FAForever Forums

    The steam login is suspicious. Are you stealing my account?

    • Brutus5000, FAF Server Admin

      Preface: You don't have to believe me, even though you can look it up and verify it in the browser and our source code. But you should consider one thing: If you don't trust us in regards to Steam, then you shouldn't install any software from us anyway, which makes the whole question pointless!

      Usage:
      The login to Steam is used in two places: Steam linking and password reset via Steam.

      In both cases the following happens (and you can verify this in your browser yourself):

      1. You click on a link that leads you directly to Steam. The URL starts with https://steamcommunity.com/openid/login
      2. The link contains a "return_to" parameter that tells Steam to redirect to our API after you have logged in successfully (https://api.faforever.com with more parameters).
      3. Our API asks the Steam API if your request is valid (to verify it's actually you).
      4. We extract your Steam ID from the redirect URL (Steam adds more data on redirecting - you can check this by recording the network traffic with your browser).
      5. a) On link to Steam: With your Steam ID we ask a public Steam API for the list of games you own (this is why your profile needs to be public - we are not asking in your name!). If you own the game we associate the Steam ID with your FAF account.
        b) On password reset via Steam: We look up your FAF account using the Steam ID. Then we generate a safe token which can be used to reset the password.

      The whole process uses a public internet standard called OpenID 2.0. This is also described in the Steam API documentation.

      The whole OpenID 2.0 process and login just verifies who you are on Steam. At no moment in time do we get control over your account!

      He said, "I've been to the year 3000
      Not much has changed, but they live underwater
      And your great-great-great-granddaughter
      Is playin' FAF, playin' FAF"

      1 Reply Last reply Reply Quote 2
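Steps 2 to 4 of the post above, sketched from the receiving side as an added example (this is not FAF's own code). The callback path `/steam/callback`, the function names and the `post_to_steam` hook are assumptions made for illustration; the hook stands in for the HTTPS POST to Steam so the example runs offline.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

STEAM_OP = "https://steamcommunity.com/openid/login"
# Assumed callback path; the post only names the host https://api.faforever.com
EXPECTED_RETURN_TO = "https://api.faforever.com/steam/callback"
CLAIMED_ID_RE = re.compile(r"https://steamcommunity\.com/openid/id/(\d{17})")

# Constructed sample redirect (made-up Steam ID, placeholder signature)
SAMPLE_CALLBACK = EXPECTED_RETURN_TO + "?" + urlencode({
    "openid.mode": "id_res",
    "openid.op_endpoint": STEAM_OP,
    "openid.claimed_id": "https://steamcommunity.com/openid/id/76561190000000000",
    "openid.return_to": EXPECTED_RETURN_TO,
    "openid.sig": "PLACEHOLDER",
})


def build_check_request(params):
    """Step 3: send Steam's own fields back with mode=check_authentication."""
    body = {k: v for k, v in params.items() if k.startswith("openid.")}
    body["openid.mode"] = "check_authentication"
    return urlencode(body)


def parse_kv(text):
    """OpenID 2.0 direct responses are newline-separated key:value pairs."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)


def steam_id_from_callback(callback_url, post_to_steam):
    """Return the verified 17-digit Steam ID, or None if any check fails.

    post_to_steam(url, body) -> response text (hypothetical hook, normally
    an HTTPS POST to Steam's OpenID endpoint).
    """
    params = dict(parse_qsl(urlsplit(callback_url).query))
    if params.get("openid.mode") != "id_res":
        return None
    if params.get("openid.op_endpoint") != STEAM_OP:
        return None
    # return_to must be our own endpoint, or the assertion was issued for another site
    if params.get("openid.return_to", "").split("?", 1)[0] != EXPECTED_RETURN_TO:
        return None
    match = CLAIMED_ID_RE.fullmatch(params.get("openid.claimed_id", ""))
    if not match:
        return None
    # Step 4 only after step 3: the ID is trusted once Steam confirms the response
    reply = parse_kv(post_to_steam(STEAM_OP, build_check_request(params)))
    return match.group(1) if reply.get("is_valid") == "true" else None
```

The only secret in this exchange is the password typed on steamcommunity.com; the redirect carries an identifier and a signature that only Steam can confirm.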
      • MazorNoob

        tl;dr we ask Steam if you have the game, Steam asks you for credentials, then Steam tells us what games you have and what's your ID. We never receive your Steam credentials.
