Steamworks Documentation
User Authentication and Ownership

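Overview

Steamworks exposes multiple methods for authenticating a Steam user's identity and verifying ownership of an application. This document describes the authentication methods used in each of a number of scenarios.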

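Identifying a user within Steam

Every Steam user can be uniquely identified by a 64-bit numeric ID, known as the user's Steam ID. In the Steamworks C++ API, a user's SteamID is contained within a CSteamID object. You can retrieve the current user's Steam ID by calling ISteamUser::GetSteamID and then retrieve the 64-bit ID by calling CSteamID.ConvertToUint64() on the returned value.

The following authentication methods can be used to securely verify a user's Steam ID.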

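APIs covered in this document

Session Tickets

Session Tickets are signed tickets that can be used to verify a user's identity between the user's game client and any number of other game clients (such as in a P2P multiplayer session), or a listen or dedicated game server (using the ISteamGameServer API). These tickets can also be used to verify ownership of the current game and related downloadable content, and to determine whether the user has been VAC-banned (see Valve Anti-Cheat (VAC) and Game Bans for details).
Session Tickets can also be used to verify a user's identity between a game client and a secure backend server using the Steamworks Web API. This requires that the secure server can make HTTPS requests to partner.steam-api.com.

Encrypted Application Tickets

Encrypted Application Tickets can be used to verify a user's identity between the user's game client and a secure backend server. Unlike Session Tickets, verifying Encrypted Application Tickets does not require the secure server to make HTTPS requests. The secure server uses a C++ library and a private, symmetric key to verify the ticket. The Steamworks SDK includes 32-bit and 64-bit versions of this library for Windows and Linux under the public/steam/lib directory.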

Before using Encrypted Application Tickets, you must generate a private key for each title. You can do this by navigating to Edit Steamworks Settings for your application and selecting 'SDK Auth' from the 'Security' drop-down. This key will be associated with your title's AppID and any downloadable content for that title. In order to access this section of Steamworks, a user must have the "Manage Signing" permission for the relevant Application.
NOTE: These keys must be stored securely, and must not be distributed within your application in any way!

Steamworks Web API

Steam exposes an HTTP-based Web API which can be used to access many Steamworks features. The API contains public methods that can be accessed from any application capable of making an HTTP request, such as a game client or server. The API also contains protected methods that require authentication and are intended to be accessed from trusted back-end applications. More details on the Web API can be found here.

P2P or Game Servers

Session Tickets

User Authentication

The following steps detail how to use Session Tickets to verify a user's identity between the user's game client (client A) and another client or game server (client B):

A few important notes about Session Tickets:

Ownership Verification

When using Session Tickets, Steam will automatically verify ownership of the current AppID. If the user does not own the current AppID, then the m_eAuthSessionResponse field of the ISteamUser::ValidateAuthTicketResponse_t will be set to k_EAuthSessionResponseNoLicenseOrExpired. After receiving a user's Session Ticket and passing it to ISteamUser::BeginAuthSession, ISteamUser::UserHasLicenseForApp can then be used to determine if the user owns a specific piece of downloadable content.

Backend Server

Session Tickets and the Steamworks Web API

User Authentication

The following steps detail how to use Session Tickets to verify a user's identity between the user's game client and a secure server:

Ownership Verification

Once a user's identity has been verified, a secure server can use the ISteamUser/CheckAppOwnership Web API method to check if the user owns a particular AppID, or call ISteamUser/GetPublisherAppOwnership to retrieve a list of all user owned AppIDs that are associated with the provided Publisher Key.

Encrypted Application Tickets

User Authentication

The following steps detail how to use Encrypted Application Tickets to verify a user's identity between the user's game client and a secure server:

An example implementation can be found in the Steamworks API Example Application (SpaceWar) project in the SDK, specifically in CSpaceWarClient::RetrieveEncryptedAppTicket and CSpaceWarClient::OnRequestEncryptedAppTicket.

Ownership Verification

Steam will only create Encrypted Application Tickets for users who own the AppID for which the ticket was created. After decrypting an Encrypted Application Ticket, the secure server can use SteamEncryptedAppTicket::BIsTicketForApp to verify that the AppID of the ticket matches the title's AppID. The server can also use SteamEncryptedAppTicket::BUserOwnsAppInTicket to determine if the user owns a specific piece of Downloadable Content (DLC).

Browser-based OpenID Authentication

Steam is an OpenID Provider, as described in the OpenID 2.0 specification. Inside a web browser, a third-party website can use OpenID to obtain a user's SteamID which can be used as the login credentials for the 3rd party website, or linked to an existing account on that website.

When using OpenID, the user begins in a web browser at the third-party website. When the user wishes to log in or link their account to that website using OpenID, the site directs the user to a login form on the Steam Community website. Once the user has entered their Steam login credentials, the user's web browser is automatically redirected back to the 3rd party website with some additional OpenID-specific data appended to the return URL. The site's OpenID library can then use this data to verify and obtain the user's SteamID.

Steam provides the following images which may be used by 3rd party sites when linking to the Steam sign in page:
  • sits_large_border.png
  • sits_large_noborder.png
  • sits_small.png

User Authentication

Steam's OpenID 2.0 implementation can be used to link a user's Steam account to their account on the third-party website.
A list of open source OpenID libraries can be found at the OpenID website. To use OpenID to verify a user's identity:
  • Configure your OpenID library to use the following URL as Steam's OP Endpoint URL: https://steamcommunity.com/openid/
  • After a user has been authenticated, the user's Claimed ID will contain the user's Steam ID. The Steam Claimed ID format is: http://steamcommunity.com/openid/id/<steamid>
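
As an added example (not part of the Steamworks documentation or of any OpenID library), the check below extracts the SteamID from a Claimed ID that the OpenID library has already verified, matching the format above exactly so that lookalike hosts and trailing data are rejected. The function names, the acceptance of https alongside the http form shown above, and the 64-bit field layout used to confirm an individual account are assumptions of this example.

```python
import re

# Format from this page; also accepting https is this example's assumption.
CLAIMED_ID = re.compile(r"https?://steamcommunity\.com/openid/id/([0-9]{1,20})")

def steamid_from_claimed_id(claimed_id):
    """Extract the 64-bit SteamID from an already-verified Claimed ID.

    Returns an int, or None if the string is not exactly in Steam's format.
    """
    if not isinstance(claimed_id, str):
        return None
    # fullmatch, not match/search: no prefix, suffix or trailing newline.
    m = CLAIMED_ID.fullmatch(claimed_id)
    if m is None:
        return None
    steamid = int(m.group(1))
    return steamid if steamid < (1 << 64) else None

def decode_steamid(steamid):
    """Split a SteamID64 into bit fields (layout assumed, not from this page)."""
    return {
        "account_id": steamid & 0xFFFFFFFF,      # low 32 bits
        "instance": (steamid >> 32) & 0xFFFFF,   # next 20 bits
        "type": (steamid >> 52) & 0xF,           # 1 = individual user
        "universe": (steamid >> 56) & 0xFF,      # 1 = public Steam
    }

def individual_steamid(claimed_id):
    """Return the SteamID only if it names an individual public account."""
    steamid = steamid_from_claimed_id(claimed_id)
    if steamid is None:
        return None
    fields = decode_steamid(steamid)
    if fields["type"] != 1 or fields["universe"] != 1:
        return None
    return steamid

if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    for cid in ("http://steamcommunity.com/openid/id/76561197960265729",
                "http://steamcommunity.com.example.net/openid/id/76561197960265729",
                "http://steamcommunity.com/openid/id/76561197960265729\n",
                "http://steamcommunity.com/openid/id/12345"):
        print(repr(cid), "->", individual_steamid(cid))
```

Store and compare the returned integer (or its decimal string) as the account key, not the raw Claimed ID string.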

Ownership Verification

Once a user's identity has been verified, a secure server can use the ISteamUser/CheckAppOwnership Web API method to check if the user owns a particular AppID, or call ISteamUser/GetPublisherAppOwnership to retrieve a list of all user owned AppIDs that are associated with the provided Web API Publisher Key.

Examples

Linking third-party accounts to Steam accounts

Third-party accounts can be linked to Steam accounts by associating a user's SteamID with the 3rd party account.

A user's SteamID can be securely retrieved either in-game or through a web browser and once the initial association has occurred, you can safely allow access to the 3rd party account by merely verifying a user's SteamID. This eliminates the need for Steam users to do any sort of secondary login to 3rd party account systems. Additionally, if new 3rd party accounts can be automatically created and linked when a new SteamID is encountered, the Steam user will never have to be aware that a secondary authentication is taking place at all. Instead, their single Steam account can grant access to all of their games, streamlining the user experience and removing potential barriers to installing and trying new games.

Linking from in-game

Session Tickets can be used to verify a user's identity between a game client and a secure, backend server using the Steamworks Web API:

Linking from a web browser

Steam supports the OpenID 2.0 specification so that you can allow users to securely log into their Steam accounts from your website and retrieve their SteamID. For details on how to use OpenID with Steam, see Using OpenID.

Ownership Verification

Once a user's identity has been verified, a secure server can use the ISteamUser/CheckAppOwnership Web API method to check if the user owns a particular AppID, or call ISteamUser/GetPublisherAppOwnership to retrieve a list of all user owned AppIDs that are associated with the provided Web API Publisher Key.

Migrating from third-party CD keys to native Steam ownership checks

Steam itself offers a number of ways for a title to authenticate a user, removing the need for a third-party CD key. We've compiled a list of common use cases for CD keys and how you might implement each case natively with Steam:

Access to private forums

You'll want to have users log in directly with their Steam account using OpenID. OpenID will return the user's 64-bit SteamID which can then be used with ISteamUser/CheckAppOwnership to verify the user owns your appid. More details can be found above at Linking third-party accounts to Steam accounts.

Unlocking a non-Steam, DRM-free build of the game

Use OpenID and ISteamUser/CheckAppOwnership (documented above) to unlock the content on your own site. Alternatively, you could upload the DRM-free build as optional, free DLC.

Software is sold on my own website and unlocked with a key

You'll want to have users log in directly with their Steam account using OpenID. OpenID will return the user's 64-bit SteamID which can then be used with ISteamUser/CheckAppOwnership to verify the user owns your appid. More details can be found in Linking third-party accounts to Steam accounts above.

Dropping in-game items for registering your third-party key

If you are using the Steam Inventory Service, make sure the item's itemdef is configured correctly as a promo item and call ISteamInventory::AddPromoItem from the client.
If you have your own item backend, you can call ISteamUser::GetAuthSessionTicket from the game client and then use ISteamUserAuth/AuthenticateUserTicket with ISteamUser/CheckAppOwnership to verify ownership.

The key controls which version of the software is unlocked

Each version of your game should have its own AppID. From the game client, call ISteamUser::GetAuthSessionTicket and then use ISteamUserAuth/AuthenticateUserTicket with ISteamUser/CheckAppOwnership to verify ownership.
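
The backend flow named in the last two cases (item grants from your own backend, and one AppID per version), written out as an added example; it is not Valve's code. The helper names, endpoint version paths, JSON field names, hex ticket encoding and the constructed AppIDs 1000 and 1001 are assumptions of this example, and the server acts only on the SteamID that Steam returns for the ticket, never on one sent by the client.

```python
import json
import re
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

API = "https://partner.steam-api.com"  # host named on this page

def http_fetch(url):
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode()

def call(path, params, fetch):
    # Version paths and JSON field names are assumptions, not from this page.
    return json.loads(fetch(f"{API}/{path}/?{urlencode(params)}"))

def authenticate_ticket(key, appid, ticket_hex, fetch=http_fetch):
    """Return the SteamID Steam reports for this ticket, or None."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", ticket_hex or ""):
        return None  # client-supplied input; hex encoding is assumed
    body = call("ISteamUserAuth/AuthenticateUserTicket/v1",
                {"key": key, "appid": appid, "ticket": ticket_hex}, fetch)
    params = body.get("response", {}).get("params") or {}
    return params.get("steamid") if params.get("result") == "OK" else None

def owns_app(key, steamid, appid, fetch=http_fetch):
    body = call("ISteamUser/CheckAppOwnership/v2",
                {"key": key, "steamid": steamid, "appid": appid}, fetch)
    return body.get("appownership", {}).get("ownsapp") is True

def unlocked_editions(key, base_appid, ticket_hex, editions, fetch=http_fetch):
    """editions maps a label to its AppID; returns (steamid, owned labels)."""
    steamid = authenticate_ticket(key, base_appid, ticket_hex, fetch)
    if steamid is None:
        return None, []
    return steamid, [label for label, appid in editions.items()
                     if owns_app(key, steamid, appid, fetch)]

def fake_fetch(url):
    # Constructed responses standing in for Steam so the flow runs offline.
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "AuthenticateUserTicket" in url:
        if q["ticket"] == "14000000aa":
            return json.dumps({"response": {"params": {
                "result": "OK", "steamid": "76561197960265729"}}})
        return json.dumps({"response": {"error": {"errorcode": 101}}})
    return json.dumps({"appownership": {"ownsapp": q["appid"] == "1000"}})

if __name__ == "__main__":
    print(unlocked_editions("PUBLISHER_KEY", 1000, "14000000aa",
                            {"standard": 1000, "deluxe": 1001}, fake_fetch))
```

Any failure (malformed ticket, error response, missing field) yields no SteamID and no unlocked editions, so the caller denies by default.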