- Contact Emails
- Name of the company/service
- Will also appear on the RSO Login Page
- Logo of the company/service
- Should scale between 275x275 and 60x60
- Suggested is an SVG, but PNG will also work
- Will be displayed on light and dark backgrounds (see examples below)
- Privacy policy URL
- Terms of service URL
- Redirect URLs
- A list of URLs you would like the RSO Client to redirect the players after login
- Typically a callback which is used to get information about the player who logged in
- Post Logout Redirect URLs
- A list of URLs you would like the RSO Client to redirect the players after logout
- Preffered ClientId
- Unique name for your product without punctation or spaces
- You will receive a link to gather your client secret
- This link will expire after 6 days after you got the mail or after three times opening the link
- This link is secured with a basic auth, the credentials for this will be also in the mail
| Endpoint | Description |
|---|---|
| GET https://auth.riotgames.com/authorize | Endpoint for obtaining an authorization code |
| GET https://auth.riotgames.com/token | Endpoint to exchange authorization codes for access, identity, and refresh tokens |
| GET https://auth.riotgames.com/jwks.json | Endpoint to grab JSON Web Keys for verifying the authenticity of access and identity tokens |
| GET https://auth.riotgames.com/userinfo | Endpoint to use your access token to obtain user information |
After the player logged in with the correct credentials, they are automaticly redirected to the redirect_uri you specified, together with an authorization code as a query string in the url. This code can be sent to the token endpoint to receive access, identity, and refresh tokens. The access token you receive from this endpoint can be then used to get more sensitive data like summoner information, locale, puuid and some more stuff
Here are the fields you need in your RSO URL
| Field | Description | Optional |
|---|---|---|
| redirect_uri | OAuth 2 Callback route you have to set up at your own server. This route needs to be able to process a code query parameter that is added to the URI on when Riot Sign On redirects the player back to our URI. We must also be sure we have this URI added as one of the redirect_uris during client registration See Bullet Point 6 here | ❌ |
| client_id | ID assigned to client during registration. This will be the Client ID you got when you registered a client See Bullet Point 8 here | ❌ |
| response_type | Response type expected, should be code for authorization code flow | ❌ |
| scope | A predefined data scope, must include openid to authenticate | ❌ |
| ui_locales | Space-separated list of player’s preferred BCP47 language tag values in order of most to least preferred | ✅ |
| state | An opaque value provided to the authorize endpoint. The same value is returned to you when the endpoint sends its reply. Enables you to compare value sent and received, to prevent CSRF | ✅ |
Here are the additional scopes you can use
| Field | Description | Optional |
|---|---|---|
| cpid | Return the game region for League of Legends | ✅ |
| offline_access | Allows refresh tokens to be used to retrieve new access_tokens that have access to the /userinfo endpoint | ✅ |
| account | ??? | ✅ |
| Returns the email of the account (seems not to work with response_type code) | ✅ | |
| profile | ??? | ✅ |
If you add all fields that are needed together you will get the following result:
https://auth.riotgames.com/authorize?redirect_uri=http://example.com/callback&client_id=exampleclientid&response_type=code&scope=openid
When the player successfully logs in, a 302 Redirect sends their browser to the redirect_uri that we included in our Sign In link.
This route receives a code as a url query-string parameter, and the server must then make a server-to-server request to exchange this code for access, identity, and refresh tokens. We’ll need to send a few things to Riot Sign On’s token endpoint to get these tokens back. The endpoint which is used here is the token endpoint.
| Field | Value | Description |
|---|---|---|
| Authorization | "Basic " + Base64Encode(client_id + ":" + client_secret) | Authorization Header |
| grant_type (Form Data) | "authorization_code" | Grant type |
| code (Form Data) | Individual per request (is a string) | RSO access code, which we received as a querystring parameter to our oauth2-callback route |
| redirect_uri (Form Data) | Same redirect URL that is passed in the login link | RSO access code, which we received as a querystring parameter to our oauth2-callback route |
Sample Response
{
"scope":"openid",
"expires_in":600,
"token_type":"Bearer",
"refresh_token":"dXJuOnJpb3Q6cOk1qdNal...8zN3NzbQ.xw96rZeGEMtrFlDCGLyA",
"id_token":"eyJhbGciJSUzI1mtpZCInMxIn0...YiI6InVybjpyaW90OpZDp2MTpNalV",
"sub_sid":"vldfsXGdDPoafSKfjS932cslKu8JDUKZ-woZvXDoq8",
"access_token":"eyJhbGciOi1NsImZCI6InM...NTkzMTA3LCJjaWQiJnmE-BVnZbYqY"
}Explanation of all fields from the response
| Field | Description |
|---|---|
| scope | Details what level of access the given Access Token provides. See the scopes list for more information |
| expires_in | Life span of the access token |
| token_type | Method of authorization token provides. Bearer means the entire token should be provided |
| sub_sid | The identifier of an existing session (SID) for the subject (player) |
| access_token | Undecryptable JWT Token. Used for scoped authentication of a client and player to a resource |
| id_token | Decryptable JWT Token. Provides information to authenticate a player’s identity |
| refresh_token | Issued for the purpose of obtaining new access tokens when an older one expires |
Coming soon...