Looking for insight to secure a services-oriented backend architecture

Good evening to all!

TLDR: looking for insight regarding:

  • The difference between a regular web app (Applications/Applications/Create Application/Regular Web Applications) and an API (Applications/APIs/Create API),
  • The best way to implement authentication AND authorization in a services oriented videogame backend.

I know this is a lot to read and answer to, but I did quite a lot of research over the past couple weeks and I’m in a little bit of an impass at the moment. I’d appreciate any pointer and/or information really.

The project

After years of experience as a software engineer, I decided to get back to one of my former hobbies: creating games. For educational purposes, I’ve been working recently on a online game project.

I developed a passion for well-designed software architecture and I am having a blast applying that to creating games. I desgined a prototype with a set of basic features, including networking, as a basis for the game. I am currently working on a basic authentication/authorization system, and instead of building everything myself, I decided to use Auth0 as IDaaS.

Connecting a simple Vue.js app to Auth0 with signup/signin with an authentication guard was done in a matter of hours, but I am struggling to find the best way to authenticate users from the game. Bear in mind, I am still a beginner with Auth0, but I’m loving the stack so far.

You’ll find below a simplified version of the game server’s architecture and the connections between components/services. The components are :

  • The website (Vue.js): where users create their accounts and profiles (user_metadata),
  • The game clients (Unity, C#),
  • The front server (Node.js + Fastify): API which serves as an API gateway for users, hiding the server’s architecture,
  • The auth server (Node.js + Fastify): API which allows users to connect to the game,
  • The game servers (Unity, C#): handling the game logic as pseudo authoritative servers,
  • The game API (Node.js + Fastify): API which handles saving to and getting from the game database,
  • The game database (Redis): stores all the data of the game, from achievements to players positions, levels, guilds, etc.

And here are the connections :

At the moment, the access flow is very simple and not secure at all, as shown on this diagram:

Basically, I set an action on the auth0 dashboard to create a uuid for every new user (in their app_metadata), independently from the tenant. This uuid is added with another action (post login) to the id_token.
When a user wants to connect with a character on a game server, they connect to the game, retrieve their uuid and public username.
Based on this uuid, they get a list of characters from the server, ask for a server IP and connect to it with the id of one of the characters.

The obvious problem is that the auth server allows to get back a user’s uuid securely, but there are no security checks at all after that. For example, a user could change their uuid before the [GET /characters?user_id={uuid}] call and get someone else’s characters instead.

The questions

Now, I’ve been thinking of ways to add security to this simple architecture, but I have not met a lot of success so far with auth0, probably due to a lack of expertise regarding Token Based Authentication as a whole.

My idea was to forward the access token all the back to the game client after the login process. The token would then be a part of every request sent to the front server, allowing the authorization process, and also part of the handshake with the game server.

Here are my questions:

  • Would this idea be secure enough, using https/TLS?
  • I am struggling to understand the difference between a regular web app and an API in the auth0 dashboard, in the applications section. The Auth server I implemented is registered as a regular web app on the dashboard and uses the Node.js auth0 package in order to authenticate users. However, this Auth server is nothing more than a very basic API, so should I register an API on the auth0 dashboard instead of my current “regular web app”? What would be the pros and the cons of using one versus the other ?
  • Considering that the Game API is never exposed to the outside world, I was thinking of doing security checks on the front server only. Would that be considered a bad practice with auth0?
  • Considering an access token with a lifespan of 24 hours which would be stored in the game client after the initial login process, what would happen if someone stayed online for 25 hours ?
  • Now, regarding the game servers. For several reasons (latency, peformance, decoupling), I’d like to keep the whole authentication/authorization out of the game servers, if possible. However, when a user connects to a game server, there needs to be some sort of verification of identity, otherwise the entire system could be compromised (including the Game API). How could I handle that properly while handshaking ? Would that be enough, or would the game servers need regular identity checks ?

Thank you !

Best regards,
Marc

Note: here’s the text source of my diagram from sequencediagram.org if anyone wanted an easy way to add notes to mine:
auth0 help sequence diagram.txt (1007 Bytes)