Preface: You don't have to believe me, even though you can look it up and verify it in the browser and in our source code. But you should consider one thing: if you don't trust us with regard to Steam, then you shouldn't install any software from us anyway, which makes the whole question pointless!
The login to Steam is used in two places: Steam linking and password reset via Steam.
In both cases the following happens (and you can verify this in your browser yourself):
- You click on a link that leads you directly to Steam. The URL starts with https://steamcommunity.com/openid/login
- The link contains a "return_to" parameter that tells Steam to redirect to our API after you have logged in successfully (https://api.faforever.com with more parameters).
- Our API asks the Steam API if your request is valid (to verify it's actually you)
- We extract your Steam ID from the redirect URL (Steam adds more data when redirecting - you can check this by recording the network traffic with your browser)
- a) On linking to Steam: With your Steam ID we ask a public Steam API for the list of games you own (this is why your profile needs to be public - we are not asking in your name!). If you own the game, we associate the Steam ID with your FAF account.
- b) On password reset via Steam: We look up your FAF account using the Steam ID. Then we generate a safe token which can be used to reset the password.
The whole OpenID 2.0 process and login just verifies who you are on Steam. At no moment in time do we get control over your account!
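The relying-party side of the flow described above, as an added example that is not FAF's own code: it builds the Steam login link with the return_to parameter, parses the redirect Steam sends back, prepares the check_authentication request that asks Steam whether the assertion is genuine, and only then extracts the Steam ID from openid.claimed_id. The callback URL, the /steam path on api.faforever.com and the Steam ID in it are constructed for this example.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

STEAM_OPENID = "https://steamcommunity.com/openid/login"
OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
# Steam reports the logged-in user as this URL with a 17-digit SteamID64 at the end.
CLAIMED_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")

# Constructed sample of what Steam appends on redirect (path and ID are made up).
SAMPLE_CALLBACK = (
    "https://api.faforever.com/steam?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res&openid.return_to=https%3A%2F%2Fapi.faforever.com%2Fsteam"
    "&openid.claimed_id=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561190000000001"
    "&openid.identity=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561190000000001"
    "&openid.sig=c29tZXNpZw%3D%3D&openid.signed=signed%2Cop_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to"
)

def build_login_url(return_to: str, realm: str) -> str:
    """Step 1: the link the user clicks; return_to is where Steam sends the user back."""
    params = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
              "openid.return_to": return_to, "openid.realm": realm,
              "openid.identity": IDENTIFIER_SELECT, "openid.claimed_id": IDENTIFIER_SELECT}
    return STEAM_OPENID + "?" + urlencode(params)

def parse_callback(callback_url: str, expected_return_to: str) -> dict:
    """Step 2: read the redirect and make sure it is a positive assertion bound to our API."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if q.get("openid.ns") != OPENID_NS or q.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    # A signed return_to for a different site means the assertion was not issued for us.
    if not q.get("openid.return_to", "").startswith(expected_return_to):
        raise ValueError("return_to does not match our API")
    return q

def check_authentication_body(q: dict) -> str:
    """Step 3: the body our API POSTs back to Steam: same openid.* fields, mode swapped."""
    fields = {k: v for k, v in q.items() if k.startswith("openid.")}
    fields["openid.mode"] = "check_authentication"
    return urlencode(fields)

def is_valid_response(body: str) -> bool:
    """Parse Steam's key:value reply to check_authentication; only is_valid:true passes."""
    kv = dict(line.split(":", 1) for line in body.strip().splitlines() if ":" in line)
    return kv.get("ns") == OPENID_NS and kv.get("is_valid") == "true"

def extract_steam_id(q: dict) -> str:
    """Step 4: take the Steam ID only from claimed_id, rejecting any non-Steam identity URL."""
    m = CLAIMED_ID_RE.match(q.get("openid.claimed_id", ""))
    if not m or q.get("openid.identity") != q.get("openid.claimed_id"):
        raise ValueError("claimed_id is not a Steam identity")
    return m.group(1)
```

Only after is_valid_response returns True for Steam's reply should extract_steam_id be used to look up or link the account; nothing in the exchange ever hands the site a Steam session or password.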