: this section allows you to override behaviors for specific IAM clients.
Two-Factor Authentication: switch on this toggle to enable two-factor authentication (2FA) for the IAM client.
Override Expiration Time: switch on this toggle to override the default Access Token Expiration Time and Refresh Token Expiration Time and manually configure their values. This allows you to configure how long your players can stay logged in when they use the third-party app associated with the IAM client to log in to your player portal.
Click Create to create the IAM client. The details page of the IAM client appears. If you created a confidential IAM client, you can proceed to adding permissions to it. See Add and edit IAM client permissions.
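The Target Audience note in the steps above describes an ordering: the audience check runs first, an empty Target Audience skips it, and scopes and permissions are checked afterwards. The following Python model of that ordering is an added example, not AccelByte code; the IamClient class, the client names, the example.test URIs and the URI-matching rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class IamClient:                      # hypothetical model of one IAM client record
    client_id: str
    base_uri: str = ""                # the client's "Base URI" field
    target_audience: list = field(default_factory=list)  # client IDs picked in the dropdown
    scopes: set = field(default_factory=set)

def normalise(uri):
    # Assumption: "match" means equal after lower-casing scheme/host and dropping a trailing slash.
    p = urlsplit(uri.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"

def audience_check(caller, service_uri, registry):
    if not caller.target_audience:    # empty list: the filter is skipped, not failed
        return True
    allowed = {normalise(registry[c].base_uri) for c in caller.target_audience
               if c in registry and registry[c].base_uri}
    return normalise(service_uri) in allowed

def authorise(caller, service_uri, required_scope, registry):
    if not audience_check(caller, service_uri, registry):
        return "reject:audience"      # rejected before permissions or scopes are looked at
    if required_scope not in caller.scopes:
        return "reject:scope"
    return "allow"                    # permission checks would follow here

def unrestricted_clients(registry):
    # Review aid: clients whose tokens are not narrowed by any Target Audience entry.
    return sorted(c.client_id for c in registry.values() if not c.target_audience)

# Constructed sample data (names and URIs are placeholders, not AGS values).
REGISTRY = {c.client_id: c for c in [
    IamClient("lobby-svc", base_uri="https://lobby.example.test"),
    IamClient("stats-svc", base_uri="https://stats.example.test"),
    IamClient("game-server", target_audience=["lobby-svc"], scopes={"social"}),
    IamClient("backend-tool", scopes={"social", "account"}),
]}

if __name__ == "__main__":
    gs, tool = REGISTRY["game-server"], REGISTRY["backend-tool"]
    print(authorise(gs, "https://lobby.example.test/", "social", REGISTRY))
    print(authorise(gs, "https://stats.example.test", "social", REGISTRY))
    print(authorise(tool, "https://stats.example.test", "social", REGISTRY))
    print(unrestricted_clients(REGISTRY))
```

In this model, a client with an empty Target Audience reaches every service that its scopes allow, so unrestricted_clients is the list to review when tightening access.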
Edit an IAM client
- On the Admin Portal sidebar, go to Game Setup > Games and Apps > IAM Clients. The IAM Clients page appears.
- From the IAM Clients list, find the IAM client you want to edit and click on its ID to view its details.
- On the Details tab of the IAM client, click the Edit icon next to the fields you wish to edit.
- Edit the information as needed and click on the checkmark to save your changes.
Your new information will be saved to the IAM client and a pop-up message will appear in the top-right corner to confirm.
What's next?
Now that you've created an IAM client, you can begin adding permissions to it. Follow the How-to on adding permissions to an IAM client to do this.