概覽

Steamworks 提供多個方法（Method），用於確認 Steam 使用者的身份並驗證應用程式的所有權。 本文將說明不同狀況下採用的各種驗證方法。

• 在遊戲用戶端與其他用戶端之間（P2P）或與遊戲伺服器間，使用工作階段票證
  
• 在遊戲用戶端與後端伺服器之間，使用：
  
  • 工作階段票證與 Steamworks Web API
    
  • 加密的應用程式票證程式庫
    
• 當玩家使用網頁瀏覽器時，使用 OpenID 與 Steamworks Web API

在 Steam 中驗證使用者

每位 Steam 使用者都能透過獨特的 64 位元數字 ID（又稱使用者的 Steam ID）進行驗證。 在 Steamworks C++ API 中，使用者的 SteamID 包含在 CSteamID 物件中。 您可以呼叫 ISteamUser::GetSteamID 獲取目前使用者的 Steam ID，然後對傳回值呼叫 CSteamID.ConvertToUint64() 獲取其 64 位元 ID。

以下驗證方法可安全驗證使用者的 Steam ID。

本文涉及的 API

工作階段票證

工作階段票證是簽名的票證，可用於在使用者遊戲用戶端與任何數量的其他遊戲用戶端之間（如 P2P 多人遊戲工作階段），或者與偵聽伺服器或專屬伺服器之間（透過 ISteamGameServer API），驗證使用者身份。 這些票證也可以用於驗證當下的遊戲與相關可下載內容的所有權，決定使用者是否遭受 VAC 封鎖（詳細解說請見 Valve 防作弊機制(VAC)與遊戲封鎖）。
工作階段票證也可以透過 Steamworks Web API，在遊戲用戶端與受防護的後端伺服器之間驗證使用者身份。 前提是該安全伺服器必須能夠向 partner.steam-api.com 發送 HTTPS 要求。

加密的應用程式票證

加密的應用程式票證能在遊戲用戶端與受防護的後端伺服器之間驗證使用者身份。 與工作階段票證不同，驗證加密的應用程式票證不需要安全伺服器發送 HTTPS 要求。 安全伺服器使用一個 C++ 程式庫與一個私有的對稱金鑰來驗證票證。 The Steamworks SDK includes 32-bit and 64-bit versions of this library for Windows and Linux under the public/steam/lib directory.

Before using Encrypted Application Tickets, you must generate a private key for each title. You can do this by navigating to Edit Steamworks Settings for your application and selecting 'SDK Auth' from the 'Security' drop-down. This key will be associated with your title's AppID and any downloadable content for that title. In order to access this section of Steamworks, a user must have the "Manage Signing" permission for the relevant Application.

Steamworks Web API

Steam exposes an HTTP based Web API which can be used to access many Steamworks features. The API contains public methods that can be accessed from any application capable of making an HTTP request, such as game client or server. The API also contains protected methods that require authentication and are intended to be accessed from trusted back-end applications. More details on the Web API can be found here.

P2P 或遊戲伺服器

工作階段票證

使用者驗證

The following steps detail how to use Session Tickets to verify a user's identity between the user's game client (client A) and another client or game server (client B):

• 用戶端 A 必須呼叫 ISteamUser::GetAuthSessionTicket 獲取一個工作階段票證
  
• 用戶端 A 必須將其工作階段票證發給用戶端 B
  
• 用戶端 B 必須將用戶端 A 的票證傳入 ISteamUser::BeginAuthSession，並進行一次快速的有效性檢查。 如果票證有效，那麼 ISteamUser::BeginAuthSession 將把票證轉發至 Steam 後端，以驗證該票證尚未被重複使用且是由用戶端 A 的帳戶擁有者頒發。驗證結果將在 ISteamUser::ValidateAuthTicketResponse_t 回呼中傳回
  
• 多人遊戲工作階段終止時：
  
  • 用戶端 A 必須將最初從 ISteamUser::GetAuthSessionTicket 傳回的控制代碼傳入 ISteamUser::CancelAuthTicket
    
  • 用戶端 B 必須將用戶端 A 的 SteamID 傳入 ISteamUser::EndAuthSession
    

A few important notes about Session Tickets:

• 工作階段票證只能使用一次。 多人遊戲工作階段中，每個要求票證的用戶端都必須呼叫 ISteamUser::GetAuthSessionTicket
  
• 在 P2P 多人遊戲工作階段中使用工作階段票證驗證玩家時，各遊戲用戶端皆應驗證在該多人遊戲工作階段中其他每個遊戲用戶端的身份
  
• 工作階段票證使用完畢後，必須為 ISteamUser::GetAuthSessionTicket 傳回的每個控制代碼呼叫 ISteamUser::CancelAuthTicket
  
• 當用戶端 A 呼叫 ISteamUser::CancelAuthTicket 時，用戶端 B 將獲取一個 ISteamUser::ValidateAuthTicketResponse_t 回呼，聲明用戶端 A 的票證不再有效
  
