Jump to content
McKay Development

Beginning Concepts / Basic oAuth Example

Butter Jesus

Recommended Posts

First let me say that this library is amazing!  I'm really excited to work with it and build something fun.  I'm a data scientist but have a background building backend APIs with Python and recently got into React.  I'm interested in building a web client that logs a user in (front-end initiated via HTML/js), then imports a list of game assets they own and have played recently (backend / nodejs).

The basic case I'm trying to find a beginning with is a basic oAuth login from a web client such as:

<form action="https://steamcommunity.com/openid/login" method="post">
    <input type="hidden" name="openid.identity"
        value="http://specs.openid.net/auth/2.0/identifier_select" />
    <input type="hidden" name="openid.claimed_id"
        value="http://specs.openid.net/auth/2.0/identifier_select" />
    <input type="hidden" name="openid.ns" value="http://specs.openid.net/auth/2.0" />
    <input type="hidden" name="openid.mode" value="checkid_setup" />
    <input type="hidden" name="openid.realm" value="http://localhost" />
    <input type="hidden" name="openid.return_to" value="http://localhost:3030/auth/steam/callback" />
    <Button type="submit"><img src="https://community.cloudflare.steamstatic.com/public/images/signinthroughsteam/sits_02.png"></Button>

Then, I just wanted to handle the request in the backend and get a list of assets.  From here I believe I should get some kind of token then I pass off the request parameters to a method. 

The response I get from the redirect is:

  'openid.ns': 'http://specs.openid.net/auth/2.0',
  'openid.mode': 'id_res',
  'openid.op_endpoint': 'https://steamcommunity.com/openid/login',
  'openid.claimed_id': 'https://steamcommunity.com/openid/id/[an ID]',
  'openid.identity': 'https://steamcommunity.com/openid/id/[an ID]',
  'openid.return_to': 'http://localhost:3030/auth/steam/callback',
  'openid.response_nonce': '2022-12-22T01:02:40[a bunch of letter and numbers]',
  'openid.assoc_handle': '1234567890',
  'openid.signed': 'signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle',
  'openid.sig': 'b0R2aeaaL+6mwfLiahde19gsc+Q='

I'm not completely sure if one of these things is a token or if I need to make another request OR update my form post to have different parameters to get a token.  I see a nonce which I assume is either part of the transaction for obtaining a token to use for future requests, or perhaps it's just randomly generated once as a formality. 

Looking at openid's docs I can assume:


Value: A string 255 characters or less in length, that MUST be unique to this particular successful authentication response. The nonce MUST start with the current time on the server, and MAY contain additional ASCII characters in the range 33-126 inclusive (printable non-whitespace characters), as necessary to make each response unique. The date and time MUST be formatted as specified in section 5.6 of [RFC3339], with the following restrictions:

  • All times must be in the UTC timezone, indicated with a "Z".
  • No fractional seconds are allowed
For example: 2005-05-15T17:11:51ZUNIQUE

Perhaps it's the wrong class, but the SteamCommunity class seems like the right next step somehow but looking at what's expected as arguments to most of the login methods, I'm positive there's a huge gap in my knowledge as to what my first step should be for working with this.  Or maybe node-steam-user (logOn, webLogOn, ???) is the class/method for managing web authentication in my use case?

Thanks in advance for helping with my noob question!

Link to comment
Share on other sites

None of my libraries are what you're looking for. You just need an OpenID validator. This seems like it might work for you: https://github.com/LeeviHalme/node-steam-openid (I just found this on google, this isn't an endorsement)

It's worth mentioning and emphasizing that OpenID and OAuth are not the same thing. You cannot get a bearer token or any other sort of "user token" from Steam. The only thing OpenID allows you to do is get a user's SteamID, and be sure that the SteamID actually belongs to the user. From there, you need to use Steam's public WebAPIs to retrieve data for that SteamID. It won't work if their profile is private, and there's no way around this. There's no mechanism to prompt a user to share private data with you.

Edited by Dr. McKay
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...