Idem directly integrates with Firebase for player authorization in player-based architectures. This allows Idem to check if clients submitting players to the matchmaking queue should be permitted to do so.

Supported authentication modes

Firebase allows a number of authentication methods:

  • Email & password
  • Federated identity provider
    • Google
    • Apple
    • Facebook
    • Twitter
    • GitHub
  • Phone number
  • Custom auth
  • Anonymous auth

The full list can be found in Firebase's documentation.

Setup

There are two parts to setting up player authorization via Firebase.

  1. Implementation on the game client side
  2. Configuration on the Idem side

We recommend implementing the game client side first and configuring Idem afterwards. None of the client-side steps affect whether connections are accepted while Firebase authorization is not yet configured in Idem, so you can safely update the clients and then turn on the Idem side when you are ready.

Game client implementation

Opening the websocket

For authorization via Firebase, the request to open the websocket connection from your game client must include an authorization parameter using the following format:

FirebaseIdToken <firebase_id_token_for_the_user>

This replaces the default value Demo described in the Setting up player based article. You can learn more about how to obtain an id token in the Firebase documentation.

Additionally, you must use players' Firebase user_id for the playerId you use to open the websocket.

Overall, this leads to the following URL and parameters for the WebSocket:

URL = WEBSOCKET_API_URL/?playerId=PLAYER_ID&code=JOIN_CODE&authorization=AUTHORIZATION
  • WEBSOCKET_API_URL: The base URL for websocket connections, e.g. wss://ws.sandbox-1.idem.gg (see websocket for more info)
  • PLAYER_ID: Firebase user_id of the player signed in to Firebase on the client
  • JOIN_CODE: Idem join code for the game mode (see Setting up player based)
  • AUTHORIZATION: FirebaseIdToken <Firebase ID token of the player> (Note the whitespace in the middle)

addPlayer requests

In order to avoid spoofing attacks where a user opens a WebSocket with one account but tries to play with another, you must also use players' Firebase user_id as the playerId for addPlayer submissions after the websocket is successfully opened. This allows us to check that the authenticated (and thereby, from our perspective, authorized) player is the player being submitted to the matchmaking queue from the websocket client.
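The following client-side sketch is an added example, not code from Idem or Firebase. It derives the playerId from the ID token's user_id claim so the two cannot drift apart, and percent-encodes the whitespace in the authorization value. The function names and the sample token are hypothetical and constructed, and it assumes Node.js for Buffer.

```javascript
// Added example: function names are hypothetical, not part of an Idem SDK.

// base64url <-> text helpers (Node.js Buffer).
const b64urlEncode = (text) =>
  Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = (seg) =>
  Buffer.from(seg.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");

// Read the claims of an ID token WITHOUT verifying it. The client only needs
// its own user_id; signature and project checks happen on the Idem side.
function readIdTokenClaims(idToken) {
  const segments = String(idToken).split(".");
  if (segments.length !== 3) throw new Error("ID token must have 3 segments");
  return JSON.parse(b64urlDecode(segments[1]));
}

// Build WEBSOCKET_API_URL/?playerId=...&code=...&authorization=...
// and return the playerId so the same value is reused for addPlayer.
function buildIdemWsUrl(websocketApiUrl, joinCode, idToken) {
  const { user_id: playerId } = readIdTokenClaims(idToken);
  if (typeof playerId !== "string" || playerId === "") {
    throw new Error("ID token carries no user_id claim");
  }
  const base = websocketApiUrl.replace(/\/+$/, ""); // avoid a double slash
  const query = [
    ["playerId", playerId],
    ["code", joinCode],
    // The space after "FirebaseIdToken" is percent-encoded as %20.
    ["authorization", `FirebaseIdToken ${idToken}`],
  ].map(([key, value]) => `${key}=${encodeURIComponent(value)}`).join("&");
  return { url: `${base}/?${query}`, playerId };
}

// Constructed sample token: fake header and signature, for illustration only.
function makeConstructedToken(claims) {
  return [b64urlEncode('{"alg":"RS256"}'), b64urlEncode(JSON.stringify(claims)),
    "constructed-signature"].join(".");
}

const sample = makeConstructedToken({ user_id: "constructed-uid-123" });
const conn = buildIdemWsUrl("wss://ws.sandbox-1.idem.gg", "JOIN_CODE", sample);
console.log(conn.url);      // URL to open the websocket with
console.log(conn.playerId); // reuse this value as playerId in addPlayer
```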

Idem configuration

We use the Firebase JWT public keys to validate the Firebase ID token, so no API key is required on the Idem side. Idem validates not only that the ID token is a valid Firebase token, but also that it was created to authenticate a user for your game. To do this, your Firebase project ID needs to be configured in your Idem account.

You can find more information about the project ID in the Firebase documentation.

To configure the project ID and turn on Firebase authorization, please reach out to match@idem.gg. The ability to do so yourself will be added to the Idem console for self-service soon.

Behavior

Once player authorization via Firebase is configured, Idem will validate the auth token whenever a client tries to open a new websocket connection. The connection will be rejected with a 403 error if the ID token cannot be validated or if no FirebaseIdToken was provided in the authorization parameter at all.

If the validation is successful, Idem will accept the websocket connection request. After that, Idem will check for each addPlayer request that the player_id submitted is equivalent to the user_id retrieved via the auth token. If this is not the case, Idem will reject the addPlayer request.