- The player should be able to play anonymously (though he might be excluded from the leaderboards: no shirt, no pants, no identity)
- Whenever a Game Center or Facebook ID is provided, we can bind the user profile to that identity
- The player should be able to access the game from multiple devices (exclusively, though)
- The identity should persist even if the identity service is not available right now (can't log in to Facebook?)
- The game should handle a change of identity predictably: either prompt to create a new account or not (logged in as another user)
- There should be a method to reset the identity (and maybe to restore it)
- There can be devices from multiple vendors (Android and iOS, for example)
On the device we have
- Vendor-based UID
- Manufacturer, hardware type, etc.
- Multiple identities (or none)
- Random clientId (generated on first run)
The user has a server-side identity, the SSID (never shown to the client)
The user's client can have multiple local identities associated with the SSID (the association is kept only at the server)
User can use only one identity exclusively at one time (can't play from different devices at the same time)
Authentication is granted through a transparent API
There are weak and strong identities (and perhaps some priority within each group), e.g. Facebook has priority over deviceId/clientId
There are rules to sync the user's state
Also there are friends (tied to some strong identities, but let's forfeit that for now)
The user presents his local identities so that a preexisting profile can be found
This should never reveal sensitive information (like raw fb-id)
Authentication should grant an access-token, which can and will expire
We should take some care about replay attacks (include a timestamp and a hash of id+timestamp in authentication)
Authentication tokens are never the same across user-owned devices
/authenticate(clientId, socialId1...) -> access-token
/login(access-token, timestamp) -> ok
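A server-side sketch of the /authenticate and /login flow above, including the replay check, as an added example (not code from these notes). The HMAC keyed with the access-token standing in for "hash of id+timestamp", the 30-second window, the one-hour token lifetime and all class and function names are assumptions; identity strings are treated as opaque values.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed access-token lifetime, seconds
MAX_SKEW = 30     # assumed tolerance for the login timestamp, seconds

def sign_login(token, client_id, timestamp):
    # Client side: hash of id+timestamp, keyed with the access-token (assumption),
    # so an observer who sees id and timestamp cannot recompute it.
    msg = f"{client_id}|{timestamp}".encode()
    return hmac.new(token.encode(), msg, hashlib.sha256).hexdigest()

class AuthServer:
    def __init__(self):
        self.pepper = secrets.token_bytes(32)  # server-only key for blinding identities
        self.profiles = {}  # blinded identity -> SSID (never sent to the client)
        self.tokens = {}    # access-token -> (ssid, client_id, expires_at)
        self.seen = set()   # (token, timestamp) pairs already accepted

    def _blind(self, identity):
        # Only a keyed digest is stored, so a raw fb-id never sits in the lookup table.
        return hmac.new(self.pepper, identity.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, client_id, *social_ids, now=None):
        now = time.time() if now is None else now
        # Strong identities are checked first; clientId is the weak fallback.
        keys = [self._blind(i) for i in (*social_ids, client_id)]
        ssid = next((self.profiles[k] for k in keys if k in self.profiles), None)
        if ssid is None:
            ssid = secrets.token_hex(16)  # no preexisting profile: create one
        for k in keys:
            self.profiles.setdefault(k, ssid)
        token = secrets.token_urlsafe(32)  # fresh random token per device and per call
        self.tokens[token] = (ssid, client_id, now + TOKEN_TTL)
        return token

    def login(self, token, timestamp, proof, now=None):
        now = time.time() if now is None else now
        entry = self.tokens.get(token)
        if entry is None or now >= entry[2]:
            return False  # unknown or expired token
        if abs(now - timestamp) > MAX_SKEW or (token, timestamp) in self.seen:
            return False  # stale timestamp or replayed request
        if not hmac.compare_digest(proof, sign_login(token, entry[1], timestamp)):
            return False  # proof does not match this device's clientId and token
        self.seen.add((token, timestamp))
        return True
```

Entries in `seen` only need to be kept for `MAX_SKEW` seconds, since older timestamps are rejected by the window check anyway.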