How to go about using a separate launcher for authenticating a game client with Cognito?

Basically, I have a launcher where the user can sign in and launch the game. I am using Cognito for user authentication and I store the access, id, and refresh token in a .dat file.

Currently, the way the launcher works is if the user wants me to remember them, then I save the refresh token and reauthenticate them the next time they open the launcher. Otherwise, they have to manually input their username and password to sign in and I also don't store anything in the .dat file.

The idea was that I would pass the tokens to the game client as a command-line argument, however, I realized I want the launcher and each game to be separate app clients. This is because I want the user to be able to log out of the launcher or close it without compromising the tokens being used by the game. I also want the user to be able to play multiple games without compromising each other.

The current best solution I can think of is to encrypt and store the username and password and pass that into the game as a command-line argument for authentication.

This didn’t sound like the best approach to me, however. It seems like a security issue. Of course, the username and password would both be encrypted and only in the memory as long as I need to authenticate, but it still seems like a security issue.

The other idea is to share tokens and have the launcher handle everything, but then the launcher always has to be open and the user can only play one game at a time.

Has anyone dealt with something similar before and wouldn’t mind sharing what they did? Also, am I looking at this all wrong?

Thanks in advance!

Definitely an interesting problem!

You might have better luck finding Cognito experts in the AWS devs forum: https://forums.aws.amazon.com/forum.jspa?forumID=173

I agree that encrypting the username/password does not sound like the best thing to do. Have you thought about doing server-side auth via AdminInitiateAuth - Amazon Cognito?

  1. Player enters login info in the Launcher
  2. Launcher initiates auth with Cognito, gets auth tokens
  3. Launcher uses the auth token to call an API to a backend service, e.g. RequestGameClientAuthTokens: Integrate a REST API with an Amazon Cognito user pool - Amazon API Gateway
  4. Backend service calls Cognito with AdminInitiateAuth, and gets a new set of auth tokens
  5. Backend service returns the new auth tokens
  6. Launcher launches the game with command-line args containing the new auth tokens
  7. Player can now close/log off from the launcher and the game is not affected.

I think your security instincts are right, and as James suggested, solving this server side is the right approach:

  • User authenticates with the launcher - establish identity and permissions (i.e. what games they can play) and gets creds to use in the launcher for further calls.
  • Use the AWS credentials for the launcher to make a request to a backend service with the user's identity (i.e. your config/ID service) to request data for a specific game (get auth tokens just for that game, with permission to call just that game's resources)

Have seen similar designs before but unfortunately it does require building a bunch of backend for your game, as it's not a use case Cognito supports out-of-the-box AFAIK.
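The backend step that both replies above describe (launcher token in, per-game tokens out via AdminInitiateAuth) as an added example; this is not code from the thread or from AWS. It assumes the launcher calls the backend through an API Gateway Cognito authorizer that has already validated the JWT, so the handler receives verified claims; the pool, client IDs, group names and the CUSTOM_AUTH flow are constructed assumptions, and a stub stands in for the boto3 cognito-idp client so it runs offline.

```python
import time

# Constructed identifiers for this example, not from the thread.
LAUNCHER_CLIENT_ID = "launcher-app-client-id"
USER_POOL_ID = "us-east-1_EXAMPLE"
# Each game gets its own app client and its own entitlement group.
GAME_CLIENTS = {"game-a": ("game-a-app-client-id", "game-a-players"),
                "game-b": ("game-b-app-client-id", "game-b-players")}


def issue_game_tokens(claims, game_id, cognito, now=None):
    """Backend handler: exchange a verified launcher access token for
    tokens issued to the requested game's own app client.

    `claims` are the JWT claims the API Gateway Cognito authorizer has
    already validated (signature, issuer) before invoking this backend.
    `cognito` is a boto3 cognito-idp client (or a stub with the same method).
    """
    now = time.time() if now is None else now
    # 1. Only launcher-issued, unexpired access tokens may mint game tokens.
    if claims.get("token_use") != "access":
        raise PermissionError("expected an access token")
    if claims.get("client_id") != LAUNCHER_CLIENT_ID:
        raise PermissionError("token was not issued to the launcher client")
    if claims.get("exp", 0) <= now:
        raise PermissionError("launcher token expired")
    # 2. Map the game to its own app client and check the user's entitlement.
    if game_id not in GAME_CLIENTS:
        raise LookupError(f"unknown game {game_id!r}")
    game_client_id, required_group = GAME_CLIENTS[game_id]
    if required_group not in claims.get("cognito:groups", []):
        raise PermissionError(f"user not entitled to {game_id}")
    # 3. Server-side auth on the game's app client. The flow is an assumption:
    #    CUSTOM_AUTH backed by Lambda challenge triggers that trust this
    #    backend (ADMIN_USER_PASSWORD_AUTH would need the password, which
    #    the design deliberately avoids). Answering a challenge round with
    #    admin_respond_to_auth_challenge is left out here.
    resp = cognito.admin_initiate_auth(
        UserPoolId=USER_POOL_ID, ClientId=game_client_id,
        AuthFlow="CUSTOM_AUTH", AuthParameters={"USERNAME": claims["username"]})
    if "AuthenticationResult" not in resp:
        raise RuntimeError(f"challenge pending: {resp.get('ChallengeName')}")
    # 4. Return only the game-scoped tokens; the launcher hands them to the game.
    result = resp["AuthenticationResult"]
    return {k: result[k] for k in ("AccessToken", "IdToken", "RefreshToken")}


class StubCognito:
    """Offline stand-in for boto3's cognito-idp client (constructed)."""
    def admin_initiate_auth(self, **kw):
        self.last_call = kw  # record the call so the caller can inspect it
        return {"AuthenticationResult": {
            "AccessToken": f"access-for-{kw['ClientId']}",
            "IdToken": "id", "RefreshToken": "refresh"}}
```

Because the tokens come from the game's own app client, the launcher can sign out or revoke its own tokens without touching the running game. Command-line arguments are readable by other local processes on most platforms, so an inherited pipe or file descriptor is a quieter way to hand the tokens to the game than argv.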

Hey! This seems to have worked almost perfectly! There are small things but I think I can solve them pretty easily.

Thank you so much for the reply!


@Robby_Dwayne

I’m glad that it worked for you!