Comments (6)
Epic Games' Technical Account Management team has indicated that it is no issue for this information (I would imagine the EncryptionKey is an exception) to be available to users, provided that your Client Policy is configured correctly.
My open question to their Service Delivery team was as follows:
What is the sensitivity level of information like ClientId-ClientSecret (ClientCredentials), SandboxId, ProductId, EncryptionKey, etc. that would be used by Auth and Platform interfaces and so forth? I would like to use the official plugin recommended here: https://dev.epicgames.com/en-US/news/epic-online-services-releases-plugins-for-unity-and-unreal-engine , but the current implementation requires leaving all of this information exposed to users in both a JSON file and within its own logs. Is leaving all of this information exposed acceptable if we customize our Client Policy for the Game Client appropriately or use other mitigating measures? Or is there no reason to worry about this?
Their response clearly instructed that I should keep the ClientSecret under "lock and key", but was worded in such a way that I suspected it might have been referring to the BPT or something else that could readily make use of ClientSecretEnvVar, so I rephrased my question:
My question was specific to the EOS plugin I linked above, which was: https://dev.epicgames.com/en-US/news/epic-online-services-releases-plugins-for-unity-and-unreal-engine
The instructions for which can be found here: https://github.com/PlayEveryWare/eos_plugin_for_unity
The plugin, as several github commenters have called out, leaves the ClientSecret (I think we are talking about the same thing here? https://dev.epicgames.com/docs/services/en-US/Glossary/index.html#D?term=ClientSecret ) exposed to the world in a JSON file, as well as the bulleted pieces of data below. Furthermore, as the plugin runs, all of the following data is logged into Unity's player.log file.
- ProductName
- ProductVersion
- ProductID
- SandboxID
- DeploymentID
- ClientSecret
- ClientID
- EncryptionKey
If you indeed advocate keeping ClientSecret under lock and key, and we are talking about the same thing, then I am very confused about Epic's recommendation about this plugin and its usage. I hope I am just missing something. I tried working around the plugin's need for this JSON file, but it proved to require an amount of effort (and possible future maintenance) that I do not believe is reasonable.
My question was then passed to one of their TAMs, and their response was:
It is expected that users will have access to the EOS Client ID and Client Secret (but not your BPT Client ID and Client Secret!) I recommend customizing the Client Policy with this in mind. Per the Client Credentials (https://dev.epicgames.com/docs/services/en-US/DevPortal/ClientCredentials/index.html) page, this should be handled as an untrusted client. Partners who need to ensure client security to perform certain operations will typically create separate trusted clients that they manage on their dedicated servers.
I am waiting on a follow-up clarification regarding the EncryptionKey. I hope this helps/reassures someone.
from eos_plugin_for_unity.
Their team's most recent response on the EncryptionKey being left exposed:
"As the Encryption Key is stored client-side, it is expected that players would be able to obtain its value even if steps were taken to obfuscate it. However, it is worth noting that the Encryption Key is not the sole component used in the encryption of data stored using the Player Data Storage feature."
from eos_plugin_for_unity.
Quick summary: Those keys are not as 'secret' as one might assume, and it's somewhat safe to have them in the open. They have to be in StreamAssets so that the GfxPluginNativeRender can access them before all of Unity has been bootstrapped so that the Plugin can hook all the appropriate things before the first graphics call by the Unity engine.
from eos_plugin_for_unity.
We're also concerned about this, seems like a fairly big security hole.
from eos_plugin_for_unity.
Difficult to move forward with this plugin as it stands currently. Another vote here to change how this is resolved.
from eos_plugin_for_unity.
We're also concerned about this, seems like a fairly big security hole.
For untrusted clients this should not be a problem. The way you limit the untrusted clients' authority is via the client settings. (Remember EOS can be used by trusted BE services too, where indeed this information would be security sensitive. However, those shall be run in isolated environments anyway.)
from eos_plugin_for_unity.
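As an added defender-side example (not code from the plugin or from anyone in this thread), the following Python pre-ship check reads a plugin-style config JSON and a player.log, lists which of the fields named in the thread are present, flags any trusted/BPT client credential (which per the TAM reply belongs on dedicated servers only) that made it into the build, and flags log lines that echo the untrusted ClientSecret or EncryptionKey. The field names come from the thread; the log format, config contents and credential values are constructed placeholders.

```python
import json

# Field names the thread says the plugin writes to its StreamingAssets JSON and to player.log.
EOS_CONFIG_FIELDS = ("ProductName", "ProductVersion", "ProductID", "SandboxID",
                     "DeploymentID", "ClientSecret", "ClientID", "EncryptionKey")
# Expected in an untrusted client's config, but still should not be echoed into logs.
LOG_SENSITIVE_FIELDS = ("ClientSecret", "EncryptionKey")


def audit_eos_build(config_json, log_text, trusted_credentials):
    """Return (severity, message) findings for a shipped build.

    trusted_credentials maps client_id -> client_secret for trusted/BPT clients,
    which belong on dedicated servers only and must never appear in a game build.
    """
    findings = []
    config = json.loads(config_json)
    present = [f for f in EOS_CONFIG_FIELDS if config.get(f)]
    findings.append(("info", "client config exposes: " + ", ".join(present)))

    # 1. The shipped config must describe an untrusted client, never a trusted one.
    if config.get("ClientID") in trusted_credentials:
        findings.append(("critical", "config ClientID is a trusted client"))
    haystack = config_json + "\n" + log_text
    for client_id, secret in trusted_credentials.items():
        if secret and secret in haystack:
            findings.append(("critical", f"trusted secret for {client_id} present in build"))

    # 2. Untrusted-client values may sit in the JSON, but logging them is a defect.
    for field in LOG_SENSITIVE_FIELDS:
        value = config.get(field)
        if value:
            hits = [n for n, line in enumerate(log_text.splitlines(), 1) if value in line]
            if hits:
                findings.append(("warning", f"{field} value logged on line(s) {hits}"))
    return findings


# Constructed sample inputs (placeholders, not real EOS values or real plugin output).
SAMPLE_CONFIG = json.dumps({
    "ProductName": "ExampleGame", "ProductVersion": "1.0", "ProductID": "prod-placeholder",
    "SandboxID": "sandbox-placeholder", "DeploymentID": "deploy-placeholder",
    "ClientID": "untrusted-client-placeholder", "ClientSecret": "untrusted-secret-placeholder",
    "EncryptionKey": "00" * 32,
})
SAMPLE_LOG = "[EOS] Initializing platform for ProductID prod-placeholder\n" \
             "[EOS] ClientID=untrusted-client-placeholder ClientSecret=untrusted-secret-placeholder\n" \
             "[EOS] Overlay hooked before first graphics call"
TRUSTED_CLIENTS = {"server-client-placeholder": "server-secret-placeholder"}
```

Run `audit_eos_build(SAMPLE_CONFIG, SAMPLE_LOG, TRUSTED_CLIENTS)` against a real build's config and player.log with your own trusted client list; any "critical" finding means a server-side credential shipped and must be rotated.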