• 用戶端 A 與用戶端 B 一起離開遊戲時，如果在處理 B 呼叫的 ISteamUser::EndAuthSession 之前，先處理了 A 呼叫的 ISteamUser::CancelAuthTicket，那麼 B 也許會收到 ISteamUser::ValidateAuthTicketResponse_t 回呼，聲明該票證已取消。 由於雙方對於用戶端 A 的離開已有共識，因此可忽略此回呼
  
• 網路條件可能會導致 Steam 後端一直無法為 ISteamUser::BeginAuthSession 的呼叫方提供回呼。 ISteamUser::BeginAuthSession 的呼叫方（用戶端 B）在獲取此回呼之前，不能假設已知用戶端 A 的真實身份，但應允許多人遊戲工作階段繼續
  
• 如果 ISteamUser::BeginAuthSession 的呼叫方收到 ISteamUser::ValidateAuthTicketResponse_t 回呼，聲明用戶端 A 的票證無效，呼叫方必須拒絕與用戶端 A 繼續多人遊戲工作階段。如果遊戲中的其他對等機不拒絕與用戶端 A 玩遊戲 ，呼叫方應該離開該多人遊戲工作階段
  
• ISteamGameServer 暴露同樣的工作階段票證，以執行遊戲用戶端與遊戲伺服器之間的驗證

所有權驗證

When using Session Tickets, Steam will automatically verify ownership of the current AppID. If the user does not own the current AppID, then m_eAuthSessionResponse field of the ISteamUser::ValidateAuthTicketResponse_t will be set to k_EAuthSessionResponseNoLicenseOrExpired. After receiving a user's Session Ticket and passing it to ISteamUser::BeginAuthSession then, ISteamUser::UserHasLicenseForApp can be used to determine if the user owns a specific piece of downloadable content.

後端伺服器

工作階段票證與 Steamworks Web API

使用者驗證

The following steps detail how to use Session Tickets to verify a user's identity between the user's game client and a secure server:

• 用戶端必須呼叫 ISteamUser::GetAuthSessionTicket 獲取工作階段票證
  
• 要保證票證有效，用戶端必須等待 ISteamUser::GetAuthSessionTicketResponse_t 回呼
  
• 用戶端必須將其工作階段票證發給安全伺服器
  
• 安全伺服器必須向 partner.steam-api.com 發送 HTTPS 要求，並呼叫 ISteamUserAuth/AuthenticateUserTicket Web 方法，以十六進位制編碼的 UTF-8 字串傳入使用者的工作階段票證。 請注意，此方法可接受傳入與提供票證的 AppID 關聯的 Steam Web API 金鑰或 Web API 發行商金鑰。 未來此 API 更新後，若有提供 Web API 發行商金鑰，則可能可以向呼叫方傳回更多訊息
  
• 如果使用者的票證有效，那麼 ISteamUserAuth/AuthenticateUserTicket 將傳回使用者的 64 位元 SteamID

所有權驗證

Once a user's identity has been verified, a secure server can use the ISteamUser/CheckAppOwnership Web API method to check if the user owns a particular AppID, or call ISteamUser/GetPublisherAppOwnership to retrieve a list of all user owned AppIDs that are associated with the provided Publisher Key.

加密的應用程式票證

使用者驗證

The following steps detail how to use Encrypted Application Tickets to verify a user's identity between the user's game client and a secure server:

• 用戶端必須呼叫 ISteamUser::RequestEncryptedAppTicket 並等待 ISteamUser::EncryptedAppTicketResponse_t 呼叫結果
  
• 用戶端之後必須呼叫 ISteamUser::GetEncryptedAppTicket 以獲取使用者的加密票證，並將該票證發送至安全伺服器
  
• 使用加密的應用程式票證程式庫，安全伺服器接下來必須：
  
  • 呼叫 SteamEncryptedAppTicket::BDecryptTicket 為使用者票證解密
    
  • 呼叫 SteamEncryptedAppTicket::BIsTicketForApp 驗證該票證確實為期望的應用程式
    
  • 呼叫 SteamEncryptedAppTicket::GetTicketIssueTime 驗證該票證未過期（根據應用程式定義的過期時間）
    
  • 呼叫 SteamEncryptedAppTicket::GetTicketSteamID 獲取使用者的 SteamID
    

An example implementation can be found in the Steamworks API 範例應用程式（SpaceWar） project in the SDK. Specifically CSpaceWarClient::RetrieveEncryptedAppTicket and CSpaceWarClient::OnRequestEncryptedAppTicket.

所有權驗證

Steam will only create Encrypted Application Tickets for users who own the AppID for which the ticket was created. After decrypting an Encrypted Application Ticket, the secure server can use SteamEncryptedAppTicket::BIsTicketForApp to verify the AppID of the ticket matches the title's AppID. The server can also use SteamEncryptedAppTicket::BUserOwnsAppInTicket to determine if the user owns a specific piece of 可下載內容（DLC）.

基於網頁瀏覽器的 OpenID 驗證

Steam is an OpenID Provider, as described in the OpenID 2.0 specification. Inside a web browser, a third-party website can use OpenID to obtain a user's SteamID which can be used as the login credentials for the 3rd party website, or linked to an existing account on that website.

