Identity Validation
How to validate user and Unreal server identity in your web API
If you have called 'Fetch M2 Web Platform Delegated Auth Token' and passed the result into HTTP blueprint nodes, your requests to web servers will contain a token that can be used to prove the sender is either a logged-in client or the game server.

This JWT is very short-lived (expiry ~5 minutes) and is designed to prove the identity of the caller as having come from the MSquared platform.
The token has the following payload for clients:
{
  "scopes": [],
  "user_id": "<userid>",
  "client_type": "ue_client",
  "iat": 1717077960,
  "iss": "<issuer>:auth",
  "exp": 1717078260,
  "aud": [
    "<aud>"
  ]
}
And the following payload for the game server:
Unreal Servers only support the 'World' scope of tokens; other types will not be generated.
{
  "scopes": [],
  "client_type": "ue_server",
  "iat": 1717077960,
  "iss": "<issuer>:auth",
  "exp": 1717078260,
  "aud": [
    "<aud>"
  ]
}
The client_type claim being set to ue_server does not mean that the requester is trustworthy.
This claim will have the same value in delegated auth tokens for local and user-generated worlds.
Some additional gating is strongly recommended when relying on this claim, e.g. checking the project ID claim as well.
The JWT header will contain a key ID claim (kid), which can be used to validate the token using the JWKS published at https://admin.m2worlds.io/.well-known/jwks.json
The token can be validated using any JWT validation library, for example jose for JavaScript/TypeScript users.
The current issuer in use is scarcely-calm-lark:auth and the audience is scarcely-calm-lark
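import * as jose from 'jose'

// Fetches the signing keys from the published JWKS and selects one by the token's kid
const JWKS = jose.createRemoteJWKSet(new URL('https://admin.m2worlds.io/.well-known/jwks.json'))

// `jwt` is the token string taken from the incoming request.
// jwtVerify throws if the signature, issuer, audience or expiry check fails.
const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
  issuer: 'scarcely-calm-lark:auth',
  audience: 'scarcely-calm-lark',
})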
If the token validates successfully, you can use the user_id claim, or a client_type claim of ue_server, to identify the caller.
If you specified a scope in the request, then your token will contain additional claims depending on the scope. For example, if you requested world scope for a user:
{
  "scopes": [],
  "user_id": "<userid>",
  "organization_id": "<orgid>",
  "project_id": "<projectid>",
  "world_id": "<worldid>",
  "iat": 1717077960,
  "iss": "<issuer>:auth",
  "exp": 1717078260,
  "aud": [
    "<aud>"
  ]
}
It is recommended that you verify the tokens contain the organization, project and world claims you expect.
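One way to apply the claim checks recommended above after jose.jwtVerify has succeeded, as an added example that is not part of the original documentation. The names EXPECTED, ClaimError, requireString and authorizeCaller and all IDs are hypothetical, and it assumes world-scoped server tokens carry the same organization_id, project_id and world_id claims as the user example.

```javascript
// Added example. Input is the `payload` returned by jose.jwtVerify(), so the
// signature, issuer, audience and expiry are assumed to be verified already.

// Hypothetical allow-list (constructed values): what this API is meant to serve.
const EXPECTED = {
  organization_id: 'org-constructed',
  project_id: 'proj-constructed',
  world_ids: new Set(['world-a', 'world-b']),
};

class ClaimError extends Error {}

// Return a non-empty string claim or reject the token.
function requireString(payload, name) {
  const value = payload[name];
  if (typeof value !== 'string' || value.length === 0) {
    throw new ClaimError(`missing claim: ${name}`);
  }
  return value;
}

function authorizeCaller(payload, expected = EXPECTED) {
  // Scope claims first: an unscoped token carries none of these and is rejected.
  for (const name of ['organization_id', 'project_id']) {
    if (requireString(payload, name) !== expected[name]) {
      throw new ClaimError(`unexpected ${name}`);
    }
  }
  const worldId = requireString(payload, 'world_id');
  if (!expected.world_ids.has(worldId)) throw new ClaimError('unexpected world_id');

  if (payload.client_type === 'ue_server') {
    // ue_server also appears for local and user-generated worlds, so it is
    // only accepted after the project/world checks above have passed.
    // Assumption: a genuine server token never carries user_id.
    if ('user_id' in payload) throw new ClaimError('server token with user_id');
    return { kind: 'server', worldId };
  }
  return { kind: 'user', userId: requireString(payload, 'user_id'), worldId };
}
```

Call authorizeCaller(payload) straight after jwtVerify and treat a ClaimError as an authorisation failure for the request.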