I've done auth with Google: the client authenticates, receives a token_id, and sends it to the server, and the server retrieves the client's account info based on that token_id. It was pretty easy because it was documented. Now I'm trying to do the same with Steam, but I literally have 4 rows about OpenID in the Steam docs. I started using an OpenID browser lib, oidc-client-js, but the Steam docs don't help me. The OpenID lib requires these fields:
The Steam docs offer just the provider, key and domain name, and I really don't know where to start.
Just download an OpenID library for your language and platform of choice and use http://steamcommunity.com/openid as the provider. The returned Claimed ID will contain the user's 64-bit SteamID. The Claimed ID format is: http://steamcommunity.com/openid/id/
I get a CORS header problem because I use localhost and not a secure connection, and I think I need to configure additional fields in oidc-client-js:
Any help will be appreciated.
To use OpenID to verify a user's identity: Configure your OpenID library to use the following URL as Steam's OP Endpoint URL: https://steamcommunity.com/openid/ After a user has been authenticated, the user's Claimed ID will contain the user's SteamID.
[oidc-client-js is a] library to provide OpenID Connect (OIDC) and OAuth2 protocol support for client-side, browser-based JavaScript client applications. Also included is support for user session and access token management.
In the simplest terms, OpenID Connect uses the following process to verify a user identity: First, OpenID Connect will redirect a user to an identity provider (IdP) to determine the user's identity, either by seeing if they have an active session (Single Sign On) or by asking the user to authenticate.
tl;dr: Steam is not an OpenID Connect provider
I got the exact same problem.
I tried running Chrome with CORS disabled to see if it would work, and I got an error from oidc-client:
SyntaxError: Unexpected token < in JSON at position 0
at JSON.parse (<anonymous>)
at XMLHttpRequest.s.onload (oidc-client.min.js?3809:1)
Which is easily understandable because https://steamcommunity.com/openid/.well-known/openid-configuration looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD>
        <Service priority="0">
            <Type>http://specs.openid.net/auth/2.0/server</Type>
            <URI>https://steamcommunity.com/openid/login</URI>
        </Service>
    </XRD>
</xrds:XRDS>
Which is obviously not JSON.
The URL in the Type tag redirects to http://openid.net/specs/openid-authentication-2_0.html, which can be found in the obsolete section of the OpenID specifications page.
Additionally, you can find in the OpenID Connect Discovery specification page that
OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer.
Which corroborates that the .well-known/openid-configuration file of the Steam OpenID endpoint was not made for OpenID Connect.
So I think it's safe to say that Steam is stuck on OpenID 2.0 and is not an OpenID Connect provider.
Now I have to look for an OpenID 2.0 js client, or switch to Google Sign-In.
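As an added example (not part of the original question or answer), this is what the OpenID 2.0 exchange looks like without oidc-client-js: a redirect to the OP endpoint from the XRDS document above, then server-side checks on the returned parameters before the SteamID is trusted. The function names and the sample values in the test are hypothetical; the endpoint and the Claimed ID prefix are the ones quoted on this page, and accepting both http and https in the prefix is an assumption.

```javascript
// Added example. Endpoint and identifier prefix are the ones quoted on this page;
// function names are hypothetical.
const OP_ENDPOINT = 'https://steamcommunity.com/openid/login';
const OPENID2_NS = 'http://specs.openid.net/auth/2.0';
const CLAIMED_ID_RE = /^https?:\/\/steamcommunity\.com\/openid\/id\/(\d+)$/;

// Step 1: URL the browser is sent to. This is a plain navigation, not an XHR,
// so the CORS error from the discovery request never comes into play.
function buildLoginUrl(returnTo, realm) {
  const params = new URLSearchParams({
    'openid.ns': OPENID2_NS,
    'openid.mode': 'checkid_setup',
    'openid.return_to': returnTo,
    'openid.realm': realm,
    'openid.identity': OPENID2_NS + '/identifier_select',
    'openid.claimed_id': OPENID2_NS + '/identifier_select',
  });
  return OP_ENDPOINT + '?' + params.toString();
}

// Step 2 (server side): sanity-check the query received on return_to and build
// the body for the check_authentication POST. The query string alone proves
// nothing, because anyone can type it; steamId is trusted only after step 3.
function prepareVerification(query, expectedReturnTo) {
  const q = new URLSearchParams(query);
  if (q.get('openid.mode') !== 'id_res') throw new Error('not a positive assertion');
  if (q.get('openid.op_endpoint') !== OP_ENDPOINT) throw new Error('unexpected OP endpoint');
  if (q.get('openid.return_to') !== expectedReturnTo) throw new Error('return_to mismatch');
  const m = CLAIMED_ID_RE.exec(q.get('openid.claimed_id') || '');
  if (!m) throw new Error('claimed_id is not a Steam identifier');
  const body = new URLSearchParams(q);
  body.set('openid.mode', 'check_authentication');
  return { steamId: m[1], body: body.toString() };
}

// Step 3: POST `body` to OP_ENDPOINT from the server and parse the key:value reply.
function isValidReply(text) {
  return text.split('\n').some((line) => line.trim() === 'is_valid:true');
}
```

The server should also reject an `openid.response_nonce` it has already seen, so that a captured return URL cannot be replayed.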