
Login with Steam OpenId(oidc-client-js)


I've done auth with Google, where the client authenticates, receives a token_id, and sends it to the server, and the server retrieves the client's account info based on that token_id. It was pretty easy because it was documented. Now I'm trying to do the same with Steam, but there are literally 4 rows about OpenID in the Steam docs. I started using an OpenID browser lib, oidc-client-js, but the Steam docs don't help me. The OpenID lib requires these fields:

  • authority
  • client_id
  • redirect_uri
  • response_type
  • scope

Steam docs offer just the provider, key and domain name and I really don't know where to start.

Just download an OpenID library for your language and platform of choice and use http://steamcommunity.com/openid as the provider. The returned Claimed ID will contain the user's 64-bit SteamID. The Claimed ID format is: http://steamcommunity.com/openid/id/

I get a CORS header problem because I use localhost and not a secure connection, and I think I need to configure additional fields in oidc-client-js:

  • metadata
  • signingKeys

Any help will be appreciated.


Solution

  • tl;dr: Steam is not an OpenID Connect provider

    I got the exact same problem.

    I tried running Chrome with CORS disabled to see if it would work, and I got an error from oidc-client:

    SyntaxError: Unexpected token < in JSON at position 0  
        at JSON.parse (<anonymous>)  
        at XMLHttpRequest.s.onload (oidc-client.min.js?3809:1)
    

    Which is easily understandable because https://steamcommunity.com/openid/.well-known/openid-configuration looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD>
        <Service priority="0">
            <Type>http://specs.openid.net/auth/2.0/server</Type>        
            <URI>https://steamcommunity.com/openid/login</URI>
        </Service>
    </XRD>
    </xrds:XRDS>
    

    Which is obviously not JSON.

    The URL in the Type tag redirects to http://openid.net/specs/openid-authentication-2_0.html, which can be found in the obsolete section of the OpenID specifications page.

    Additionally, you can find in the OpenID Connect Discovery specification page that

    OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer.

    Which corroborates that the .well-known/openid-configuration file of the Steam OpenID endpoint was not made for OpenID Connect.

    So I think it's safe to say that Steam is stuck on OpenID 2.0 and is not an OpenID Connect provider.

    Now I have to look for an OpenID 2.0 js client, or switch to Google Sign-In.
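
Added example, not part of the original answer: a pre-flight check that classifies a discovery response body as OpenID Connect JSON or OpenID 2.0 XRDS before the authority is handed to an OIDC client, so the mismatch shows up as a clear result instead of a `JSON.parse` error. The function name, the sample constants and the `idp.example.com` issuer are assumptions made for illustration.

```javascript
const OPENID2_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server";
// Subset of the fields OpenID Connect Discovery marks as REQUIRED.
const OIDC_REQUIRED = ["issuer", "authorization_endpoint", "jwks_uri"];

// Hypothetical helper: returns { protocol: "oidc" | "openid2" | "unknown", ... }.
function classifyDiscovery(body) {
  const text = String(body).trim();
  if (text.startsWith("{")) {
    // OIDC discovery MUST be a JSON document.
    let doc;
    try {
      doc = JSON.parse(text);
    } catch (e) {
      return { protocol: "unknown", reason: "malformed JSON" };
    }
    const missing = OIDC_REQUIRED.filter((k) => typeof doc[k] !== "string");
    return missing.length === 0
      ? { protocol: "oidc", issuer: doc.issuer }
      : { protocol: "unknown", reason: "JSON missing " + missing.join(", ") };
  }
  if (/<xrds:XRDS[\s>]/.test(text)) {
    // OpenID 2.0 discovery: look for a Service advertising the 2.0 server type.
    for (const [, svc] of text.matchAll(/<Service\b[^>]*>([\s\S]*?)<\/Service>/g)) {
      const types = [...svc.matchAll(/<Type>\s*([^<]*?)\s*<\/Type>/g)].map((m) => m[1]);
      const uri = /<URI[^>]*>\s*([^<]*?)\s*<\/URI>/.exec(svc);
      if (types.includes(OPENID2_SERVER_TYPE) && uri) {
        return { protocol: "openid2", endpoint: uri[1] };
      }
    }
    return { protocol: "unknown", reason: "XRDS without an OpenID 2.0 server service" };
  }
  return { protocol: "unknown", reason: "neither JSON nor XRDS" };
}

// The XRDS document quoted in the answer above.
const STEAM_XRDS = `<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service priority="0">
  <Type>http://specs.openid.net/auth/2.0/server</Type>
  <URI>https://steamcommunity.com/openid/login</URI>
</Service></XRD>
</xrds:XRDS>`;

// Constructed OIDC discovery document (placeholder issuer).
const OIDC_SAMPLE = JSON.stringify({
  issuer: "https://idp.example.com",
  authorization_endpoint: "https://idp.example.com/authorize",
  jwks_uri: "https://idp.example.com/jwks",
});

console.log(classifyDiscovery(STEAM_XRDS)); // openid2 result
console.log(classifyDiscovery(OIDC_SAMPLE)); // oidc result
```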