User specific login session

API Discussion
Hello all,

I'm working on a mobile app where I have my own system to authenticate users.

Once the user is inside the app, I ask them to authenticate with BattleNet through the Authorization Code flow to get his user info or list of characters.

The problem I currently have is:

I have a user A, he logs in in the app and authenticates with BattleNet, receives a code, a token and later on the user info or list of characters. User A logs out, user B logs in. When I start the Authorization Code flow for user B, he automatically receives a code that belongs to user A, without asking for BattleNet credentials.

So the main idea is to maybe link the user account with the BattleNet account in a 1:1 relationship.

Is there any way I can do this?

I would like to be able to do the following:

1. If a user starts the Authorization Code flow and has not given permission previously, show the BattleNet login site.
2. If the user already gave permission to the app, the app should be able to notice this and provide a code and token that can be user to get user specific info.

I'm sorry if this was asked previously, didn't find it in the forums.

Thanks!
The best approach for this, would be to have a "login with battle.net" button as an option for authentication. That way you your user wouldn't have to log in twice and you wouldn't have this problem.

The other option is really simple, on the table you save user's credentials add a field to hold the user's unique id returned by the API and add a unique index (or a similar mechanism) to this field.
All you have to do is check this field after the bnet authorization and see if the ID was already linked to another account, if it was just redirect the user to a page informing the bnet account was already used and some information about the possible causes.
Hello Schiller,

Thank you very much for your response.

Regarding option 1, I don't think I can do that. The flow in the app is that the user logs in with his account, and this gives him access to my backend. The screen where I want the user to connect to Battle Net is optional, and only if the user wants to see his list of characters.

Regarding option 2, I can do that! The only question is in this scenario:

1. User A logs into his account.
2. User A Logs into his BattleNet account (I store the Battle Tag).
3. User A logs out.
4. User B logs into his account.
5. User B tries to log into his BattleNet account.

In step 5, user B doesn't have the Battle Tag stored (it was stored for user A), so he will continue to the Battle Net site for login.

The thing is that since user A previously authenticated with BattleNet, user B will be automatically Authenticated using User A credentials.

Is there any way I can show user B the Battle Net login form? Can I cancel user A Battle Net session on logout?

Thank you very much.
Hey Ciau,

I believe you are likely only hitting this scenario because your are testing with two different accounts on the same computer. The way the Blizzard OAuth works is that when you send the user over to the OAuth login screen, Blizzard is noticing that your browser already has a valid session, and instead of showing the user the login form, just sends the user through to the next step of the OAuth flow.

Normally this is not an issue as most users do not share a computer with other users who might also be logging into Blizzard accounts and also trying to use your website, but it is something that we run into as 3rd party developers, as we often have all types of testing accounts we are logging in and out of to test different things.

Something I've done in the past is when the user clicks "Login with Blizzard" on my community site, I first send them to a page on my site which asks them to "please wait...", and then after a few seconds I redirect them to the OAuth login flow like normal.

This intermediate step is needed as while the user is sitting on this intermediate page looking at the "please wait..." message, I also include a iframe on the page which uses https://us.battle.net/login/logout as the source, which essentially logs the user out of their Blizzard session. Because including this iframe causes the users Blizzard session to be revoked, when you redirect the user to the login page, they will always be shown the login form since they do not have a valid session anymore, rather than the form just automatically logging them in like it was before.

For my application this was needed as there were several users who did share the same PC, so It was OK in my mind to force them to have the 'inconvenience' of needing to login on the Blizzard page every-time they wanted to login to my service, rather than just using the session the user already had with Blizzard.
Hello spudnic072,

Yes!!! That's exactly the issue I'm having!

I would also prefer to have the users login each time they want to sync their data (even if that means they can sign in with a different Battle Net account each time) rather than having all users on the same device to always be linked to the same BattleNet account.

I'll try the approach you suggested.

Thanks to both of you! You rock!

Have a nice day.

I'll let you know if I have further issues =P.
In short no, you can't force to show battle.net login form every time just for your application.

You can't control the login on battle.net side, this is completely outside of your application. The login form for battle net doesn't show up because the browser already have a SSO (Single sign on) cookie set for battle.net domain. nothing you can do about it, except inform your user about it.

I find the trick suggest by spudnic072 very intrusive and disrespectful to users, as something is being done on their behalf without their consent. This is actually how some browser exploits work.
Have in mind this will expire the user's blizzard session not only for YOUR application, but for every other application currently active. In rare scenarios this may cause unexpected side effects on other apps.

Perhaps a better solution would be to combine both our answers: instead of just signing out the user, show an explanation of what is happening and a link to the logout page.
This way you give the user the choice of actually signing out of bnet or using an alternative solution like Firefox containers to have multiple accounts active at the same time.
Hello again,

Thanks Schiller. I totally understand the situation I’m now and you’re right I shouldn’t be forcing the logout of my users. I’m good with showing them an explanation of what is happening.

It makes sense now. Thanks.

Join the Conversation

Return to Forum