New user account integration

Last updated on September 12, 2024

Overview

Before allowing your users to register and login, you need to set the following for new accounts:

• The acceptable user information (e.g., usernames, passwords, email addresses, etc.)
• The registration flow that you want to use
• The minimum user age for accessing your platform
• The legal agreements for the users before they can access your platform
• The third-party logins that are allowed for your platform

This article provides information and resources on how to integrate these for new user account creation for AccelByte Gaming Services (AGS) games.

IAM input validation (user information)

You can customize the validation of usernames, display names, passwords, emails, and avatars your users use in their full accounts. To learn more, see Input Validation.

Age restrictions

You can prevent account creation for users below a certain age. To learn more, see Age restrictions.

Legal agreements

You need to set up legal document(s) such as a Terms of Service (ToS), Privacy Policy, End User License Agreement (EULA), and marketing preferences so your users can agree and comply when they register. To learn more, see Legal Agreements.

Mandatory email verification

You can enable the mandatory email verification that will force users to verify their email addresses before registering, or allow them to verify after registration. To learn more, see Mandatory email verification.

Third-party logins

You can let your users use their third-party accounts to log into your game or website. To learn more, see the guide for each platform in the Authentication section.

Integration

Use the information in these sections to help you integrate account registration.

Web Application

You can use the AGS Web SDK to integrate the AGS API into your web applications.

Registration Flow

1. First, you need to fetch the input validation using the PublicGetInputValidations API. It will be used to validate user input when they register.

2. Fetch the user country using the GetCountryLocationV3 API. With the country data, you can call PublicGetCountryAgeRestrictionV3 to check the age restriction to the specific country.

3. You can have a different registration flow depending on your mandatory email verification setting.

Mandatory Email verification enabled

1. The user needs to enter their email address and send the verification code to their email using the PublicSendRegistrationCode API.

2. The user will receive the verification code on their side.

3. The user will be forced to fill the code field with the verification code that they received in their email inbox.

4. After the user fills in all of the required fields, create the user using the PublicCreateUserV4 API.

5. After the user registers successfully, you can use their email address and password input to do an account login flow, so they will be logged in automatically after they register.

Mandatory Email verification disabled

1. The user doesn't need to fill in the code field.

2. After the user fills in all of the required fields, create the user using PublicCreateUserV4 API.

3. After the user registers successfully, you can use their email address and password input to do an account login flow, so they will be logged in automatically after they register.

Login flow

1. First, you need to obtain the request_id by calling the AuthorizeV3 API. Set the basic authorization using the client credential.

2. After you got the request_id, you can continue to authenticate the user. User authentication has two login options: account login or third-party login.

Account login

3. Fetch the input validation data using the PublicGetInputValidations API.

4. The user will need to input their username or email address and password. You can validate the user input using input validation data from the previous step. If the username or email is using the wrong format, you can disable the login button to prevent them from proceeding before they adjust their input.

5. When the user inputs are using the valid formats, a user can click login. You need to call the AuthenticateV3 API.

   • user_name: it can be a username or email address
   • password: its password
   • request_id: use the request_id from the previous section

6. The browser will be redirected based on redirect_uri from the previous AuthorizeV3 request.

   • if it succeeds, the redirect URI will contain code as the query parameter.
   • When the login fails, it will redirect the user to the redirect_uri and there will be an error detail as the query parameter.

7. Exchange the token using the TokenGrantV3 API. In this case:

   • set basic authorization using the client credential
   • grant_type: use authorization_code
   • code: use the code that was obtained from the redirected URI
   • code_verifier: fill it based on the code_challenge on the AuthorizeV3 request
   • client_id: fill it based on the client_id on AuthorizeV3 request

8. When exchanged token and login is successful, it will set access_token and refresh_token. With access_token, the user can access AGS.

Third-party login

Supported third-party platforms:

- Steam
- PSN
- XBOX
- Epic Games
- Twitch
- Facebook
- Google
- Snapchat
- Discord

3. List out all active third party logins by using RetrieveAllActiveThirdPartyLoginV3 and list out all the active OIDC platform logins by using RetrieveActiveOIDCClientsV3.

4. When clicking one of the third-party logins, call AuthCodeRequestV3. Fill the platform_id based on chosen third party from the user and fill in the request_id based on the AuthorizeV3 request.

5. The user will be redirected to the third-party authentication page. After the user successfully authenticates the third-party side, the user will be redirected back to your website with the code query parameter.

6. You can use the code to authenticate the third-party using PlatformAuthenticationV3.

7. PlatformAuthenticationV3 will redirect again to your website with new code query parameter. Then, you can Exchange the token using TokenGrantV3 API. In this case:

   • grant_type: use authorization_code
   • code: use the code that was obtained from the previous section
   • code_verifier: fill it based on the code_challenge on the AuthorizeV3 request
   • client_id: fill it based on client_id on AuthorizeV3 request

8. When the exchange token and login is successful, it will set access_token and refresh_token. With the access_token, the user can access AGS.

9. When the access_token has expired, you can refresh the user token using the valid refresh_token. To refresh the token, call the TokenGrantV3 API:
   • set the basic authorization using the client credential
   • set grant_type as refresh_token
   • fill refresh_token with the user refresh token