We are porting our Unity3D game to Xbox One Creators program and we think about how we should integrate our own log-in system with Xbox Live.
We are currently (in standalone PC version) using our own written log-in mechanism and account management system backed by the proprietary server application. Registration is mandatory because this is a multiplayer game. In the registration, step user is needed to fill-in registration form with a chosen nickname, mail address, and password. On Xbox One, of course, we want to avoid this step and leverage existing user's Xbox Live account.
In Xbox Live SDK there is XboxLiveUser object which we get after user logs-in and we will use XboxUserId property as a way to uniquely identify the user in our system. But how can we authorize him? We understand that XboxUserId is easily available for all other games and even other users and we need some secret passphrase which we will use to authenticate against. Is there any way to get unique hash per application per Xbox live user?
We see that XboxLiveUser has method GetTokenAndSignatureAsync which returns GetTokenAndSignatureResult object which contains XboxUserHash property. Is this safe to use this string as passphrase?
The XboxUserHash property that is returned by the GetToken* methods cannot be used as a user identifier. It is likely to change each time a user authenticates with Xbox Live.
As of November 2017, there is no way for an Xbox Creators Program game to authenticate an Xbox Live user on a non-XboxLive service. The best you would be able to do would be to have your game client verify that the user can authenticate with Xbox Live and get the same XboxUserId as the one they are using to authenticate with your service.