The Steam login is suspicious. Are you stealing my account?

Preface: You don't have to believe me, even though you can look it up and verify it in the browser and our source code. But you should consider one thing: If you don't trust us in regards to Steam, then you shouldn't install any software from us anyway, which makes the whole question pointless!

The login to Steam is used in two places: Steam linking and password reset via Steam.

In both cases the following happens (and you can verify this in your browser yourself):

  1. You click on a link that leads you directly to Steam. The URL starts with
  2. The link contains a "return_to" parameter that tells Steam to redirect to our API after you have logged in successfully ( with more parameters).
  3. Our API asks the Steam API if your request is valid (to verify it's actually you).
  4. We extract your Steam ID from the redirect URL (Steam adds more data when redirecting - you can check this by recording the network traffic with your browser).
  5. a) On link to Steam: With your Steam ID we ask a public Steam API for the list of games you own (this is why your profile needs to be public - we are not asking in your name!). If you own the game, we associate the Steam ID with your FAF account.
    b) On password reset via Steam: We look up your FAF account using the Steam ID. Then we generate a safe token which can be used to reset the password.

The whole process uses a public internet standard called OpenID 2.0. This is also described in the Steam API documentation.

The whole OpenID 2.0 process and login just verifies who you are on Steam. At no moment in time do we get control over your account!
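The relying-party side of steps 1 to 4, as an added sketch that is not FAF's own source code. The Steam endpoint and profile-URL format are assumptions taken from Steam's public OpenID documentation, `api.example` is a placeholder, and `ask_provider` is a hypothetical hook standing in for the HTTPS POST back to Steam so the sample runs offline.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qsl

# Assumed values from Steam's public OpenID documentation, not from this page.
STEAM_OPENID = "https://steamcommunity.com/openid/login"
OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"
CLAIMED_ID = re.compile(r"https://steamcommunity\.com/openid/id/(\d{17})")

def build_login_url(return_to, realm):
    """Steps 1-2: the link the user clicks; it carries no secret of any kind."""
    return STEAM_OPENID + "?" + urlencode({
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.return_to": return_to, "openid.realm": realm,
        "openid.identity": IDENTIFIER_SELECT, "openid.claimed_id": IDENTIFIER_SELECT,
    })

def steam_id_from_callback(callback_url, expected_return_to, ask_provider):
    """Steps 3-4: return the verified Steam ID, or None if any check fails.
    ask_provider(form) POSTs the form to STEAM_OPENID and returns the body."""
    params = dict(parse_qsl(urlparse(callback_url).query))
    if params.get("openid.mode") != "id_res":
        return None  # user cancelled, or not an assertion at all
    if params.get("openid.return_to") != expected_return_to:
        return None  # assertion was issued for a different endpoint
    match = CLAIMED_ID.fullmatch(params.get("openid.claimed_id", ""))
    if not match:
        return None  # identity is not a Steam profile URL
    # Echo the signed fields back; only Steam can confirm its own signature.
    form = {k: v for k, v in params.items() if k.startswith("openid.")}
    form["openid.mode"] = "check_authentication"
    if "is_valid:true" not in ask_provider(form).splitlines():
        return None
    return match.group(1)

# Constructed sample redirect (made-up Steam ID, dummy signature).
RETURN_TO = "https://api.example/steam/callback"
SAMPLE_CALLBACK = RETURN_TO + "?" + urlencode({
    "openid.ns": OPENID_NS, "openid.mode": "id_res",
    "openid.op_endpoint": STEAM_OPENID, "openid.return_to": RETURN_TO,
    "openid.claimed_id": "https://steamcommunity.com/openid/id/76561198000000001",
    "openid.identity": "https://steamcommunity.com/openid/id/76561198000000001",
    "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to",
    "openid.sig": "ZHVtbXk=",
})
```

Every field in the redirect is an `openid.*` assertion value; nothing in it is a password or session cookie, and the Steam ID is only trusted after Steam itself answers `is_valid:true`.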

"Nerds have a really complicated relationship with change: Change is awesome when WE'RE the ones doing it. As soon as change is coming from outside of us it becomes untrustworthy and it threatens what we think of is the familiar."
– Benno Rice

tl;dr: we ask Steam if you have the game, Steam asks you for credentials, then Steam tells us what games you have and what your ID is. We never receive your Steam credentials.