Couple weeks ago CCP FoxFour told us about the upcoming new SSO Login System for 3rd party sites. Well after years of hoping, weeks of testing on SISI and waiting again they got finally ready and within the scope of a limited SSO trail and allowed a few 3rd party websites to use their newly crafted SSO (Single Sign On) System to be used.
What does this mean?
You can now login DOTLAN EveMaps using your Eve Online Characater (not account). Many social media sites are providing similar services (via OpenID, OAuth and OAuth2) like Facebook, Twitter, Reddit or Google.
Is it secure?
DOTLAN EveMaps or other 3rd party sites using the SSO Login Service will never see your eve account details (username, password, email, etc). As long as you pay attention when you get redirected to log in, you’re safe. But you should always do this when entering your credentials and double check them.
I have already a DOTLAN EveMaps account and now?
The best way is now to log into your account using your old login method (email+password or facebook or twitter, etc.) and add an additional identity to your account. You’ll be able to login with all of your linked identities. If you try to login first with your Eve Account you might create a new account instead of link it to your existing one.
Do we have any other benefits when using Eve SSO as login method?
Nope. Right now CCP is just providing SSO as a Login service that provides the 3rd party site with your characterID, characterName and a hash so we can verify if the character is still living on the same account. There’s no additional information we get. For everything else we’ve still to rely on the old API keys, but this first initial step is the crucial requirement for the next big step: Authenticated CREST. Someday we might get access to different scopes and request user details requesting permission from the user … but I guess this will take another year or so 🙂
Even on DOTLAN EveMaps I haven’t added any special features yet or updated the API verification process … but I guess other applications, corp or alliance management tools will be standing on the door step of CCP and waiting every moment news.
I’m a developer, where do I get my OAuth2 credentials for my own applications?
This was the first and initial trail run and test for CCP. They take their login system serious and are afraid of potential security breaches. The time for the first sisi trails even got pushed ahead multiple times. The client credentials were created manually by CCP Devs inside the database. Once the Developer Site, where you can register your application with application name, backcall_url, etc., goes live you’ll see more websites using this method as it ensures that the user on the browser site is in charge of the API keys he’s providing. No more API Key Changing, Evemail verifications or 1 isk transactions will be needed to verify you on those multiple alliance or corporation management tools out there. One day …
I the meantime I would advice you to get familiar with OAuth2 login procedure (for websites) in general. Once CCP has finished their developer site you’re in the first line of requesting one.