
IAM Clients


Overview

An IAM client is an application, such as a game server or website, that requests access to protected platform resources. IAM clients allow you to control which resources can be accessed by an application as opposed to a specific user.

IAM clients implement the OAuth 2.0 framework. You may have used other OAuth clients in the past, such as when using your Gmail or Facebook account to log in to a website. IAM clients can only be defined under game namespaces.

Client Types

There are two client types, following the client type definitions of the OAuth 2.0 framework (RFC 6749, section 2.1):

  • A confidential client requires both a Client ID and a Client Secret to obtain authorization from the backend. Confidential clients are normally needed where no user logs in (such as a game server), and as a result they typically have access permissions defined on the client itself. Because anyone holding the ID and secret inherits those permissions, use confidential clients only where you control who can read the secret (a server host or a CI pipeline, never a binary distributed to players), and rotate the secret if it is ever exposed.
  • A public client has no client secret; only the Client ID is needed for authorization. Public clients are best suited to applications in which a user logs in with their own account, such as a game client. Permissions are not defined for public clients: once the user has signed in, the user's permissions apply instead of the client's. Treat a public client's ID as public information, since it ships inside the application and cannot be kept confidential.

Common IAM Clients

Most projects typically define a few common client archetypes:

  • Game client IAM clients should be configured as public and should have no permissions assigned, as these permissions will come from the signed-in user.
  • Game server hosted by Armada IAM clients are for dedicated servers. In the most common case the dedicated server does not log in as a user, so it needs permissions assigned on the client itself; per the Client Types section, that requires a confidential client, with the client secret provisioned to the server host rather than built into the game client.
  • Dedicated Server Uploader IAM clients are used for uploading dedicated server builds. Since access for uploaders is usually tightly controlled, it is best to configure these clients as confidential.
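The following is an added illustration of the two client types and the archetypes above, written for this page; it is not AccelByte IAM code, and the function names, the hashed secret storage and the permission strings are hypothetical. It shows why a confidential client must present its secret to receive client-level permissions, and why a public client receives nothing until a user signs in:

```python
"""Model of OAuth 2.0 client-type authorization as described on this page.
Added example, not the platform's own implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Client:
    client_id: str
    client_type: str                       # "confidential" or "public"
    secret_hash: Optional[bytes] = None    # only confidential clients hold a secret
    permissions: FrozenSet[str] = frozenset()  # client-level permissions (confidential only)


def hash_secret(secret: str) -> bytes:
    # Hypothetical storage scheme: only a hash is kept server-side, which is
    # consistent with the secret not being viewable again after creation.
    return hashlib.sha256(secret.encode()).digest()


def create_client(client_id: str, client_type: str, permissions=()):
    """Return (client, plaintext_secret). The plaintext is shown once and never stored."""
    if client_type == "confidential":
        plain = secrets.token_urlsafe(32)
        return Client(client_id, client_type, hash_secret(plain), frozenset(permissions)), plain
    if client_type != "public":
        raise ValueError("unknown client type")
    if permissions:
        raise ValueError("public clients cannot carry client-level permissions")
    return Client(client_id, client_type), None


def authorize(client: Client, client_secret: Optional[str] = None,
              user_permissions=None) -> FrozenSet[str]:
    """Return the permission set a token for this request would carry,
    or raise PermissionError (an 'invalid_client' style failure)."""
    if client.client_type == "confidential":
        if client_secret is None or not hmac.compare_digest(
                hash_secret(client_secret), client.secret_hash):
            raise PermissionError("invalid_client")
        if user_permissions is None:
            # No user signed in (the dedicated-server case): the token carries
            # the permissions assigned to the client itself.
            return client.permissions
        # Assumed: once a user signs in, the user's permissions take over.
        return frozenset(user_permissions)
    # Public client: there is nothing to authenticate the client with, so the
    # token can only ever carry the signed-in user's permissions.
    if user_permissions is None:
        raise PermissionError("public client requires a signed-in user")
    return frozenset(user_permissions)


if __name__ == "__main__":
    # Constructed sample: a dedicated-server client and a game-client client.
    server, server_secret = create_client("ds-armada", "confidential",
                                          ["NAMESPACE:mygame:DSM:SERVER"])
    print(authorize(server, server_secret))          # client's own permissions
    game, _ = create_client("game-client", "public")
    print(authorize(game, user_permissions={"NAMESPACE:mygame:USER:PROFILE"}))
```

Note the constant-time comparison of the secret hash: a token endpoint that compares secrets with `==` leaks timing information, which matters for exactly the kind of long-lived credential a confidential client holds.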

Fields

  • Client ID serves as the unique ID for the client across the system. It is automatically generated when you first create a client.
  • Client Type defines whether the client must present a secret to obtain tokens. You can choose between Public and Confidential types. Refer to the Client Types section to read more about these types of clients.
  • Secret serves as the password for confidential clients. You can fill the field manually or have the system create a secret for you by clicking the Generate Client Secret button.
note

Once the client has been created, you can no longer view the client secret. Store it in a secrets manager or an equivalent protected location at creation time; if it is lost or exposed, generate a new secret for the client rather than trying to recover the old one.

  • Client Name serves as the name of the client. This is how the client will be identified in user-facing forms and documents.
  • Title defines which game namespace the client should be created within. This affects where the client appears in the Admin Portal but does not limit which resources the client can access.
  • Target Audience constrains which service endpoints the client is allowed to access. When given a value, the target audience acts as an allow list that lets backend services reject a request before any client or user permissions are checked. When a client attempts to access a service endpoint, the service first checks the client's Target Audience list: the request is rejected if the service's URI does not match the Base URI of any client listed in the Target Audience field. If the client passes this check, or if the field is empty (no restriction), the service proceeds to the next step, checking permissions or scope. The Target Audience drop-down lists the clients from the namespace the client is defined in, along with the Base URI each of them specifies.
  • Base URI is only needed for clients that are used by services and should be set to the URI of the service itself. For clients that will not be used to allow a service to access the rest of the platform, this value should be empty.
  • Redirect URI is only used by clients that represent web-based applications (such as a website or launcher). For web-based clients, set the value to the exact URL the user will be redirected to upon successful login; register the full URL rather than a broad prefix, since the authorization server should redirect only to a URI registered for the client. For other types of clients (game servers, game clients, server uploaders, etc.), it is customary to use a dummy address such as http://127.0.0.1, as this field must have a value for all clients.
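The following is an added example of the Target Audience pre-check described in the Fields list above, written for this page; it is not the platform's own gateway code. The client registry, the permission strings and the rule that a service URI "matches" a Base URI when scheme and host agree are all assumptions:

```python
"""Audience pre-check a service runs before permission checks.
Added example following the Target Audience / Base URI rules on this page."""
from urllib.parse import urlsplit

# Constructed registry of clients in one namespace: client ID -> Base URI.
# Only clients used by services set a Base URI; the game client leaves it empty.
BASE_URIS = {
    "matchmaking-svc": "https://matchmaking.example.internal",
    "lobby-svc": "https://lobby.example.internal",
    "game-client": "",
}


def _origin(uri: str):
    # Assumed match rule: compare scheme and host, ignore path and query.
    parts = urlsplit(uri)
    return (parts.scheme.lower(), parts.netloc.lower())


def audience_allows(target_audience, service_uri, base_uris=BASE_URIS) -> bool:
    """True if a token whose client lists `target_audience` (client IDs) may
    reach the service at `service_uri`. An empty list means no restriction."""
    if not target_audience:
        return True
    wanted = _origin(service_uri)
    for client_id in target_audience:
        base = base_uris.get(client_id, "")
        # A listed client with no Base URI can never match, so it grants nothing.
        if base and _origin(base) == wanted:
            return True
    return False


def gate_request(token: dict, service_uri: str, required_permission: str,
                 base_uris=BASE_URIS) -> str:
    """Apply the checks in the order the page describes: audience first,
    permissions second. Returns a short verdict string."""
    if not audience_allows(token.get("target_audience", []), service_uri, base_uris):
        return "rejected: audience"
    if required_permission not in token.get("permissions", set()):
        return "rejected: permission"
    return "allowed"


if __name__ == "__main__":
    # Constructed token for a client whose Target Audience is only matchmaking.
    token = {
        "target_audience": ["matchmaking-svc"],
        "permissions": {"NAMESPACE:mygame:MATCHMAKING:TICKET"},
    }
    print(gate_request(token, "https://matchmaking.example.internal/v1/tickets",
                       "NAMESPACE:mygame:MATCHMAKING:TICKET"))   # allowed
    print(gate_request(token, "https://lobby.example.internal/v1/party",
                       "NAMESPACE:mygame:LOBBY:PARTY"))          # rejected: audience
```

The practical consequence is that a compromised token for a tightly scoped service client is useless against any service outside its Target Audience, regardless of what permissions the client carries; leaving the field empty removes that defence.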

Managing Clients in the Admin Portal

Create a Client

  1. In the Admin Portal, expand the User Management section and click OAuth Clients.


  2. Select Create New and fill out the appropriate fields (see the Fields section above for more information).


  3. Once completed, click Create. The new IAM Client will be created.