Sign in with Steam

Reference pattern (not natively supported)

Steam uses OpenID 2.0 (the 2007 legacy spec), not OAuth 2.0 or OIDC. Ory Kratos's social sign-in subsystem only speaks OAuth 2.0 / OIDC, so Steam cannot be configured directly as a Kratos provider. This page documents the bridge pattern. Reference: ory/integrates/social-sign-in/steam.

Steam by Valve is the world's largest PC gaming platform. Sign in with Steam is essential for gaming platforms, game launchers, community sites, and esports apps, but the protocol gap to OAuth 2.0 and OIDC requires a bridge component.

Deploy a small proxy in front of Steam's OpenID 2.0 endpoint that exposes an OIDC-compliant interface, then configure the proxy as a generic OIDC provider in Ory Identities.

The proxy receives the OIDC authorization request from Ory Identities, translates it to Steam's OpenID 2.0 flow, validates the response, extracts the 64-bit Steam ID from openid.claimed_id, calls the Steam Web API (GetPlayerSummaries) for the profile, and returns a normal id_token to Ory Identities.
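An added example, not part of the original page or any Ory code: the local checks a bridge proxy could run on Steam's OpenID 2.0 response before trusting openid.claimed_id, plus the check_authentication body used for direct verification with Steam. The endpoint URL, the claimed_id layout, the sample response, and all function names are assumptions not given on this page.

```python
import re
from urllib.parse import urlencode

# Assumed, not stated on the page: Steam's OpenID 2.0 endpoint and claimed_id layout.
STEAM_OP = "https://steamcommunity.com/openid/login"
CLAIMED_ID_RE = re.compile(r"https://steamcommunity\.com/openid/id/(\d{17})")
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to",
                   "response_nonce", "assoc_handle"}
ID_URL = "https://steamcommunity.com/openid/id/76561198000000000"
SAMPLE = {  # constructed response, not captured traffic
    "openid.mode": "id_res", "openid.op_endpoint": STEAM_OP,
    "openid.claimed_id": ID_URL, "openid.identity": ID_URL,
    "openid.return_to": "https://proxy.example/callback?state=abc",
    "openid.response_nonce": "2024-01-01T00:00:00Zconstructed",
    "openid.assoc_handle": "1234567890", "openid.sig": "Y29uc3RydWN0ZWQ=",
    "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}

def extract_steam_id(params, expected_return_to):
    """Run the local checks on an OpenID 2.0 response; return the Steam ID."""
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if params.get("openid.op_endpoint") != STEAM_OP:
        raise ValueError("assertion names a different OpenID provider")
    if params.get("openid.return_to") != expected_return_to:
        raise ValueError("return_to does not match this proxy's callback")
    # Every security-relevant field must be covered by the signature.
    signed = set(params.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        raise ValueError("required fields are not signed")
    claimed = params.get("openid.claimed_id", "")
    if claimed != params.get("openid.identity"):
        raise ValueError("claimed_id and identity differ")
    # fullmatch: a prefix or substring match would accept look-alike URLs.
    m = CLAIMED_ID_RE.fullmatch(claimed)
    if not m:
        raise ValueError("claimed_id is not a Steam identity URL")
    return m.group(1)

def build_check_authentication(params):
    """Form body to POST to STEAM_OP for direct verification."""
    body = {k: v for k, v in params.items() if k.startswith("openid.")}
    body["openid.mode"] = "check_authentication"
    return urlencode(body)

def is_valid_reply(text):
    """Parse the key:value reply; only an exact is_valid:true passes."""
    pairs = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
    return pairs.get("is_valid") == "true"
```

The proxy should issue an id_token only after extract_steam_id succeeds and Steam's reply to the check_authentication POST passes is_valid_reply; the local checks alone do not prove the signature is genuine.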

Steam-specific quirks

  • No email. Use steam_id as the credential identifier in the identity schema.
  • No client registration. Steam doesn't issue a Client ID or Client Secret. A Steam Web API key (from steamcommunity.com/dev/apikey) is all you need for the profile call.
  • Profile visibility. Some fields are blank for private profiles.
  • Rate limits. Steam allows roughly 100,000 calls per day per API key.
