The objective of the security:

To save our resources from attackers or hackers, and give each subscriber on the system some roles to can deal with the restricted resources.

Security Ways:

to can call our web API you have mainly two ways,

by using your credentials of one of {Facebook, Steam, and WordPress} providers systems.

where the providers will return the “UserId” that will be used to check your authentication in the system, then return to you the “Access token” &”Refresh token“.

How to call the API:

To can call the API, you should make your client :

  • Support one or more of  {Facebook, Steam, and WordPress} providers.
  • Take and store the userId after logging to use it in the request of SecurityApi resource.
  • After checking from userId in the system storage, if correct will send to the caller the access token and refresh token.

in the client, you will save both of them and use the access token ( in the request header) with each request to call the API.
Note: the Access token has expiration time {now: 30 minutes} after that the API will refuse your requests, so
you will have to use the refresh token.

Refresh Token:

you will recall the SecurityApi resource to get the new access token to can use it later in each request,
the refresh token has expiration time as well {now: 1 day}, so after it expired the request to get new access token will refuse, in this time you will have to redirect your client to log in by previously mentioned providers.

How to call each type:

like in the image below that display the request parameters in the swagger tool, there are 4 parameters, to
get the Access token first time, the request will be like

BaseUrl/api/SecurityApi?UserId={userid value}&GrantType=1

where the Grant Type =1 means: Get access token by using userId.

to get the new access token after expiring first one, the request will be

BaseUrl/api/SecurityApi?GrantType=2&RefreshToken.RefreshToken={refrshtoken value}&RefreshToken.ExpirationTime={time}

where the Grant Type =2 means: Get access token by using Refresh Token.

Parameters are :
1- UserId Value => string value of user Id
2- GratType  Value => Enum value takes from 0 to 3
3- RefreshToken Value =>refresh token that saved before
4- ExpirationTime value => Expiration time of refresh token

you don’t have to fill all of them, you will pass the parameters needed depends on Grant type.


these Keys used for Encryption and decryption, and for signing and verify the message’s signature of requests
for more details about the difference between them you can read that.

the Keys have 2 types Symmetric and Asymmetric Keys we used symmetric Key in our implementation.

we don’t use it for encryption and decryption, but we use it for signing and verify the message’s signature.

How to use it in Security the API:

you need to call Security API  resource to get the public and private keys and store them in your client after that use them in creating a signature by stuff data like {Uri, date, content if any, scheme type ..etc} in string form then  sign it by private key, and send this signature with request header to get access token.
and send the public key in the request header too, to can obtain the user used this key.

 to get Public/Private Keys:
the request will be: BaseUrl /api/SecurityApi?UserId={UserId value}

to get access token by returning to the first image you will call the same resource but by the new signature message in header request.
and sending public API key.
the request will be :


where the Grant Type =3 means: Get access token by API key.

if success the API will send the Access token and refresh token
and you will follow the same way in the first way to request any other resource by access token
and both of access token and refresh token have the same expiration time previously mentioned.

Authorization Headers

In the previous two ways of API Authentication, I have written  “using the  Access token/ API key  in Authorization headers”
Well, the next Images will display, How to add the AccessToken/ API Key in the request header.

to can use access token in Authorization header property, this has two nested properties “Parameter” = value of the token, and “Scheme” = “Barear” word, so-called “Barear Token”  you should concatenate the “Barear” word with the token like in the image.

In case of using API Key to get new Access Token, you should send 3 parameters in 3 properties of request header
like the image below
Authorization : “ApiKey+ signature message”
ApiKey: “Public API key”, to know if user Id use this APIKey exist or not.
Date: “Current date of request”, this use to make sure no sniffer could steal the request and resend it again.


User Id to Player Id Relationship

in the production storage, there are tables called `Player` and `UserIdToPlayeId`
the first one uses the PlayerId (Automatic generated GUID in the system ) as Primary Key.
Row Key is a constant value “PlayerId”.
the second one uses the UserId (string value back from systems providers like Facebook, Steam, and WordPress ) as Primary Key.
Row Key is a constant value “PlayerId”.

to get player data when login by Providers like Facebook you should see if the userId found in the table `UserIdToPlayeId` or not, the take the playerId return from it, then query by it in Players to get the data.

the userId maybe has multi records in the player table, so the return one will be the highest in the level.



Views 230
War to the Core

Recent Comments

Latest Updates

  • Solo missions

    Solo missions

    Hey guys, here are the specifics of the first two solo missions, those are sketches of the first two missions. First mission: A harvester is placed near the ship, generating supply caches. The player collects energy caches and escapes a ring of mines. No supply links allowed. The sensor component is introduced by one of […]Read More »
  • We made it to the Top 100!

    We made it to the Top 100!

    We are stoked that we managed to land on IndieDB’s Indie of the Year’s Top 100 list! We are also the only MOBA that made it to the list! The support we got from the community was overwhelming, and we would like to thank each and every person that helped us get this far. Whether […]Read More »
  • Full Campaign Series, Version 3

    Full Campaign Series, Version 3

    Characters: Daniel Blaze. Protagonist, player-character. Headstrong and rebellious. Ambiguous loyalty to the Shepherd Coalition. Joseph Blaze. Father of Daniel Blaze. Commander of the Leviathan mothership until executed for treason by the Shepherd Coalition. Sylvia. AI assistant. Provides intel, advice, mission objectives. Captain Zhukov. Cyborg commander assigned to hunt down player during the first several missions. […]Read More »
  • Story: Episode 1, Version 2

    Story: Episode 1, Version 2

    The Blaze family had long been controversial. They supported the Shepherds, but continually frustrated the Orthodox elements of their faction. Joseph Blaze was especially known for his tolerance of the weakling families that used genetic engineering to alleviate the sicknesses that exposure to the Earth’s surface had inflicted on them. Such tensions between orthodoxy and […]Read More »
  • Story: Episode 1

    Story: Episode 1

    Location: The Pole Base. When Daniel Blaze passed his final test and became the primary candidate to pilot the Leviathan, the Shepherds’ newest ship, he caused a quite a stir. Not because he’s the youngest member of the Pole fleet to be nominated for admiralship, the faction had already made peace with this as a […]Read More »
Skip to toolbar