Creating a login API for multiple websites that are not on the same network

Question

I've build two seperate games and I want them to share the same login system. So that if you have one account which you use for both games.

But when they first sign up and login I do not want to redirect them to the centralized system because I want the sign-up/login-proccess to be as simple as possible because I'm afraid they'll lose interest.

So I was thinking about letting them sign in to the website normally and then using cURL to send the requests to the centralized website by building an API.

I am however wondering if this is a good approach because none of the websites are on the same network. I guess I'll have to build the centralized login system in such a way that it only accepts requests from the domains the games are on. But are there any other things I have to worry about? How should I send for example passwords? Because sending them plain text seems like a horrible idea so I guess I'll have to hash them on the side of the game. I guess I'll have to make a small copy of the users table for for example the username and user_id.

I don't want to use for example OpenID or Facebook Connect or something because that does mean redirecting to an external system (which is bad for user experience) and the average age off players on the website is about fourteen, so they have no clue about OpenID and I don't want to force them to connect their Facebook accounts to my websites.

Also I'm sorry if I'm unclear or writing in bad English, I'm not a native and having a hard time expressing myself the right way.

Thanks in advance!

Answer 1

An API would be a good approach. However, if you implement such an API, you should keep these things in mind:

1. Use strong Auth-Keys for the API. You could filter the requests by the server IP, however this would work, but I won't recommend it since you can send manipulated packets (IP-Spoofing).
2. You can hash the password on your game-server, but if the connection from the client to the server wasn't encrypted, the password was already sent across the internet and an attacker would start at the client's unencrypted connection if he wants his or her password. So make sure to use SSL for every connection with critical user data.

Answer 2

You have two options Option 1 : integrate both the applications with CAS. CAS is a simple protocol based authentication architecture specifically designed for single-sign on scenarios. This will definately save a lot of time of yours, with minimalistic developmental modifications.

Option 2: Have a standalone user table on one of the servers, and make the authentication requests against this table. Question is of maintaining individuality during gaming process, you can do that with sessions and cookies.