6.7 Independent Servers: NEX

6.7.1 Authentication Tokens

This chapter applies to all applications that provide services via an independent server, regardless of whether the user has registered a Nintendo Network account. If your application provides services via an independent server only to users with a Nintendo Network account, see section 6.8.1 Service Tokens.

Before communicating with an independent server, you must first get an authentication token from Nintendo's authentication server. If you use BOSS to connect to the independent server, getting an authentication token is not required. If the principal ID is used on the independent server side, you must decrypt and verify the authentication token and use the values included in it. Even if the independent server does not use the principal ID, to ensure the security of the independent server Nintendo recommends decrypting and verifying the authentication token to confirm that the connecting client has been successfully authenticated. If you do not decrypt and verify authentication tokens, Nintendo strongly recommends ensuring the security of the independent server by some independent means.

Use CTR-NEX to get the authentication tokens. It is prohibited to save authentication tokens for later use, such as in save data.

If you use a game server provided by Nintendo, then you do not need to implement authentication in your application, because the authentication server automatically authenticates during CTR-NEX login. However, you must log into the friend server (by calling nn::friends::Login) in advance.

You can give the authentication token an expiration by comparing the current time against the token issuance time included in the token and treating the token as invalid once more than a certain amount of time has passed. Choose this expiration to suit your application, and get a new token when the current one has expired.

In order to minimize server load, only call the nn::nex::IndependentServer::RequestAuthenticationToken function (for getting an authentication token from Nintendo's authentication server) once per application launch. This excludes cases where the authentication token has expired.

You must take the following measures when sending an authentication token acquired from Nintendo's authentication server to an independent server.

  • Secure the communication pathway by encrypting the data. If for some reason you cannot secure the communication pathway with encryption, give the token a short validity period to reduce the risk posed by eavesdropping.
  • Implement the process so that it protects against replay attacks (a captured token must not be usable again to establish another session).
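The following is an added example of the server-side checks described above (token freshness from the issuance time, replay rejection, and taking the principal ID from the token rather than from the client, as required by 6.7.1.3). It is not code from this guideline or from CTR-NEX. The real token layout is not described on this page, so the field names, the Unix-epoch timestamp and the assumption that the token has already been decrypted and verified are illustrative only; the sample token is constructed for the example.

```python
import hashlib
import json
import time

# Constructed sample: the plaintext of an authentication token AFTER the
# independent server has decrypted and verified it. The real CTR-NEX token
# layout is not described on this page; the field names and the Unix-epoch
# timestamp below are assumptions made for this example only.
SAMPLE_TOKEN_PLAINTEXT = json.dumps({
    "principal_id": 123456789,
    "environment": "L1",
    "issued_at": 1700000000,
})


class TokenGate:
    """Checks an independent server applies to a decrypted token before
    opening a session: freshness, replay rejection, and taking the principal
    ID from the token rather than from the client."""

    def __init__(self, max_age_seconds, clock_skew_seconds=60, now=time.time):
        self.max_age = max_age_seconds
        self.skew = clock_skew_seconds
        self.now = now              # injectable clock, so tests are deterministic
        self._seen = {}             # token fingerprint -> time it may be forgotten

    def _prune(self, current):
        """Forget fingerprints of tokens the age check would reject anyway."""
        for fp in [fp for fp, until in self._seen.items() if until <= current]:
            del self._seen[fp]

    def remembered(self):
        """Number of token fingerprints currently held for replay detection."""
        return len(self._seen)

    def open_session(self, token_plaintext, client_claimed_pid=None):
        """Return (status, principal_id, environment). Only status "ok" may be
        used to create a session; every other status names the rejection."""
        current = self.now()
        self._prune(current)
        token = json.loads(token_plaintext)
        issued_at = int(token["issued_at"])

        # Freshness: reject tokens older than the configured window, and
        # tokens claiming an issuance time further in the future than the
        # allowed clock skew.
        if issued_at - current > self.skew:
            return "issued_in_future", None, None
        if current - issued_at > self.max_age:
            return "expired", None, None

        # Identity: the principal ID comes from the token. A value the client
        # sends on its own is never trusted; if it disagrees with the token,
        # treat the request as tampered.
        pid = int(token["principal_id"])
        if client_claimed_pid is not None and int(client_claimed_pid) != pid:
            return "principal_id_mismatch", None, None

        # Replay: a token may open exactly one session. Remember its
        # fingerprint until the freshness window would reject it on its own.
        fingerprint = hashlib.sha256(token_plaintext.encode("utf-8")).hexdigest()
        if fingerprint in self._seen:
            return "replayed", None, None
        self._seen[fingerprint] = issued_at + self.max_age + self.skew

        return "ok", pid, token["environment"]


if __name__ == "__main__":
    gate = TokenGate(max_age_seconds=300, now=lambda: 1700000100)
    print(gate.open_session(SAMPLE_TOKEN_PLAINTEXT))   # ('ok', 123456789, 'L1')
    print(gate.open_session(SAMPLE_TOKEN_PLAINTEXT))   # ('replayed', None, None)
```

In this design the client presents the token once, to establish a session, and the server then tracks that session by its own means; this is why the token can be obtained only once per application launch (6.7.1.2) and still be rejected if it is ever presented a second time. The remembered-fingerprint set stays bounded because an entry is dropped as soon as the freshness window alone would reject the token.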


6.7.1.1 Checking Acquisition of Authentication Tokens

Guideline Item

Before connecting with an independent server, the application must use CTR-NEX to get an authentication token for the independent server from the Nintendo authentication server. The application must not save the authentication token in save data or anywhere else for reuse.

Software to Be Tested

Applications that allow users without Nintendo Network accounts to connect to independent servers.

Exceptions
Services provided via an independent server using BOSS features.
Test Method
  1. Connect to the independent server.
  2. Close the application and then restart the system.
  3. Refer to the CTR Network Error Simulation Manual, and set the Authentication Server Error Simulator to generate error 002-0102 (Service is stopped for this user [Game server-side]).
  4. Connect to the independent server.
Pass/Fail Determination

Passes if error 002-0102 occurs in step 4.

6.7.1.2 Restrictions on the Frequency of Getting Authentication Tokens

Guideline Item
The application must only call the nn::nex::IndependentServer::RequestAuthenticationToken function to obtain an authentication token once per application launch.
Software to Be Tested
Applications that allow users without Nintendo Network accounts to connect to independent servers.
Exceptions
Cases where the application calls the function again because the authentication token has expired.
Test Method
Check the source code.
Pass/Fail Determination
Passes if the application only calls the function to obtain an authentication token once per application launch.

6.7.1.3 Using the Principal ID Included in the Authentication Token

Guideline Item
Independent servers must use the principal ID included in the authentication token.
Software to Be Tested

Applications that provide services via an independent server and use the principal ID issued by the friend server on an independent server.

Test Method

Check the source code.

Pass/Fail Determination
Passes if the independent server does not obtain the principal ID directly from the client and trust it unverified, but instead uses the principal ID included in the authentication token.

6.7.2 Supporting Multiple Server Environments

Nintendo provides multiple server environments. In addition to the production environment, where there are authentication servers, friend servers, and other server groups used by general users, there is also the development environment used by developers and the Lotcheck environment used for Lotcheck.

Principal IDs may overlap between different server environments. When identifying a user on an independent server, you must handle the principal ID in combination with the server environment type, and treat that combination as the unique ID. You must not treat the principal ID as a unique ID by itself. See the "Independent Servers" chapter of the CTR-NEX Manual for details.

Note:

For example, the following server environment types exist.

  • D1 to D9: Development Environment
  • L1 to L9: Production Environment
  • S1 to S9: Lotcheck Environment

The server environment type always consists of one uppercase letter (A-Z) followed by a single-digit number (1-9), as in "L1". Design your specifications to support any combination used as this value without problems.
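The following is an added example, not code from this guideline or from CTR-NEX, of how an independent server can key its user records on the combination of environment type and principal ID, accept any environment type of the form described above, and why keying on the principal ID alone is wrong. How the server learns the environment type is covered by the CTR-NEX Manual; here it is simply passed in as a string. The store classes, function names and the sample principal ID are constructed for illustration.

```python
import re

# The server environment type is one uppercase letter A-Z followed by one
# digit 1-9 (e.g. "D1", "L1", "S3"). Any such combination must be accepted.
ENV_TYPE_RE = re.compile(r"[A-Z][1-9]")


def is_valid_environment_type(env):
    """True for exactly one uppercase letter followed by one digit 1-9."""
    return isinstance(env, str) and ENV_TYPE_RE.fullmatch(env) is not None


def user_key(principal_id, environment):
    """Unique identifier for a user on the independent server: environment
    type plus principal ID. The principal ID by itself is not unique."""
    if not is_valid_environment_type(environment):
        raise ValueError("bad environment type: %r" % (environment,))
    return "%s:%d" % (environment, int(principal_id))


class NaiveUserStore:
    """Keyed by principal ID only: users from different environments collide,
    so a production user would be handed a development user's record."""

    def __init__(self):
        self.records = {}

    def lookup_or_create(self, principal_id, environment):
        pid = int(principal_id)
        return self.records.setdefault(pid, {"pid": pid, "env": environment})


class UserStore:
    """Keyed by environment type plus principal ID, as 6.7.2.1 requires."""

    def __init__(self):
        self.records = {}

    def lookup_or_create(self, principal_id, environment):
        key = user_key(principal_id, environment)
        return self.records.setdefault(key, {"pid": int(principal_id),
                                             "env": environment})


def demo():
    """The same principal ID seen from a development, a production and a
    Lotcheck environment (and the production user a second time): the naive
    store merges them into one record, the correct store keeps three."""
    naive, correct = NaiveUserStore(), UserStore()
    for env in ("D1", "L1", "S3", "L1"):
        naive.lookup_or_create(1000, env)
        correct.lookup_or_create(1000, env)
    return len(naive.records), len(correct.records)


if __name__ == "__main__":
    print(demo())   # (1, 3)
```

The validation deliberately accepts every letter and digit in the stated ranges rather than only the D, L and S prefixes listed in the note, because the note presents those as examples and the specification must work for any combination.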

6.7.2.1 Identifying Users in Multiple Authentication Server Environments

Guideline Item
Applications must use the combination of principal ID and environment name to identify users.
Software to Be Tested

Applications that use the principal ID from the authentication token to identify users on an independent server.

Test Method
Check the source code.
Pass/Fail Determination
Passes if the application uses a combination of the principal ID and environment name as the unique ID it evaluates when identifying a user.



CONFIDENTIAL