Steam API
Helpful links:
- Steam Web API. Documentation for accessing user information.
- Steam Web API Key, required for accessing the Steam Web API.
- Steam Web API Documentation. This contains references to the OpenID Provider logic, allowing you to have someone log in under their Steam credentials to your website. This also contains the "Sign in through Steam" icons they request that you use when using OpenID.
Libraries
- bhaberer/steam-api (Ruby)
- Steam Condenser, a set of libraries for accessing the Steam Community API and game servers written in Source or GoldSrc. Available in Java, PHP, Ruby, and C#.
OpenID Authentication with Steam
Steam uses OpenID 2.0.
Information here is heavily sourced from Matthew Steven Monkan's answer on Stack Overflow.
Requesting OpenID Information
- Create a URL with the following parameters:
  - URL: https://steamcommunity.com/openid/login
  - openid.ns: http://specs.openid.net/auth/2.0
  - openid.claimed_id: http://specs.openid.net/auth/2.0/identifier_select
  - openid.identity: http://specs.openid.net/auth/2.0/identifier_select
  - openid.return_to: The URL on your website that you want to receive a GET request to
  - openid.realm: The domain part of the openid.return_to URL. This is what is displayed to the user when logging in on Steam
  - openid.mode: checkid_setup

  Example:
  https://steamcommunity.com/openid/login?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.return_to=https://example.com&openid.realm=https://example.com&openid.mode=checkid_setup
- After a user successfully logs in, Steam redirects them with a GET request to the openid.return_to URL you specified, with several query parameters added:
  - openid.ns: http://specs.openid.net/auth/2.0
  - openid.mode: id_res
  - openid.op_endpoint: https://steamcommunity.com/openid/login
  - openid.claimed_id: https://steamcommunity.com/openid/id/76561198002516729
  - openid.identity: https://steamcommunity.com/openid/id/76561198002516729
  - openid.return_to: The value of openid.return_to used in the original request
  - openid.response_nonce: 2020-08-27T04:44:16Zs4DPZce8qc+iPCe8JgQKB0BiIDI=
  - openid.assoc_handle: 1234567890
  - openid.signed: signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
  - openid.sig: W0u5DRbtHE1GG0ZKXjerUZDUGmc=

  Example:
  https://example.com/?openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res&openid.op_endpoint=https://steamcommunity.com/openid/login&openid.claimed_id=https://steamcommunity.com/openid/id/76561198002516729&openid.identity=https://steamcommunity.com/openid/id/76561198002516729&openid.return_to=https://example.com&openid.response_nonce=2020-08-27T04:44:16Zs4DPZce8qc+iPCe8JgQKB0BiIDI=&openid.assoc_handle=1234567890&openid.signed=signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle&openid.sig=W0u5DRbtHE1GG0ZKXjerUZDUGmc=
Verifying The OpenID Information
To verify the provided information, issue an API call to Steam via a backend server as follows:
- Take the URL that Steam redirected to
- Swap out the initial host and path with https://steamcommunity.com/openid/login
- Replace openid.mode's value of id_res with check_authentication

Example:
https://steamcommunity.com/openid/login?openid.ns=http://specs.openid.net/auth/2.0&openid.mode=check_authentication&openid.op_endpoint=https://steamcommunity.com/openid/login&openid.claimed_id=https://steamcommunity.com/openid/id/76561198002516729&openid.identity=https://steamcommunity.com/openid/id/76561198002516729&openid.return_to=https://example.com&openid.response_nonce=2020-08-27T04:44:16Zs4DPZce8qc+iPCe8JgQKB0BiIDI=&openid.assoc_handle=1234567890&openid.signed=signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle&openid.sig=W0u5DRbtHE1GG0ZKXjerUZDUGmc=
A valid response will look like:
ns:http://specs.openid.net/auth/2.0
is_valid:true
Because there is a nonce provided in the URL, this API call can only be made once; all subsequent requests will always return is_valid:false, even if it was previously valid.
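
The verification step as a Python sketch, added here as an example and not taken from the original page or from Steam's documentation. The function names and the sanity checks made before the backend call (pinned op_endpoint, fully anchored claimed_id pattern, exact return_to match, required signed fields) are assumptions of this example; the sample parameters are constructed from the example values above.

```python
import re
from urllib.parse import urlencode
from urllib.request import urlopen

STEAM_OPENID = "https://steamcommunity.com/openid/login"
# Matched with fullmatch(); 17 digits as in the page's example ID (assumption).
CLAIMED_ID_RE = re.compile(r"https://steamcommunity\.com/openid/id/(\d{17})")
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to",
                   "response_nonce", "assoc_handle"}

def build_verification_url(params, expected_return_to):
    """Sanity-check callback parameters; return (steam_id, check URL)."""
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if params.get("openid.op_endpoint") != STEAM_OPENID:
        raise ValueError("unexpected OpenID provider")
    if params.get("openid.return_to") != expected_return_to:
        raise ValueError("return_to is not the URL we sent")
    match = CLAIMED_ID_RE.fullmatch(params.get("openid.claimed_id", ""))
    if not match or params.get("openid.identity") != params["openid.claimed_id"]:
        raise ValueError("claimed_id is not a Steam identity URL")
    if not REQUIRED_SIGNED <= set(params.get("openid.signed", "").split(",")):
        raise ValueError("signature does not cover the required fields")
    check = {k: v for k, v in params.items() if k.startswith("openid.")}
    check["openid.mode"] = "check_authentication"
    # The host and path are fixed here, never taken from the callback.
    return match.group(1), STEAM_OPENID + "?" + urlencode(check)

def is_valid_response(body):
    """True only when Steam's key:value body contains is_valid:true."""
    fields = dict(ln.split(":", 1) for ln in body.splitlines() if ":" in ln)
    return fields.get("is_valid", "").strip() == "true"

def verify(params, expected_return_to):
    """Backend call; returns the SteamID64 string, or None if rejected."""
    steam_id, url = build_verification_url(params, expected_return_to)
    with urlopen(url, timeout=10) as resp:
        return steam_id if is_valid_response(resp.read().decode()) else None

# Constructed sample: the example callback values shown on this page.
_ID = "https://steamcommunity.com/openid/id/76561198002516729"
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
    "openid.op_endpoint": STEAM_OPENID, "openid.assoc_handle": "1234567890",
    "openid.claimed_id": _ID, "openid.identity": _ID,
    "openid.return_to": "https://example.com", "openid.sig": "W0u5DRbtHE1GG0ZKXjerUZDUGmc=",
    "openid.response_nonce": "2020-08-27T04:44:16Zs4DPZce8qc+iPCe8JgQKB0BiIDI=",
    "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
```

Treat the Steam ID as authenticated only when verify() returns it. Because the nonce makes the check single-use, keep the result in your own session instead of re-verifying the same callback.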