Question Cross auth on Apple device and webGL using Apple SignIn

Discussion in 'Authentication' started by CristiAB_PF, Apr 26, 2023.

  1. CristiAB_PF

    Joined: Oct 13, 2022
    Posts: 18

    Hi!

    I would like to use Apple SignIn to sync the player progress on Apple devices and in the browser (webGL).

    As far as I read, the only way is to use OpenID Connect together with the token received from Apple SignIn operation.

    What I do now:
    - for Apple devices I use the normal Apple SignIn process, receive the token and send it to UGS using
    SignInWithOpenIdConnectAsync. In UGS I have an OpenID Connect Identity Provider (IdentityProvider1) added with my app bundle id. Everything works perfectly, and I get user A.

    - for webGL, I created a new ServiceId in my Apple account, which I'm using for the Apple SignIn process in the browser to get the token. I send this token to UGS using SignInWithOpenIdConnectAsync.
    In UGS I have another OpenID Connect Identity Provider (IdentityProvider2) added with my serviceId bundle id. Everything works perfectly for signIn process but a new user B is created instead of linking me to user A.

    After decoding both tokens the "sub" (subject) field values are the same and I was expecting to point to the same user.

    What do I need to do to get this behaviour?

    I did the same thing previously in Playfab and it worked (but the setup for Playfab was a hell).

    Cristi
     
  2. davialbuquerque

    Unity Technologies

    Joined: Jun 3, 2021
    Posts: 3

    Hi Cristi,
    Unity Authentication scopes the external user IDs according to the providers so as to avoid merging 2 users with the same ID but different providers. As such, when you create 2 OpenID Connect Identity Providers the subIDs are scoped to each one individually. If you can have a single OIDC provider in your dashboard for both the WebGL and Apple devices that would solve your issue, as they would have the same provider and same subID, recognizing the 2 devices as a single user.
     
  3. CristiAB_PF

    Joined: Oct 13, 2022
    Posts: 18

    Thanks for the reply, davialbuquerque! Everything you said makes sense!

    I'm not sure how to add both the WebGL (service id) and Apple devices (app id) into the same OIDC provider.
    I tried to add both in the "Client ID" field separated by ";" or by " " and my sign-in request is rejected with 401:

    {"title":"PERMISSION_DENIED","detail":"invalid audience","details":[],"status":401}

    What's the correct way to add multiple Client IDs?
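
The behaviour described in the posts above, as an added example that is not part of the original thread and is not Unity's code: a toy relying party that checks `aud` by exact match against the configured Client ID and keys users by (provider, `sub`). The bundle IDs, the `sub` value, the unsigned tokens and the `RelyingParty` class are constructed assumptions.

```python
import base64
import json

APPLE_ISS = "https://appleid.apple.com"

def _b64url_json(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT-shaped string (sample data only)."""
    return f"{_b64url_json({'alg': 'none'})}.{_b64url_json(claims)}."

def decode_claims(token):
    """Decode the payload segment. A real relying party verifies the signature first."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class RelyingParty:
    """Toy model (assumption): exact-match audience check, users keyed by (provider, sub)."""
    def __init__(self, providers):
        self.providers = providers   # provider name -> configured Client ID string
        self.users = {}              # (provider name, sub) -> player id

    def sign_in(self, provider, token):
        claims = decode_claims(token)
        if claims["iss"] != APPLE_ISS:
            raise PermissionError("invalid issuer")
        if claims["aud"] != self.providers[provider]:
            raise PermissionError("invalid audience")
        key = (provider, claims["sub"])
        return self.users.setdefault(key, f"player-{len(self.users) + 1}")

# Constructed sample tokens: same issuer and subject, different audience per client.
NATIVE = make_unsigned_token({"iss": APPLE_ISS, "aud": "com.example.game", "sub": "000123.abc"})
WEB = make_unsigned_token({"iss": APPLE_ISS, "aud": "com.example.game.web", "sub": "000123.abc"})

def two_providers():
    """Two provider entries: both sign-ins succeed, but the same sub maps to two players."""
    rp = RelyingParty({"IdentityProvider1": "com.example.game",
                       "IdentityProvider2": "com.example.game.web"})
    return rp.sign_in("IdentityProvider1", NATIVE), rp.sign_in("IdentityProvider2", WEB)

def one_provider_joined_ids():
    """One entry with ';'-joined IDs: neither token's aud equals the joined string."""
    rp = RelyingParty({"IdentityProvider1": "com.example.game;com.example.game.web"})
    errors = []
    for token in (NATIVE, WEB):
        try:
            rp.sign_in("IdentityProvider1", token)
        except PermissionError as exc:
            errors.append(str(exc))
    return errors
```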
     
  4. CristiAB_PF

    Joined: Oct 13, 2022
    Posts: 18

    Is there a way, using UGS, Apple App Id (for native app sign in with Apple) and Apple Service Id (for web sign in with Apple), to connect to the same user?

    Unfortunately, the app id and service id are unique ids, that will result in 2 OIDC entries in UGS dashboard.

    I'm blocked on this topic and, for cross-platform (ios<->web browser) this is a dead end ... looks like UGS has no support here.
     
  5. MiTschMR

    Joined: Aug 28, 2018
    Posts: 339

    There is a closed beta going on for the so-called "Unity Player Accounts", where a player can sign up with email/password or by using "Sign in with Apple" or the Google equivalent. This might be what you are looking for.
     
  6. CristiAB_PF

    Joined: Oct 13, 2022
    Posts: 18

    Thank you MiTschMR for the reply! I'm looking forward to seeing the new feature "Sign in with Apple". I'm interested in becoming a part of this closed beta :).

    Still, inside the same project, UGS should group OIDC providers based on issuer and target the same UGS user based on sub, or allow developers to group OIDC providers the way we need.

    Maybe Apple is a special case, but this is the way Apple is doing their sign in stuff and we need to find ways to work around it.