POST auth/steam/login

Log in a user with a valid Steam OpenID 2.0 assertion.

Example

POST /api/v1/auth/steam/login HTTP/1.1
Accept: application/json
Content-Type: application/json

{
  "openid.ns": "http://specs.openid.net/auth/2.0",
  "openid.mode": "id_res",
  "openid.op_endpoint": "https://steamcommunity.com/openid/login",
  "openid.return_to": "https://portal.theendlessmission.com/auth/steam/login",
  "openid.response_nonce": "2019-02-02T00:26:11Z...v8=",
  "openid.assoc_handle": "1234567890",
  "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
  "openid.sig": "Ge5...7k=",
  "openid.claimed_id": "https://steamcommunity.com/openid/id/765...015",
  "openid.identity": "https://steamcommunity.com/openid/id/765...015"
}
----------------------------------------
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 2854
ETag: W/"b26-E2sveLW1Sz4x2l/Va2odtklRGLs"

{
  "newAccount": false,
  "idToken": "eyJra...q0w",
  "accessToken": "eyJhb...Qjg",
  "refreshToken": "eyJhb...MgQ"
}

Security

API authentication is not required, because this is the method you use to get it.

URL Parameters

NONE

Query Parameters

NONE

Request Body

The request body should include all of the information from an OpenID 2.0 positive assertion response as a JSON object.

Response

There are two possible successful responses: 1) the Steam identity corresponds to an active user account, or 2) such an account needs to be created. Both are code 200, and both return the appropriate JWTs in the response body. The shape of the response is the same in both cases; only the optional fields listed under Response Body differ.

Besides the standard error responses, 400 is returned if the assertion does not contain sufficient information, and 403 if the assertion cannot be verified with the Steam servers.
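How a server behind this endpoint can apply the two error rules above (400 for an incomplete assertion, 403 when Steam will not vouch for it) is shown below. This is an added illustration, not the portal's own code: it checks the assertion's shape, then performs OpenID 2.0 direct verification by resending the fields to Steam with the mode switched to check_authentication. The endpoint and return_to values come from the example request; the 17-digit SteamID pattern and the injected post() helper are assumptions.

```python
import re

# Endpoint and return_to are taken from the request example above; the 17-digit SteamID pattern is an assumption.
STEAM_OP_ENDPOINT = "https://steamcommunity.com/openid/login"
EXPECTED_RETURN_TO = "https://portal.theendlessmission.com/auth/steam/login"
STEAM_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")
REQUIRED = ("openid.ns", "openid.mode", "openid.op_endpoint", "openid.return_to",
            "openid.response_nonce", "openid.assoc_handle", "openid.signed",
            "openid.sig", "openid.claimed_id", "openid.identity")
MUST_BE_SIGNED = ("op_endpoint", "claimed_id", "identity", "return_to",
                  "response_nonce", "assoc_handle")

def check_shape(assertion):
    """Return a reason string (maps to HTTP 400) or None when the assertion is acceptable."""
    missing = [k for k in REQUIRED if k not in assertion]
    if missing:
        return "missing fields: " + ", ".join(missing)
    if assertion["openid.mode"] != "id_res":
        return "not a positive assertion"
    if assertion["openid.op_endpoint"] != STEAM_OP_ENDPOINT:
        return "op_endpoint is not Steam"  # never verify against an OP the client chose
    if assertion["openid.return_to"] != EXPECTED_RETURN_TO:
        return "return_to does not name this endpoint"
    if assertion["openid.claimed_id"] != assertion["openid.identity"]:
        return "claimed_id and identity differ"
    if not STEAM_ID_RE.match(assertion["openid.claimed_id"]):
        return "claimed_id is not a Steam identity URL"
    unsigned = [f for f in MUST_BE_SIGNED if f not in assertion["openid.signed"].split(",")]
    if unsigned:
        return "fields not covered by openid.sig: " + ", ".join(unsigned)
    return None

def parse_kv_response(body):
    """Parse the key:value text body the OP sends back (e.g. 'is_valid:true')."""
    pairs = (line.split(":", 1) for line in body.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def verify(assertion, post):
    """Return (status, detail): 400 for bad input, 403 if Steam rejects it, 200 with the SteamID.
    post(url, form) is injected (sends the form, returns the response text) so this runs offline."""
    reason = check_shape(assertion)
    if reason:
        return 400, reason
    # Direct verification: resend every field verbatim with the mode switched (OpenID 2.0 section 11.4.2).
    form = dict(assertion, **{"openid.mode": "check_authentication"})
    reply = parse_kv_response(post(STEAM_OP_ENDPOINT, form))
    if reply.get("is_valid") != "true":
        return 403, "assertion rejected by Steam"
    # A production service also records openid.response_nonce here so a replayed assertion is refused.
    return 200, STEAM_ID_RE.match(assertion["openid.claimed_id"]).group(1)
```

Feed verify() the JSON object from the example request above together with a post() that performs the HTTPS call to Steam; the returned status is the one to send back to the client.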

Response Body

Name         | Description                                                                         | Value
newAccount   | true if this is a new account                                                       | boolean
mayVerify    | true if this is a new account, but the user may skip to the email verification step | boolean (optional)
accessToken  | the access JWT; if this is a new account, this is the sign-up token                 | string
idToken      | the id JWT; not sent for new accounts                                               | string (optional)
refreshToken | the refresh JWT; not sent for new accounts                                          | string (optional)