OK so here's the situation:
I program games. Nothing fancy. Nothing popular. Nothing that anybody except my mom has played. (Thanks, mom!)
But I do occasionally have ideas for games that would work better with certain "community" features. A few examples:
- Cloud saves.
- A game with a level editor, where players can submit and download user created levels.
- A racing game where not only are best racing times recorded (leaderboards), but also "ghosts" which you can download and race against.
- Asynchronous turn-based games that will require some sort of account system to keep track of who is playing against who, and prevent players from playing games/turns they shouldn't have access to.
- Friends lists to make it easier to start a game with people you know.
- A game with automatic matchmaking based on an Elo-like rating system.
Naturally, I'd need some sort of database/account system to keep track of which data belonged to which player. But I really don't want to make the players of my games have to deal with creating yet another account, or deal with password resets or things like that. I just need to verify that the player is who they say they are, and then let them play. This should be a one time process, per device/profile. i.e., if they install my game on their Android device, they'll need to authenticate once, then the app itself will store the token locally and access their game data that way. But if they also install the game on their PC, they'll need to authenticate once on the PC, too. And if they make another profile on the PC (if I am smrat and make the game support multiple profiles) then the profile will need to be authenticated for the new person.
I don't want or need any personal information. If hackers get access to my database, I want it to only contain non-personal information. Only game related stuff like scores, ghosts, friends lists, games, etc. This way a security breach isn't really a problem. All the data will essentially be public anyway, so the only thing I'd need to be worried about is if the hackers decided to delete the data.
Yes, there are third-party solutions that offer leaderboards and the like, but in my experience both as a player and as a developer, they have 2-3 big problems:
1. They are unreliable, smaller companies which disappear after a year or two, thus breaking all game functionality that relied on them.
2. They are reliable, huge companies (Google, Steam, Apple) but are not cross-platform.
3. They are reliable companies, but charge more money than I'm willing to pay since it's just going to be my mom playing my games.
My thoughts were to use OpenID, but that was designed to be used in the web browser, redirecting to the provider's page, then back to the content. I can't exactly do that from within a game. So maybe I want to use OAuth? Even then, I'm not sure. This is because, again, I don't want access to any of their account information from the OAuth provider. I just want a way to verify they are a specific, unique person, then automatically access their game account details from there.
In other words, once they are logged in, the account information would be mostly behind the scenes. I'm thinking that all I'd need is a unique token that never changes (so they can login again after a reinstall or on another device) and that token will be the key/index to the rest of their account information in my database.
Am I going about this the right way? If so, how would I go about using an already existing service provider to provide me with a token which I could then tie to the player's account, without requiring the player to create a username/password to login with every time they launch my game? I think I could even use something like a time-limited code (like what we often see in 2-factor authentication) so that they only need to type in a relatively short numeric code and it will grab all their details automatically. But again, the question is how do I do this seamlessly from within the game, without requiring them to use a browser for authentication?
So what should I use?
OpenID?
OAuth?
WebID?
Persona?
Something else entirely?
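The storage scheme the question describes (a stable identifier as the key to game data, one stored token per device or profile, no personal information in the database), sketched as an added example that is not part of the original post. It assumes the chosen provider hands the server a stable issuer/subject pair once the player is verified, as OpenID Connect ID tokens do in their `iss` and `sub` claims; `AccountStore`, its schema and the pepper value are hypothetical.

```python
import hashlib
import hmac
import secrets

# Server-side secret, constructed for this example; keep it outside the database.
SERVER_PEPPER = b"constructed-example-pepper"


def account_key(issuer: str, subject: str) -> str:
    """Stable pseudonymous key derived from the provider's (issuer, subject) pair."""
    iss = issuer.encode()
    # Length-prefix the issuer so ("ab", "c") and ("a", "bc") cannot collide.
    msg = len(iss).to_bytes(2, "big") + iss + subject.encode()
    return hmac.new(SERVER_PEPPER, msg, hashlib.sha256).hexdigest()


class AccountStore:
    """In-memory stand-in for the game database (hypothetical schema)."""

    def __init__(self):
        self.accounts = {}       # account_key -> game data only, no provider identity
        self.device_tokens = {}  # sha256(device token) -> account_key

    def login(self, issuer, subject):
        """Call only after the provider has verified the player; returns a device token."""
        key = account_key(issuer, subject)
        self.accounts.setdefault(key, {"scores": [], "friends": []})
        token = secrets.token_urlsafe(32)  # random, unrelated to the identity
        self.device_tokens[self._digest(token)] = key
        return token  # the game client stores this locally, one per device/profile

    def account_for(self, token):
        """Resolve a device token to its game data, or None if unknown or revoked."""
        key = self.device_tokens.get(self._digest(token))
        return None if key is None else self.accounts[key]

    def revoke(self, token):
        """Drop one device's access (lost phone) without touching the account."""
        self.device_tokens.pop(self._digest(token), None)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a database leak yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()
```

Because the account key is recomputed from the provider's identifier at each login, a reinstall or a second device reaches the same game data, while a leaked database exposes neither the provider identity nor a working device token.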