Identity Providers #

Pragma Engine enables cross-play, cross-progression, and cross-platform experiences by supporting multiple identity providers with account linking. This allows players to start on one platform and link their account when switching to another platform.

Identity providers are linked to a Pragma Engine account and used for authentication and platform-specific social integration. These accounts are isolated from player and social data to enable seamless cross-platform experiences.

Test Provider #

The Pragma Engine test provider uses the name Unsafe Provider to indicate that it’s only for internal and testing use cases and should not be enabled in production. It can also be used in load testing to allow the creation of millions of test accounts.

When run in development mode, the platform populates the Test Provider with default accounts (test01 - test20). To disable the test provider, set canAuthenticate to false in the UnsafeIdentityDaoConfig service config under social.

social:
  serviceConfigs:
    UnsafeIdentityDaoConfig:
      canAuthenticate: false

Configure Identity Providers #

Pragma Engine is highly configurable. You can enable additional plugins and custom services via the config files located in the 5-ext/config directory. Add the relevant configuration code blocks to local-dev.yml (for testing) or common.yml (for production) under the social section.

For identity providers not listed, studios can implement a custom Identity Provider Plugin. See the Custom Identity Provider concepts page for more information.

Steam configuration

value | description
appId | Steam numerical value used to identify a game on Steam
steamWebAPIKey | authorization key used to connect with the Steam Web API
restrictByAppOwnership | (optional) boolean determining whether to reject users if they don’t own the app or are on a timed trial
restrictByAccountBan | (optional) boolean determining whether to reject users who have been developer banned or VAC banned
playerLoginEnabled | boolean determining whether to establish a player session with this identity provider
operatorLoginEnabled | boolean determining whether to establish an operator session with this identity provider
accountLinkingEnabled | boolean determining whether you can link accounts with this identity provider
showPortalLoginButton | (optional) boolean determining whether this login method is available on the portal login page

social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Steam:
          class: "pragma.account.SteamIdentityProviderPlugin"
          config:
            appId: "${steamAppId}"
            steamWebAPIKey: "${steamWebApiKey}"
            restrictByAppOwnership: false
            restrictByAccountBan: false
            playerLoginEnabled: true
            operatorLoginEnabled: false
            accountLinkingEnabled: true
            showPortalLoginButton: false

Epic configuration

value | description
playerLoginEnabled | boolean determining whether to establish a player session with this identity provider
operatorLoginEnabled | boolean determining whether to establish an operator session with this identity provider
accountLinkingEnabled | boolean determining whether you can link accounts with this identity provider
showPortalLoginButton | (optional) boolean determining whether this login method is available on the portal login page

social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Epic:
          class: "pragma.account.EpicIdentityProviderPlugin"
          config:
            playerLoginEnabled: true
            operatorLoginEnabled: false
            accountLinkingEnabled: true
            showPortalLoginButton: false

Discord configuration

value | description
clientId | Discord OAuth ID that identifies developer’s Discord app while making authorization requests
clientSecret | encrypted OAuth secret for the Discord app referenced by the clientId property
redirectUri | backend authorization endpoint that Discord uses to validate OAuth handshakes
botToken | (optional) unique ID for Discord server bots
guildId | (optional) Discord-defined guild identifier
allowedRoleIds | (optional) map of user roles that are allowed to authenticate
playerLoginEnabled | boolean determining whether to establish a player session with this identity provider
operatorLoginEnabled | boolean determining whether to establish an operator session with this identity provider
accountLinkingEnabled | boolean determining whether you can link accounts with this identity provider
showPortalLoginButton | (optional) boolean determining whether this login method is available on the portal login page

social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Discord:
          class: "pragma.account.DiscordIdentityProviderPlugin"
          config:
            clientId: "${discordClientId}"
            clientSecret: "${discordClientSecret}"
            redirectUri: "http://localhost:11000/v1/account/discord-redirect"
            botToken: "${discordBotToken}"
            guildId: "${guildId}"
            allowedRoleIds: 
              1: "${RoleId1}"
              2: "${RoleId2}"
            playerLoginEnabled: true
            operatorLoginEnabled: false
            accountLinkingEnabled: true
            showPortalLoginButton: false

Check out the Unreal and Unity Setup Guides for Discord implementation details.

Google configuration

value | description
clientId | Google OAuth ID that identifies developer’s Google app while making authorization requests
clientSecret | encrypted OAuth secret for the Google app referenced by the clientId property
redirectUri | backend authorization endpoint that Google uses to validate OAuth handshakes
allowedDomains | (optional) map of specific domains that are authorized for access; if this value is defined, all other domains are rejected
playerLoginEnabled | boolean determining whether to establish a player session with this identity provider
operatorLoginEnabled | boolean determining whether to establish an operator session with this identity provider
accountLinkingEnabled | boolean determining whether you can link accounts with this identity provider
showPortalLoginButton | (optional) boolean determining whether this login method is available on the portal login page

social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Google:
          class: "pragma.account.GoogleIdentityProviderPlugin"
          config:
            allowedDomains:
              1: "${allowedDomain1}"
              2: "${allowedDomain2}"
            clientId: "${googleClientId}"
            clientSecret: "${googleClientSecret}"
            redirectUri: "http://localhost:11000/v1/account/google-redirect"
            playerLoginEnabled: true
            operatorLoginEnabled: false
            accountLinkingEnabled: true
            showPortalLoginButton: false

Check out the Google developer documentation for creating access credentials.

Google Workspace configuration

Google Workspace is a separate identity provider so that internal Google authentication can be configured differently from public Google authentication.

value | description
clientId | Google Workspace OAuth ID that identifies developer’s Google Workspace app while making authorization requests
clientSecret | encrypted OAuth secret for the Google Workspace app referenced by the clientId property
redirectUri | backend authorization endpoint that Google Workspace uses to validate OAuth handshakes
allowedDomains | (optional) map of specific domains that are authorized for access; if this value is defined, all other domains are rejected
playerLoginEnabled | boolean determining whether to establish a player session with this identity provider
operatorLoginEnabled | boolean determining whether to establish an operator session with this identity provider
accountLinkingEnabled | boolean determining whether you can link accounts with this identity provider
showPortalLoginButton | (optional) boolean determining whether this login method is available on the portal login page

social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        GoogleWorkspace:
          class: "pragma.account.GoogleWorkspaceIdentityProviderPlugin"
          config:
            allowedDomains:
              1: "${allowedDomain1}"
              2: "${allowedDomain2}"
            clientId: "${googleClientId}"
            clientSecret: "${googleClientSecret}"
            redirectUri: "http://localhost:11000/v1/account/google-redirect"
            playerLoginEnabled: false
            operatorLoginEnabled: true
            accountLinkingEnabled: false
            showPortalLoginButton: true

Check out the Google developer documentation for creating access credentials.

Twitch configuration

value | description
clientId | Twitch OAuth ID that identifies developer’s Twitch app while making authorization requests
clientSecret | encrypted OAuth secret for the Twitch app referenced by the clientId property
redirectUri | backend authorization endpoint that Twitch uses to validate OAuth handshakes
playerLoginEnabled | boolean determining whether to establish a player session with this identity provider
operatorLoginEnabled | boolean determining whether to establish an operator session with this identity provider
accountLinkingEnabled | boolean determining whether you can link accounts with this identity provider
showPortalLoginButton | (optional) boolean determining whether this login method is available on the portal login page

social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Twitch:
          class: "pragma.account.TwitchIdentityProviderPlugin"
          config:
            clientId: "${twitchClientId}"
            clientSecret: "${twitchClientSecret}"
            redirectUri: "http://localhost:11000/v1/account/twitch-redirect"
            playerLoginEnabled: false
            operatorLoginEnabled: false
            accountLinkingEnabled: true
            showPortalLoginButton: false

Okta configuration

value | description
clientId | Okta OAuth ID that identifies developer’s Okta app while making authorization requests
clientSecret | encrypted OAuth secret for the Okta app referenced by the clientId property
authorizationUri | URI the user will be sent to for authentication with Okta
tokenUri | URI to obtain an access token by sending an auth code
userInfoUri | URI to obtain information about the user
redirectUri | backend authorization endpoint that Okta uses to validate OAuth handshakes
requireEmailVerification | boolean determining whether email is required
playerLoginEnabled | boolean determining whether to establish a player session with this identity provider
operatorLoginEnabled | boolean determining whether to establish an operator session with this identity provider
accountLinkingEnabled | boolean determining whether you can link accounts with this identity provider
showPortalLoginButton | (optional) boolean determining whether this login method is available on the portal login page

social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Okta:
          class: "pragma.account.OktaIdentityProviderPlugin"
          config:
            clientId: "${OktaClientId}"
            clientSecret: "${OktaClientSecret}"
            authorizationUri: "https://your-okta-subdomain.okta.com/oauth2/v1/authorize"
            tokenUri: "https://your-okta-subdomain.okta.com/oauth2/v1/token"
            userInfoUri: "https://your-okta-subdomain.okta.com/oauth2/v1/userinfo"
            redirectUri: "http://localhost:11000/v1/account/Okta-redirect"
            requireEmailVerification: true
            playerLoginEnabled: false
            operatorLoginEnabled: true
            accountLinkingEnabled: false
            showPortalLoginButton: true

Auth0 configuration

value | description
clientId | Auth0 OAuth ID that identifies developer’s Auth0 app while making authorization requests
clientSecret | encrypted OAuth secret for the Auth0 app referenced by the clientId property
authorizationUri | URI the user will be sent to for authentication with Auth0
tokenUri | URI to obtain an access token by sending an auth code
userInfoUri | URI to obtain information about the user
redirectUri | backend authorization endpoint that Auth0 uses to validate OAuth handshakes
requireEmailVerification | boolean determining whether email is required
playerLoginEnabled | boolean determining whether to establish a player session with this identity provider
operatorLoginEnabled | boolean determining whether to establish an operator session with this identity provider
accountLinkingEnabled | boolean determining whether you can link accounts with this identity provider
showPortalLoginButton | (optional) boolean determining whether this login method is available on the portal login page

social:
  pluginConfigs:
    AccountService.identityProviderPlugins:
      plugins:
        Auth0:
          class: "pragma.account.Auth0IdentityProviderPlugin"
          config:
            clientId: "auth0-client-id"
            clientSecret: "auth0-client-secret"
            authorizationUri: "https://your-auth0-subdomain.us.auth0.com/authorize"
            tokenUri: "https://your-auth0-subdomain.us.auth0.com/oauth/token"
            userInfoUri: "https://your-auth0-subdomain.us.auth0.com/userinfo"
            redirectUri: "https://localhost:11200/v1/oauth-redirect/auth0"
            requireEmailVerification: true
            playerLoginEnabled: false
            operatorLoginEnabled: true
            accountLinkingEnabled: false
            showPortalLoginButton: true

PlayStation configuration

Pragma Engine supports PlayStation Network integration. Contact us for details.
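
A pre-deployment check for the Test Provider setting and the provider blocks above, as an added example (not Pragma Engine code). It takes the social section already parsed into a dict; the function name, the finding texts and the policy choices marked in the comments are assumptions of this example.

```python
import re

PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")  # e.g. "${steamWebApiKey}", injected at deploy time
SECRET_KEYS = ("clientSecret", "steamWebAPIKey", "botToken")


def lint_social_config(social):
    """Return sorted findings for a parsed `social` section destined for common.yml."""
    findings = []
    unsafe = social.get("serviceConfigs", {}).get("UnsafeIdentityDaoConfig", {})
    # Assumption: a missing canAuthenticate is reported too (the page gives no default).
    if unsafe.get("canAuthenticate") is not False:
        findings.append("UnsafeIdentityDaoConfig: canAuthenticate is not false")
    plugins = (social.get("pluginConfigs", {})
               .get("AccountService.identityProviderPlugins", {}).get("plugins", {}))
    for name, plugin in plugins.items():
        cfg, cls = plugin.get("config", {}), plugin.get("class", "")
        # Naming pattern taken from the page's examples (key "Steam" -> SteamIdentityProviderPlugin).
        if not cls.endswith(f".{name}IdentityProviderPlugin"):
            findings.append(f"{name}: plugin key does not match class {cls}")
        for key, value in cfg.items():
            text = str(value)
            if key in SECRET_KEYS and not PLACEHOLDER.match(text):
                findings.append(f"{name}: {key} is a literal, not a ${{...}} placeholder")
            if key.endswith("Uri") and (not text.startswith("https://")
                                        or text.startswith("https://localhost")):
                findings.append(f"{name}: {key} is not an https, non-localhost URI")
        # Policy assumption: Google operator logins should be limited by allowedDomains.
        if (name in ("Google", "GoogleWorkspace") and cfg.get("operatorLoginEnabled")
                and not cfg.get("allowedDomains")):
            findings.append(f"{name}: operatorLoginEnabled without allowedDomains")
    return sorted(findings)


# Constructed sample, not a real deployment.
SAMPLE = {
    "serviceConfigs": {"UnsafeIdentityDaoConfig": {"canAuthenticate": True}},
    "pluginConfigs": {"AccountService.identityProviderPlugins": {"plugins": {
        "Steam": {"class": "pragma.account.SteamIdentityProviderPlugin",
                  "config": {"appId": "${steamAppId}", "steamWebAPIKey": "${steamWebApiKey}",
                             "operatorLoginEnabled": False}},
        "Google": {"class": "pragma.account.GoogleIdentityProviderPlugin",
                   "config": {"clientSecret": "not-a-real-secret", "operatorLoginEnabled": True,
                              "redirectUri": "http://localhost:11000/v1/account/google-redirect"}},
    }}},
}
```

Calling lint_social_config(SAMPLE) returns four findings: the enabled test provider, and for Google the literal secret, the localhost redirect and operator login without a domain restriction.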

Error Types #

error type | description
AccountService_IdProviderMissing | Identity provider is not configured in Pragma Engine.
AccountService_InvalidIdProvider | Identity provider enum type does not exist in IdProvider or ExtIdProvider enums.
AccountService_IdProviderLinkingDisabled | accountLinkingEnabled config value is set to false for this identity provider.
AccountService_IdProviderAlreadyAssociated | Identity provider account is already linked to an existing Pragma Engine account. Ex: The same Steam account cannot be linked to two separate Pragma Engine accounts.
AccountService_AccountAlreadyBoundToProviderType | A Pragma Engine account cannot simultaneously be linked to the same identity provider type more than once. Ex: Two Steam accounts cannot be linked to the same Pragma Engine account at the same time.
AccountService_CannotUnlinkOnlyIdProvider | Identity provider is the last one linked to the Pragma Engine account. Every Pragma Engine account needs at least one identity provider associated with it to be reachable.
AccountService_IdProviderAuthenticationDisabled | playerLoginEnabled or operatorLoginEnabled config value is set to false for this identity provider.
AccountService_Unauthorized | User does not meet authorization requirements for identity provider. Ex: Only users with a specific email domain can log in.
AccountService_Unverified | User’s account has not been verified. Ex: email verification
AccountService_IdProviderUnexpectedResponse | Pragma Engine received a response from the identity provider’s API that was unexpected. Ex: Steam service is down.

View identity providers in Portal #

  1. From the Social Pragma Portal, click Services, then click Accounts.
  2. Click on the relevant player name to view individual account information.
  3. View the player’s identity providers.

Unlinking an identity provider #

Removing an identity provider from an account is a permanent action and cannot be undone.

  1. From the Social Pragma Portal, click Services, then click Accounts.
  2. Click on the relevant player name to view individual account information.
  3. View the player’s identity providers.
  4. Hover over the identity provider you’d like to remove and click unlink.
  5. Confirm you want to unlink the identity provider.

Alternatively, the following endpoints can be used to unlink an identity provider:

  • AccountRpc.UnlinkIdentityProviderAccountPartnerV1Request
  • AccountRpc.UnlinkIdentityProviderAccountServiceV1Request
  • AccountRpc.UnlinkIdentityProviderAccountOperatorV1Request

Filtering by identity provider #

Accounts can be filtered in Portal by identity provider. This includes identity providers that are no longer used or disabled. For example, even if login is disabled for Steam, accounts will still appear when you filter by Steam in Portal.

Contents #

Topic | Description
Custom Identity Providers | Create a custom identity provider.