Setting Up Identity Providers #
This guide walks you through setting up identity providers and Pragma’s test provider.
Configure your identity provider #
Prerequisites:
- Before integrating with Pragma Engine, you’ll need an account with the third-party provider you are configuring.
Add the relevant configuration block to local-dev.yml (for local testing) or to one of the environment-specific files under your config/shard folder, for example production.yml for a production environment.
Steam #
```yaml
social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Steam:
          class: "pragma.account.SteamIdentityProviderPlugin"
          config:
            appId: "${steamAppId}"
            steamWebAPIKey: "${steamWebApiKey}"
            restrictByAppOwnership: false
            restrictByAccountBan: false
            playerLoginEnabled: true
            operatorLoginEnabled: false
            accountLinkingEnabled: true
            accountUnlinkingEnabled: false
            accountLinkingCooldownInDays: 0
            accountLinkingOneAssociationOnly: false
            showPortalLoginButton: false
            visibleToOtherPlayers: true
```
value | description |
---|---|
appId | Steam numerical value used to identify a game on Steam. |
steamWebAPIKey | Authorization key used to connect with the Steam Web API. |
restrictByAppOwnership | optional Boolean determining whether to reject users if they don’t own the app or are on a timed trial. |
restrictByAccountBan | optional Boolean determining whether to reject users who have been developer banned or VAC banned. |
playerLoginEnabled | optional Boolean determining whether to establish a player session with this identity provider. |
operatorLoginEnabled | optional Boolean determining whether to establish an operator session with this identity provider. |
accountLinkingEnabled | optional Boolean determining whether you can link accounts with this identity provider. |
showPortalLoginButton | optional Boolean determining whether this login method is available on the portal login page. |
visibleToOtherPlayers | optional Boolean determining whether Steam account information is visible to other players. |
accountLinkingCooldownInDays | optional The number of days a player must wait before linking a new account. This is scoped by provider and begins once the player unlinks their account. |
accountLinkingOneAssociationOnly | optional Boolean determining whether a player can have more than one unique account from the same identity provider. If set to false , the player can unlink their current account and link a different one. |
accountUnlinkingEnabled | optional Boolean determining whether a player can unlink their account in the Player Portal. |
Epic #
```yaml
social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Epic:
          class: "pragma.account.EpicIdentityProviderPlugin"
          config:
            clientId: "epic-client-id"
            clientSecret: "encrypted-epic-client-secret"
            redirectUri: "http://localhost:11200/v1/account/oauth-redirect/EPIC"
            restrictByCatalogItemOwnership: true
            deploymentId: "epic-deployment-id"
            sandboxId: "epic-sandbox-id"
            catalogItemId: "epic-catalog-item-id"
            playerLoginEnabled: true
            operatorLoginEnabled: false
            accountLinkingEnabled: true
            accountUnlinkingEnabled: false
            accountLinkingCooldownInDays: 0
            accountLinkingOneAssociationOnly: false
            showPortalLoginButton: false
            visibleToOtherPlayers: true
```
value | description |
---|---|
clientId | Epic ID that identifies developer’s Epic app while making authorization requests. |
clientSecret | Encrypted OAuth secret for the Epic app referenced by the clientId property. |
redirectUri | optional Backend authorization endpoint that Epic uses to validate OAuth handshakes. |
restrictByCatalogItemOwnership | optional Boolean determining whether to reject users if they do not own the catalog item specified. If set to true , the following configs must be configured: sandboxId and catalogItemId . |
sandboxId | ID of the sandbox environment you’d like to validate against. |
catalogItemId | ID of the catalog item you’d like to validate against. Typically this will be the Game Item ID of your game. |
deploymentId | optional This field is only required if OAuth login is enabled (portal login). ID of the deployment you’d like to validate against. For more information, refer to Epic’s documentation on Requesting an Access Token. |
playerLoginEnabled | Boolean determining whether to establish a player session with this identity provider. |
operatorLoginEnabled | optional Boolean determining whether to establish an operator session with this identity provider. |
accountLinkingEnabled | optional Boolean determining whether you can link accounts with this identity provider. |
showPortalLoginButton | optional Boolean determining whether this login method is available on the portal login page. |
visibleToOtherPlayers | optional Boolean determining whether Epic account information is visible to other players. |
accountLinkingCooldownInDays | optional The number of days a player must wait before linking a new account. This is scoped by provider and begins once the player unlinks their account. |
accountLinkingOneAssociationOnly | optional Boolean determining whether a player can have more than one unique account from the same identity provider. If set to false , the player can unlink their current account and link a different one. |
accountUnlinkingEnabled | optional Boolean determining whether a player can unlink their account in the Player Portal. |
Discord #
```yaml
social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Discord:
          class: "pragma.account.DiscordIdentityProviderPlugin"
          config:
            clientId: "${discordClientId}"
            clientSecret: "${discordClientSecret}"
            redirectUri: "http://localhost:11000/v1/account/discord-redirect"
            botToken: "${discordBotToken}"
            guildId: "${guildId}"
            allowedRoleIds:
              1: "${RoleId1}"
              2: "${RoleId2}"
            playerLoginEnabled: true
            operatorLoginEnabled: false
            accountLinkingEnabled: true
            accountUnlinkingEnabled: false
            accountLinkingCooldownInDays: 0
            accountLinkingOneAssociationOnly: false
            showPortalLoginButton: false
            visibleToOtherPlayers: false
```
value | description |
---|---|
clientId | Discord OAuth ID that identifies developer’s Discord app while making authorization requests. |
clientSecret | Encrypted OAuth secret for the Discord app referenced by the clientId property. |
redirectUri | optional Backend authorization endpoint that Discord uses to validate OAuth handshakes. |
botToken | optional Unique ID for Discord server bots. |
guildId | optional Discord-defined guild identifier. |
allowedRoleIds | optional Map of user roles that are allowed to authenticate. Discord rate limits requests using these values to 5 per second. See Discord’s Rate limits documentation for details. |
playerLoginEnabled | optional Boolean determining whether to establish a player session with this identity provider. |
operatorLoginEnabled | optional Boolean determining whether to establish an operator session with this identity provider. |
accountLinkingEnabled | optional Boolean determining whether you can link accounts with this identity provider. |
showPortalLoginButton | optional Boolean determining whether this login method is available on the portal login page. |
visibleToOtherPlayers | optional Boolean determining whether Discord account information is visible to other players. |
accountLinkingCooldownInDays | optional The number of days a player must wait before linking a new account. This is scoped by provider and begins once the player unlinks their account. |
accountLinkingOneAssociationOnly | optional Boolean determining whether a player can have more than one unique account from the same identity provider. If set to false , the player can unlink their current account and link a different one. |
accountUnlinkingEnabled | optional Boolean determining whether a player can unlink their account in the Player Portal. |
Check out the Unreal and Unity Setup Guides for Discord implementation details.
Google #
```yaml
social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Google:
          class: "pragma.account.GoogleIdentityProviderPlugin"
          config:
            allowedDomains:
              1: "${allowedDomain1}"
              2: "${allowedDomain2}"
            clientId: "${googleClientId}"
            clientSecret: "${googleClientSecret}"
            redirectUri: "http://localhost:11000/v1/account/google-redirect"
            playerLoginEnabled: true
            operatorLoginEnabled: false
            accountLinkingEnabled: true
            accountUnlinkingEnabled: false
            accountLinkingCooldownInDays: 0
            accountLinkingOneAssociationOnly: false
            showPortalLoginButton: false
            visibleToOtherPlayers: false
```
value | description |
---|---|
clientId | Google OAuth ID that identifies developer’s Google app while making authorization requests. |
clientSecret | Encrypted OAuth secret for the Google app referenced by the clientId property. |
redirectUri | optional Backend authorization endpoint that Google uses to validate OAuth handshakes. |
allowedDomains | optional Map of specific domains that are authorized for access–if this value is defined, all other domains are rejected. |
playerLoginEnabled | optional Boolean determining whether to establish a player session with this identity provider. |
operatorLoginEnabled | optional Boolean determining whether to establish an operator session with this identity provider. |
accountLinkingEnabled | optional Boolean determining whether you can link accounts with this identity provider. |
showPortalLoginButton | optional Boolean determining whether this login method is available on the portal login page. |
visibleToOtherPlayers | optional Boolean determining whether Google account information is visible to other players |
accountLinkingCooldownInDays | optional The number of days a player must wait before linking a new account. This is scoped by provider and begins once the player unlinks their account. |
accountLinkingOneAssociationOnly | optional Boolean determining whether a player can have more than one unique account from the same identity provider. If set to false , the player can unlink their current account and link a different one. |
accountUnlinkingEnabled | optional Boolean determining whether a player can unlink their account in the Player Portal. |
Check out the Google developer documentation for creating access credentials.
Google Workspace #
Google Workspace is a separate identity provider so that internal (Workspace) Google sign-in, typically used for operator login, can be configured independently of public Google sign-in for players.
```yaml
social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        GoogleWorkspace:
          class: "pragma.account.GoogleWorkspaceIdentityProviderPlugin"
          config:
            allowedDomains:
              1: "${allowedDomain1}"
              2: "${allowedDomain2}"
            clientId: "${googleClientId}"
            clientSecret: "${googleClientSecret}"
            redirectUri: "http://localhost:11000/v1/account/google-redirect"
            playerLoginEnabled: false
            operatorLoginEnabled: true
            accountLinkingEnabled: false
            accountUnlinkingEnabled: false
            accountLinkingCooldownInDays: 0
            accountLinkingOneAssociationOnly: false
            showPortalLoginButton: true
            visibleToOtherPlayers: false
```
value | description |
---|---|
clientId | Google Workspace OAuth ID that identifies developer’s Google Workspace app while making authorization requests. |
clientSecret | Encrypted OAuth secret for the Google Workspace app referenced by the clientId property. |
redirectUri | optional Backend authorization endpoint that Google Workspace uses to validate OAuth handshakes. |
allowedDomains | optional Map of specific domains that are authorized for access–if this value is defined, all other domains are rejected. |
playerLoginEnabled | optional Boolean determining whether to establish a player session with this identity provider. |
operatorLoginEnabled | optional Boolean determining whether to establish an operator session with this identity provider. |
accountLinkingEnabled | optional Boolean determining whether you can link accounts with this identity provider. |
showPortalLoginButton | optional Boolean determining whether this login method is available on the portal login page. |
visibleToOtherPlayers | optional Boolean determining whether Google Workspace account information is visible to other players. |
accountLinkingCooldownInDays | optional The number of days a player must wait before linking a new account. This is scoped by provider and begins once the player unlinks their account. |
accountLinkingOneAssociationOnly | optional Boolean determining whether a player can have more than one unique account from the same identity provider. If set to false , the player can unlink their current account and link a different one. |
accountUnlinkingEnabled | optional Boolean determining whether a player can unlink their account in the Player Portal. |
Check out the Google developer documentation for creating access credentials.
Twitch #
```yaml
social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Twitch:
          class: "pragma.account.TwitchIdentityProviderPlugin"
          config:
            clientId: "${twitchClientId}"
            clientSecret: "${twitchClientSecret}"
            redirectUri: "http://localhost:11000/v1/account/twitch-redirect"
            playerLoginEnabled: false
            operatorLoginEnabled: false
            accountLinkingEnabled: true
            accountUnlinkingEnabled: false
            accountLinkingCooldownInDays: 0
            accountLinkingOneAssociationOnly: false
            showPortalLoginButton: false
            visibleToOtherPlayers: false
```
value | description |
---|---|
clientId | Twitch OAuth ID that identifies developer’s Twitch app while making authorization requests. |
clientSecret | Encrypted OAuth secret for the Twitch app referenced by the clientId property. |
redirectUri | optional Backend authorization endpoint that Twitch uses to validate OAuth handshakes. |
playerLoginEnabled | optional Boolean determining whether to establish a player session with this identity provider. |
operatorLoginEnabled | optional Boolean determining whether to establish an operator session with this identity provider. |
accountLinkingEnabled | optional Boolean determining whether you can link accounts with this identity provider. |
showPortalLoginButton | optional Boolean determining whether this login method is available on the portal login page. |
visibleToOtherPlayers | optional Boolean determining whether Twitch account information is visible to other players. |
accountLinkingCooldownInDays | optional The number of days a player must wait before linking a new account. This is scoped by provider and begins once the player unlinks their account. |
accountLinkingOneAssociationOnly | optional Boolean determining whether a player can have more than one unique account from the same identity provider. If set to false , the player can unlink their current account and link a different one. |
accountUnlinkingEnabled | optional Boolean determining whether a player can unlink their account in the Player Portal. |
Meta Quest #
```yaml
social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        MetaQuest:
          class: "pragma.account.MetaQuestIdentityProviderPlugin"
          config:
            appId: "APP_ID"
            appCredentials: "OC|APP_ID|SECRET"
            orgId: "ORG_ID"
            showPortalLoginButton: true
            accountLinkingEnabled: true
            accountUnlinkingEnabled: false
            playerLoginEnabled: true
            operatorLoginEnabled: true
            accountLinkingCooldownInDays: 0
            accountLinkingOneAssociationOnly: false
```
value | description |
---|---|
appId | ID that identifies developer’s Meta Quest app while making authorization requests. |
appCredentials | Secret credentials displayed in Meta Quest app. |
orgId | ID of your Meta Quest organization. |
redirectUri | optional Backend authorization endpoint that Meta Quest uses to validate OAuth handshakes. |
requireEmailVerification | Boolean determining whether the provider account must have a verified email address to log in. |
playerLoginEnabled | optional Boolean determining whether to establish a player session with this identity provider. |
operatorLoginEnabled | optional Boolean determining whether to establish an operator session with this identity provider. |
accountLinkingEnabled | optional Boolean determining whether you can link accounts with this identity provider. |
showPortalLoginButton | optional Boolean determining whether this login method is available on the portal login page. |
visibleToOtherPlayers | optional Boolean determining whether Meta Quest account information is visible to other players. |
accountLinkingCooldownInDays | optional The number of days a player must wait before linking a new account. This is scoped by provider and begins once the player unlinks their account. |
accountLinkingOneAssociationOnly | optional Boolean determining whether a player can have more than one unique account from the same identity provider. If set to false , the player can unlink their current account and link a different one. |
accountUnlinkingEnabled | optional Boolean determining whether a player can unlink their account in the Player Portal. |
Okta #
```yaml
social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Okta:
          class: "pragma.account.OktaIdentityProviderPlugin"
          config:
            clientId: "${OktaClientId}"
            clientSecret: "${OktaClientSecret}"
            authorizationUri: "https://your-okta-subdomain.okta.com/oauth2/v1/authorize"
            tokenUri: "https://your-okta-subdomain.okta.com/oauth2/v1/token"
            userInfoUri: "https://your-okta-subdomain.okta.com/oauth2/v1/userinfo"
            redirectUri: "http://localhost:11000/v1/account/Okta-redirect"
            requireEmailVerification: true
            playerLoginEnabled: false
            operatorLoginEnabled: true
            accountLinkingEnabled: false
            accountUnlinkingEnabled: false
            accountLinkingCooldownInDays: 0
            accountLinkingOneAssociationOnly: false
            showPortalLoginButton: true
            visibleToOtherPlayers: false
```
value | description |
---|---|
clientId | Okta OAuth ID that identifies developer’s Okta app while making authorization requests. |
clientSecret | Encrypted OAuth secret for the Okta app referenced by the clientId property. |
authorizationUri | URI the user will be sent to for authentication with Okta. |
tokenUri | URI to obtain an access token by sending an auth code. |
userInfoUri | URI to obtain information about the user. |
redirectUri | optional Backend authorization endpoint that Okta uses to validate OAuth handshakes. |
requireEmailVerification | Boolean determining whether the Okta account must have a verified email address to log in. |
playerLoginEnabled | optional Boolean determining whether to establish a player session with this identity provider. |
operatorLoginEnabled | optional Boolean determining whether to establish an operator session with this identity provider. |
accountLinkingEnabled | optional Boolean determining whether you can link accounts with this identity provider. |
showPortalLoginButton | optional Boolean determining whether this login method is available on the portal login page. |
visibleToOtherPlayers | optional Boolean determining whether Okta account information is visible to other players. |
accountLinkingCooldownInDays | optional The number of days a player must wait before linking a new account. This is scoped by provider and begins once the player unlinks their account. |
accountLinkingOneAssociationOnly | optional Boolean determining whether a player can have more than one unique account from the same identity provider. If set to false , the player can unlink their current account and link a different one. |
accountUnlinkingEnabled | optional Boolean determining whether a player can unlink their account in the Player Portal. |
Auth0 #
```yaml
social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Auth0:
          class: "pragma.account.Auth0IdentityProviderPlugin"
          config:
            clientId: "auth0-client-id"
            clientSecret: "auth0-client-secret"
            authorizationUri: "https://your-auth0-subdomain.us.auth0.com/authorize"
            tokenUri: "https://your-auth0-subdomain.us.auth0.com/oauth/token"
            userInfoUri: "https://your-auth0-subdomain.us.auth0.com/userinfo"
            redirectUri: "https://localhost:11200/v1/oauth-redirect/auth0"
            requireEmailVerification: true
            playerLoginEnabled: false
            operatorLoginEnabled: true
            accountLinkingEnabled: false
            accountUnlinkingEnabled: false
            accountLinkingCooldownInDays: 0
            accountLinkingOneAssociationOnly: false
            showPortalLoginButton: true
            visibleToOtherPlayers: false
```
value | description |
---|---|
clientId | Auth0 OAuth ID that identifies developer’s auth0 app while making authorization requests. |
clientSecret | Encrypted OAuth secret for the auth0 app referenced by the clientId property. |
authorizationUri | URI the user will be sent to for authentication with Auth0. |
tokenUri | URI to obtain an access token by sending an auth code. |
userInfoUri | URI to obtain information about the user. |
redirectUri | optional Backend authorization endpoint that auth0 uses to validate OAuth handshakes. |
requireEmailVerification | Boolean determining whether the Auth0 account must have a verified email address to log in. |
playerLoginEnabled | optional Boolean determining whether to establish a player session with this identity provider. |
operatorLoginEnabled | optional Boolean determining whether to establish an operator session with this identity provider. |
accountLinkingEnabled | optional Boolean determining whether you can link accounts with this identity provider. |
showPortalLoginButton | optional Boolean determining whether this login method is available on the portal login page. |
visibleToOtherPlayers | optional Boolean determining whether Auth0 account information is visible to other players. |
accountLinkingCooldownInDays | optional The number of days a player must wait before linking a new account. This is scoped by provider and begins once the player unlinks their account. |
accountLinkingOneAssociationOnly | optional Boolean determining whether a player can have more than one unique account from the same identity provider. If set to false , the player can unlink their current account and link a different one. |
accountUnlinkingEnabled | optional Boolean determining whether a player can unlink their account in the Player Portal. |
PlayStation #
Xbox #
For identity providers not listed, studios can implement a custom Identity Provider Plugin. See the Create Custom Identity Providers page for more information.
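Once several providers are configured, it is easy to promote a shard file that still carries a setting meant only for local-dev.yml. The script below is an added example, not Pragma Engine's own tooling: given the parsed `social:` mapping of one of the files above (for instance `yaml.safe_load(open("production.yml"))["social"]`) and the environment name, it reports the Unsafe test provider enabled outside local-dev, credentials written as literals rather than `${...}` placeholders (the placeholder syntax is the page's; the rule that secrets must use it is this example's assumed policy), a loopback or plain-http redirectUri outside local-dev, a provider that grants both player and operator sessions (the split the Google and Google Workspace entries above are designed for), a Google or Google Workspace provider with operator login but no allowedDomains (per the tables above, an undefined allowedDomains rejects nothing), and operator login with requireEmailVerification explicitly disabled. The sample config is constructed for this example.

```python
"""Added example (not Pragma's own tooling): lint the identity-provider
plugin section of a Pragma shard config for settings that should not
leave local development. Input is the parsed `social:` mapping, e.g.
yaml.safe_load(open("production.yml"))["social"]."""
from typing import Any
from urllib.parse import urlsplit

# Config keys that hold credentials. Policy assumed by this example: they
# must be ${...} placeholders, never literal values committed in the file.
SECRET_KEYS = ("clientSecret", "steamWebAPIKey", "botToken", "appCredentials")
# Plugins whose allowedDomains gate which accounts may sign in; when the key
# is absent every domain is accepted, so operator login needs it set.
DOMAIN_GATED = ("GoogleIdentityProviderPlugin", "GoogleWorkspaceIdentityProviderPlugin")
LOOPBACK = ("localhost", "127.0.0.1", "::1")


def _is_placeholder(value: Any) -> bool:
    return isinstance(value, str) and value.startswith("${") and value.endswith("}")


def lint_identity_providers(social: dict, environment: str) -> list[str]:
    """Return human-readable findings for the file belonging to `environment`."""
    local = environment == "local-dev"
    plugins = (social.get("pluginConfigs", {})
                     .get("AccountService.identityProviderPlugins", {})
                     .get("plugins", {}))
    findings: list[str] = []
    for name, plugin in plugins.items():
        cls = plugin.get("class", "")
        cfg = plugin.get("config") or {}
        if cls.endswith("UnsafeIdentityProviderPlugin") and not local:
            findings.append(f"{name}: Unsafe test provider enabled in {environment}")
            continue
        for key in SECRET_KEYS:
            if key in cfg and not _is_placeholder(cfg[key]):
                findings.append(f"{name}: {key} is an inline literal, not a ${{...}} placeholder")
        uri = cfg.get("redirectUri")
        if uri:
            parts = urlsplit(uri)
            host = parts.hostname or ""
            if host in LOOPBACK and not local:
                findings.append(f"{name}: redirectUri {uri} points at loopback in {environment}")
            if parts.scheme != "https" and host not in LOOPBACK:
                findings.append(f"{name}: redirectUri {uri} is not https")
        operator = bool(cfg.get("operatorLoginEnabled"))
        if operator and cfg.get("playerLoginEnabled"):
            findings.append(f"{name}: grants both player and operator sessions")
        if operator and cls.endswith(DOMAIN_GATED) and not cfg.get("allowedDomains"):
            findings.append(f"{name}: operator login with no allowedDomains accepts any Google account")
        if operator and cfg.get("requireEmailVerification") is False:
            findings.append(f"{name}: operator login with requireEmailVerification disabled")
    return findings


# Constructed sample mirroring the YAML layout on this page (not a real config).
SAMPLE_SOCIAL = {
    "pluginConfigs": {
        "AccountService.identityProviderPlugins": {
            "plugins": {
                "Google": {
                    "class": "pragma.account.GoogleIdentityProviderPlugin",
                    "config": {
                        "clientId": "${googleClientId}",
                        "clientSecret": "hunter2",  # literal secret
                        "redirectUri": "http://localhost:11000/v1/account/google-redirect",
                        "playerLoginEnabled": True,
                        "operatorLoginEnabled": True,  # and no allowedDomains
                    },
                },
                "Discord": {
                    "class": "pragma.account.DiscordIdentityProviderPlugin",
                    "config": {
                        "clientId": "${discordClientId}",
                        "clientSecret": "${discordClientSecret}",
                        "botToken": "${discordBotToken}",
                        "redirectUri": "https://prod.mygame.mystudio.pragmaengine.com:11000/v1/account/discord-redirect",
                        "playerLoginEnabled": True,
                        "operatorLoginEnabled": False,
                    },
                },
                "Unsafe": {"class": "pragma.account.UnsafeIdentityProviderPlugin"},
            }
        }
    }
}

if __name__ == "__main__":
    for env in ("local-dev", "production"):
        print(f"== {env} ==")
        for finding in lint_identity_providers(SAMPLE_SOCIAL, env):
            print(" -", finding)
```

Run it against each file under config/shard before it is deployed; the same config is clean for local-dev and produces findings for production, which is the point of keying the checks on the environment name rather than on the file contents alone.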
Inform third party platforms of Pragma OAuth redirect URIs #
Any identity provider that uses OAuth requires a list of authorized redirect URIs to allow the Pragma Engine platform to authenticate with it.
These are redirect URIs you’ll need to configure on the third party platform.
For local development you’ll need to register these redirect URIs. For example, if you were setting up Discord they would be:
http://localhost:11000/v1/account/discord-redirect
http://localhost:11000/redirect/SignInDiscord
To enable authentication for the SDK or external clients:
http://localhost:11000/v1/account/{provider}-redirect
To enable Operator Portal authentication:
http://localhost:11200/redirect/SignIn{Provider}
http://localhost:10200/redirect/SignIn{Provider}
To enable Player Portal authentication and account linking:
http://localhost:11000/redirect/SignIn{Provider}
http://localhost:11000/redirect/Link{Provider}
For a deployed shard environment on Pragma hosting you’ll need to register these redirect URIs:
To enable users to login directly through the game client:
https://{shard}.{game_name}.{studio}.pragmaengine.com:11000/v1/account/{provider}-redirect
To enable Operator Portal authentication:
https://{shard}.internal.{game_name}.{studio}.pragmaengine.com:11200/redirect/SignIn{Provider}
https://{shard}.internal.{game_name}.{studio}.pragmaengine.com:10200/redirect/SignIn{Provider}
To enable Player Portal authentication and account linking add:
https://{shard}.{game_name}.{studio}.pragmaengine.com:11000/redirect/SignIn{Provider}
https://{shard}.{game_name}.{studio}.pragmaengine.com:11000/redirect/Link{Provider}
The examples for the Player Portal authentication and account linking use the Pragma default port of 11000. If you are using the standard port 443 instead you can omit the port numbers in these URIs.
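Providers compare the redirect_uri on each authorization request against what was registered, so the registered list has to contain every variant in the templates above, with the scheme, host, port and path exact. The script below is an added example, not Pragma's or any provider's code: it derives the full local and hosted allowlist for one provider from those templates (following the page's use of the lowercase name in the API route, as in discord-redirect, and the capitalized name in the portal routes, as in SignInDiscord), and contrasts a prefix match with the whole-string match a callback check should use. The shard, game and studio names and the attacker probes are constructed for the example; it drops the :11000 suffix only from the Player Portal URIs when standard_port is set, as the paragraph above describes.

```python
"""Added example (not Pragma's own code): derive the redirect-URI allowlist
for one provider from the templates on this page, and show why a callback
must be checked by exact match rather than by prefix."""
from urllib.parse import urlsplit

PUBLIC_PORT = 11000              # SDK/game-client and Player Portal routes
OPERATOR_PORTS = (11200, 10200)  # Operator Portal routes


def _route_names(provider: str) -> tuple[str, str]:
    # Lowercase in the API route (discord-redirect), capitalized in the
    # portal routes (SignInDiscord, LinkDiscord), as on this page.
    return provider.lower(), provider[:1].upper() + provider[1:]


def local_redirect_uris(provider: str) -> set[str]:
    """Redirect URIs to register with the provider for local development."""
    p, P = _route_names(provider)
    uris = {
        f"http://localhost:{PUBLIC_PORT}/v1/account/{p}-redirect",
        f"http://localhost:{PUBLIC_PORT}/redirect/SignIn{P}",
        f"http://localhost:{PUBLIC_PORT}/redirect/Link{P}",
    }
    uris.update(f"http://localhost:{port}/redirect/SignIn{P}" for port in OPERATOR_PORTS)
    return uris


def hosted_redirect_uris(provider: str, shard: str, game: str, studio: str,
                         standard_port: bool = False) -> set[str]:
    """Redirect URIs for a Pragma-hosted shard. standard_port=True drops the
    :11000 suffix from the Player Portal URIs only."""
    p, P = _route_names(provider)
    public = f"https://{shard}.{game}.{studio}.pragmaengine.com"
    internal = f"https://{shard}.internal.{game}.{studio}.pragmaengine.com"
    portal_port = "" if standard_port else f":{PUBLIC_PORT}"
    uris = {
        f"{public}:{PUBLIC_PORT}/v1/account/{p}-redirect",
        f"{public}{portal_port}/redirect/SignIn{P}",
        f"{public}{portal_port}/redirect/Link{P}",
    }
    uris.update(f"{internal}:{port}/redirect/SignIn{P}" for port in OPERATOR_PORTS)
    return uris


def naive_prefix_check(candidate: str, allowlist: set[str]) -> bool:
    """The weak check: accepts anything that merely starts with a registered URI."""
    return any(candidate.startswith(allowed) for allowed in allowlist)


def is_authorized_redirect(candidate: str, allowlist: set[str]) -> bool:
    """The check to apply: whole-string equality, so scheme, host, port and
    path must all match a registered entry and nothing may be appended."""
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or parts.query or parts.fragment:
        return False
    return candidate in allowlist


if __name__ == "__main__":
    allow = local_redirect_uris("Discord")
    for uri in sorted(allow):
        print(uri)
    # Constructed probes that share a prefix with a registered URI.
    base = "http://localhost:11000/v1/account/discord-redirect"
    for probe in (base + "?next=https://attacker.example", base + "/../static"):
        print(probe, "prefix:", naive_prefix_check(probe, allow),
              "exact:", is_authorized_redirect(probe, allow))
```

Register the output of local_redirect_uris and hosted_redirect_uris with the provider verbatim; the is_authorized_redirect check is the behaviour to expect from the provider side, and the reason a stray query string or trailing path segment in your own configured redirectUri will fail the login rather than be tolerated.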
Get started with Unsafe Identity Provider #
To enable the Unsafe Identity Provider (the test provider mentioned at the top of this page), add the following:
local-dev.yml
```yaml
social:
  serviceConfigs:
    UnsafeIdentityDaoConfig:
      databaseConfig:
        username: "superuser"
        password: "password"
        hostPortSchema: "localhost:3306/local_social_unsafe_identity_provider"
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Unsafe:
          class: "pragma.account.UnsafeIdentityProviderPlugin"
```
In a managed environment, reach out to your customer representative for the proper credentials for your database.
[optional] Set account linking restrictions #
You can specify the period of time a player must wait before linking a new account for a given provider using accountLinkingCooldownInDays. In addition, accountLinkingOneAssociationOnly determines whether a player may hold only one linked account of a given provider type.