My team and I are working on an open source FPS(SyntheticStars) that uses Nakama as an authoritative server. Because we want to use a username and password authentication (without mail) in Nakama and other services (like a forum in the future) we thought about creating our own custom SSO and use the Custom ID authentication. Today I was configuring Nakama and while browsing the DB (CockroachDB) I’ve noticed that the Custom IDs for authentication are saved in plain text; is this a good thing ? What is the correct way to use Custom IDs ?
Today I was also thinking that a malicious user could use the Custom ID to skip the authentication via the custom authentication system. Also, the Custom ID does not expire, so it could be used all the time
The typical use case for custom authentication is integration with another authentication service, and the pattern usually involves using a runtime before hook on the custom authentication operation.
- Clients would submit a token, code, or similar single-use string as the custom “ID”.
- The before hook would read the ID, and check it against an external system using a HTTP request or similar.
- Using the response from the external system substitute the client’s input in the custom ID field with the actual 3rd party identifier returned by the external system.
Using this approach clients cannot simply claim to be any given ID, it’s always checked.
If this approach is not desired you have two options:
- You can use custom IDs no different to device IDs, just generate long random IDs only known to the client.
- Disable authentication methods you don’t want clients to access.
Hope this helps.