Authentication & Identity

Funtico provides a complete authentication and identity system through Login with Funtico, built on the OpenID Connect (OIDC) standard. This allows users to authenticate with their Funtico account and access their account details across multiple games and applications as well as play in the Platform tournaments.

Single Sign-On (SSO) - Users authenticate once and access multiple games
Secure Token Management - Access tokens for API calls and refresh tokens for session persistence
User Profile Access - Retrieve user information like email, username, and balance
Standard Compliance - Works with any OIDC-compliant library or SDK

OpenID Connect (OIDC)

Funtico implements the OpenID Connect standard, which is built on top of OAuth 2.0. OIDC provides:

Identity Layer - Extends OAuth 2.0 with identity verification
Standardized User Info - Consistent user profile data across applications
Security Best Practices - PKCE, state validation, and secure token handling
Library Compatibility - Works with any OIDC-compliant client library

Why OIDC?

OIDC is the industry standard for authentication because it:

Eliminates password sharing between games and applications
Provides secure token-based authentication with automatic refresh
Offers standardized user profile data (email, username, etc.)
Supports multiple grant types for different use cases
Enables single sign-on across your entire ecosystem

Authentication Flow

The Login with Funtico flow follows the standard OAuth 2.0 Authorization Code flow with PKCE:

sequenceDiagram
    participant U as User
    participant G as Game
    participant A as Auth Server
    participant T as Token Endpoint
    
    U->>G: Click "Login with Funtico"
    G->>A: Authorization request with PKCE
    A->>U: Redirect to login page
    U->>A: Enter credentials
    A->>G: Redirect with authorization code
    G->>T: Exchange code for tokens
    T-->>G: Access token + refresh token
    G->>A: Get user profile
    A-->>G: User information

Flow Steps

Authorization Request - Game redirects user to Funtico with PKCE challenge
User Authentication - User logs in to their Funtico account
Authorization Grant - Funtico redirects back with authorization code
Token Exchange - Game exchanges code for access and refresh tokens
Profile Access - Game uses access token to fetch user information

Client Registration

Registration Process

Games register their OIDC clients through the Funtico Developer Dashboard:

Create Auth Client - Register a new authentication client (confidential or public)
Configure Redirect URIs - Specify where users return after authentication
Set Legal URLs - Provide Terms of Service and Privacy Policy URLs
Optional Branding - Add logo for a customized login experience

Client Types

Confidential Client - Has a client secret, suitable for backend applications that support full SDK functionality
Public Client - No client secret, suitable for frontend-only applications with limited functionality (tournaments and payments require backend implementation)

Required Configuration

Client Name - Human-readable name for your application
Redirect URIs - At least one callback URL where users return after login

Optional Configuration

Logo URI - Custom logo displayed during authentication
Post Logout Redirect URIs - URLs to redirect after logout (defaults to redirect URIs if not specified)
Terms of Service URI - URL to your terms of service
Privacy Policy URI - URL to your privacy policy

Automatic Configuration

Funtico automatically configures your client with:

Grant Types: authorization_code, refresh_token
Response Types: code
Token Endpoint Auth Method: client_secret_basic (confidential) or none (public)
Scopes: All available scopes, see Available Scopes
Audience: core.funtico.com - The Funtico Platform API service

Scopes and Permissions

Funtico provides several scopes that control what user information your application can access:

Available Scopes

openid - Required for OIDC compliance
offline_access - Permission to receive refresh tokens for long-term access
profile - Access to user profile information (username, display name)
email - Access to user’s email address
balance:read - Access to user’s TICO balance
transactions:read - Access to user’s transaction history
tournaments:read - Access to user’s tournament history
tournaments:play - Permission to join and play in tournaments
progression:read - Access to user’s rank and level data

Applications can request any combination of available scopes.

Token Management

Access Tokens

Opaque - Cannot be decoded, do not need to be revoked
Short-lived - valid for 1 hour
API Authorization - Used to access Funtico APIs
User Profile - Retrieve user information and balance
Secure Storage - Store securely in your application

Refresh Tokens

Long-lived - Valid for 7 days
Automatic Renewal - Exchange for new access tokens (valid for 1 day when refreshed)
Offline Access - Enable background token refresh
Secure Storage - Store securely with encryption

Token Security

HTTPS Only - All token exchanges use HTTPS
PKCE Protection - Prevents authorization code interception
State Validation - Prevents CSRF attacks
Secure Storage - Tokens should be stored securely

User Information

Standard Claims

Funtico provides standard OIDC claims:

sub - Unique user identifier
email - User’s email address
email_verified - Whether email is verified
name - User’s display name
preferred_username - User’s chosen username
image - User’s avatar image URL

Custom Claims

Funtico extends standard claims with:

frame - User’s avatar image frame URL

Additional Data Access

User balance, progression, transaction history, and tournament data are accessed through the Funtico Platform API (core.funtico.com) using your access token, not through /userinfo OIDC endpoint.

Security Considerations

Best Practices

Use PKCE - Always implement PKCE for public clients
Validate State - Verify state parameter to prevent CSRF
Secure Storage - Store tokens securely with encryption
Token Refresh - Implement automatic token refresh
Error Handling - Handle authentication errors gracefully

Security Features

HTTPS Enforcement - All communications use HTTPS
Token Encryption - Tokens are encrypted in transit
Scope Validation - Only requested scopes are granted
Client Validation - Clients are validated against registered URIs

Integration Options

Standard OIDC Libraries

Since Funtico implements standard OIDC, you can use any OIDC-compliant library:

JavaScript/TypeScript: oidc-client-js, @auth0/auth0-spa-js
Python: authlib, python-jose
Java: spring-security-oauth2, nimbus-jose-jwt
C#: IdentityModel, Microsoft.Identity.Web
Go: golang.org/x/oauth2, github.com/coreos/go-oidc

Funtico SDK

For the easiest integration, use the official Funtico SDK:

import { FunticoSDK } from '@pillarex/funtico-sdk';

const sdk = new FunticoSDK({
  authClientId: 'your-auth-client-id',
  authClientSecret: 'your-auth-client-secret',
  env: 'staging'
});

Use Cases

Game Integration

User Authentication - Players log in with their Funtico account
Balance Access - Check user’s TICO balance for purchases
Profile Information - Display user’s name and avatar
Cross-Game Identity - Same account across multiple games

Application Integration

Single Sign-On - Users authenticate once for multiple services
Payment Integration - Access TICO balance for transactions
User Management - Centralized user profiles and preferences
Security - Secure, token-based authentication

Next Steps

Login Integration - Implement Login with Funtico
User Data Access - Retrieve user information