When using OpenID, the user begins in a web browser at the third-party website. When the user wishes to login/link their account to that website, using OpenID, the site directs the user to a login form on the Steam Community website. Once the user has entered their Steam login credentials, the user's web browser is automatically redirected back to the 3rd party website with some additional OpenID specific data appended to the return URL. The site's OpenID library can then use this data to verify and obtain the user's SteamID.

Steam provides the following images which may be used by 3rd party sites when linking to the Steam sign in page:

使用者驗證

Steam's OpenID 2.0 implementation can be used to link a users Steam account to their account on the third-party website.
A list of open source OpenID libraries can be found at the OpenID website. To use OpenID to verify a user's identity:

• 設定您的 OpenID 程式庫，使用以下 URL 為 Steam 的 OP 端點 URL： https://steamcommunity.com/openid/
  
• 使用者經過驗證後，使用者的 Claimed ID 將包含其 Steam ID。 Steam Claimed ID 格式為：http://steamcommunity.com/openid/id/<steamid>

所有權驗證

Once a user's identity has been verified, a secure server can use the ISteamUser/CheckAppOwnership Web API method to check if the user owns a particular AppID, or call ISteamUser/GetPublisherAppOwnership to retrieve a list of all user owned AppIDs that are associated with the provided Web API Publisher Key.

範例

將第三方帳戶連結至 Steam 帳戶

Third-party accounts can be linked to Steam accounts by associating a user's SteamID with the 3rd party account.

A user's SteamID can be securely retrieved either in-game or through a web browser and once the initial association has occurred, you can safely allow access to the 3rd party account by merely verifying a user's SteamID. This eliminates the need for Steam users to do any sort of secondary login to 3rd party account systems. Additionally, if new 3rd party accounts can be automatically created and linked when a new SteamID is encountered, the Steam user will never have to be aware that a secondary authentication is taking place at all. Instead, their single Steam account can grant access to all of their games, streamlining the user experience and removing potential barriers to installing and trying new games.

從遊戲內連結

Session Tickets can be used to verify a user's identity between a game client and a secure, backend server using the Steamworks Web API:

• 用戶端必須呼叫 ISteamUser::GetAuthSessionTicket 獲取工作階段票證
  
• 要保證票證有效，用戶端必須等待 ISteamUser::GetAuthSessionTicketResponse_t 回呼
  
• 用戶端必須將其工作階段票證發給安全伺服器
  
• 安全伺服器必須向 api.steampowered.com 發送 HTTPS 要求，並呼叫 ISteamUserAuth/AuthenticateUserTicket Web 方法，並以十六進位制編碼的 UTF-8 字串傳入使用者的工作階段票證。 請注意此方法要求與提供票證的 AppID 關聯的 Web API 開發商金鑰
  
• 如果使用者的票證有效，那麼 ISteamUserAuth/AuthenticateUserTicket 將傳回使用者的 64 位元 SteamID

從網頁瀏覽器連結

Steam supports the OpenID 2.0 specification so that you can allow users to securly log into their Steam accounts from your website and retrieve their SteamID. For details on how to use OpenID with Steam go to Using OpenID

所有權驗證

Once a user's identity has been verified, a secure server can use the ISteamUser/CheckAppOwnership Web API method to check if the user owns a particular AppID, or call ISteamUser/GetPublisherAppOwnership to retrieve a list of all user owned AppIDs that are associated with the provided Web API Publisher Key.

從第三方產品序號遷移至原生 Steam 所有權檢查

Steam itself has a number of ways a title can authenticate a user with, removing the need for a third-party CD key. We've compiled a list of common use cases for CD Keys and how you might implement each case natively with Steam:

存取私人論壇

You'll want to have users login directly with their Steam account using OpenID. OpenID will return the user's 64bit SteamID which can then be used with ISteamUser/CheckAppOwnership to verify the user owns your appid. More details can be found above at Linking 3rd party accounts to Steam accounts.

解鎖非 Steam、無 DRM 組建的遊戲

Use OpenID and ISteamUser/CheckAppOwnership (documented above) to unlock the content on your own site. Alternatively, you could upload the DRM-free build as optional, free DLC.

軟體可使用序號解鎖，於我自己的網站上出售

You'll want to have users login directly with their Steam account using OpenID. OpenID will return the user's 64bit SteamID which can then be used with ISteamUser/CheckAppOwnership to verify the user owns your appid. More details can be found in 將第三方帳戶連結至 Steam 帳戶 above.

為註冊您的第三方序號掉落遊戲內物品

If you are using the Steam Inventory Service, make sure the item's itemdef is configured correctly as a promo item and call ISteamInventory::AddPromoItem from the client.
If you have your own item backend, you can call ISteamUser::GetAuthSessionTicket from the game client and then use ISteamUserAuth/AuthenticateUserTicket with ISteamUser/CheckAppOwnership to verify ownership. More Information...

序號控制將解鎖軟體的哪個版本

Each version of your game should have its own AppID. From the game client, call ISteamUser::GetAuthSessionTicket and then use ISteamUserAuth/AuthenticateUserTicket with ISteamUser/CheckAppOwnership to verify ownership. More Information...