Web services for authorisation in external applications


First of all, if this is in the wrong section then I apologise - I have never submitted such a technical idea before... I considered putting it in the Community based projects forum but nothing there seemed to suggest Ideas... If anyone moves it then please PM me with where it was moved to.

To develop a web service, accessible to external applications, which ensures that the user who is registering on an external app is, indeed, who they say they are, and another one to check if a user is a leader of their alliance.

Currently external apps are able to do an awful lot - but everything is publicly accessible; there is no way for them to check that a player is who they say they are. I believe this would take us to a new level of external apps - secure apps! Apps where you are within an area which you know only your alliance can access...

The basic concept of the application
So basically I am thinking of writing an external app myself, which will be alliance-based. It is not meant to replace in-game forums, but is a tool to be used alongside them. To start with security will not be a problem - it will only be for my alliance. However in the long-term I would ideally like to open it up to all players / alliances. This is where the problem is.

The problem
The problem here is authorization. What is to stop a player in alliance A from registering under another players username and being able to view the site as seen by alliance B?

The solution
Technically there is more than one solution, as listed below, and maybe more. One web service will be common to both solutions - this will check if the user is a leader of their alliance.
  1. There is another web service which accepts their username and password and returns whether or not they're the correct combination. The problem here is that external apps using this web service will be able to store the password and ultimately the owner of the app will have access to that players account. One way around this is for Grepolis to change the users password and email it to them - but this is not ideal. The next solution is an attempt to resolve this.
  2. In brief
    There is another web service which accepts just their username but this time sends a verification email to that players email address (without ever revealing the email address to the external app).

    How it will work
    Now this is going to get rather complex but I am confident that, if this reached the devs, the devs would be able to understand it.

    The app also submits a redirect URL which contains a unique ID. We will call this unique ID "ID1". ID1 is stored against the username in the external apps' database. The redirect URL is stored in Grepolis' database.

    Grepolis then generates a 2nd unique ID (ID2) which is attached to the end of the link in the verification email. This link will point to something like http://en13.grepolis.com/verify.php?ID={ID2}. On visiting this page, the ID in the query string is checked against ID2, which is stored in the database next to the redirect URL. If they match then the user will be redirected to the redirect URL specified by the external app and the external app will then verify the ID in the URL they're taken to to ID1.

I believe that, if this were to be implemented, external apps would be capable of doing a whole lot more than they are currently limited to. Through solution #2 they would never, EVER have access to personal details such as the email address they're registered with, password, etc etc. Players would *only* be able to access the app if they have access to the email address stored in the Grepolis database for the username they entered.

Obviously this idea is still only at concept stage - but from what I know about web services, and the techniques I have talked about, this would achieve security within external apps.




Thread moved. This is not an applicable grepolis game idea. Maybe Ac04 can tell you something about this.


I have previously requested this, on more than one occasion. Currently, it has not been taken into account. I will try and submit yet another request, as it is something I've wanted to see for a good while.


Thanks ac04. I think this will make it possible to develop secure apps, such as mine. And the reason I have chosen web services for this idea is that they're language independent. I will be using VB.Net - I am sure other apps use PHP. Either one can connect to a web service and use it. How to do so I am not entirely sure yet as I have very little experience of web services; however I will be sure to check it out.


Sending the "ID2" from your mail to a third-party webservice could be a huge leak of security since it would allow the owner of the webservice to collect these ID2 and log in and steal the accounts.
Last edited by a moderator:


I see your concern, Ptaah, but I have several points to make in reply to that:

Firstly they would not request your in-game password and therefore would be unable to login.

Secondly you say that app creators could take players' usernames and passwords - even if they did get access to passwords, you trust the actual InnoGames employees themselves not to steal your account when you don't even know any of them personally. Now I am not saying that employees cannot be trusted by any stretch of the imagination - I am just making the point that they have access to your password and could quite easily steal it if they wished - however they don't as they want to keep their jobs. App developers would want a good reputation and would want to keep it that way - if they abuse their position and get found out, that would ruin their repuation and it wouldn't take long before everyone left them. Their app would also appear in the forbidden apps list.

My third and final point is that statistics such as unit count would require a connection to an official web service - this web service could check that the user has clicked the verification link (this would be stored in the form of a 0 or 1 in the table relating ID1 with ID2) every time it is connected to, thus preventing access to the data for the app creators unless the player has clicked the link. Due to having this new verification table in the Grepolis database, Grepolis could therefore keep track of who is using which apps and could give players the ability to disable access for a specific app. This app would then have access to only the bog standard information like Grepostats. Any information which is collected would become stagnant very soon after this point for active players.

I hope this answers your concerns. Please either reply to this or PM me if you are at all confused by this idea.

Last edited by a moderator:


WOW looks like I am re-awakening an old thread but I would love to see this implemented! :)