Login / Logout

Current Login Process

1) Retrieves NFL token via /v1/oauth using username, password, clientId, and clientSecret

See PASSWORD section under OAuth2

NOTE: We recommend that all clients migrate the login flow to Gigya, as we plan to deprecate the current login (oauth/token) flow.

Even with the new flow, the same NFL Bearer token will be kept for ease of migration.

User Login/Logout with Gigya

User login utilizes Gigya as RaaS. For more detailed documentation, please refer to https://developers.gigya.com/display/GD/APIs%2C+SDKs+and+Connectors

Using the Gigya SDK

Gigya provides several SDKs for different platforms: a Web SDK, a Mobile SDK, and a direct REST API. To access Gigya's API (either through an SDK or the direct REST API), a SITE ID is required. Please contact NFL for a Gigya Site ID to use. NFL recommends using the appropriate Gigya SDK for your platform.

Gigya Login API

** For Gamepass Europe, please see the section "Gigya Login for Gamepass Europe".

Only two parameters are required for login: loginID and password. Please refer to Gigya's documentation. For Web SDK: https://developers.gigya.com/display/GD/accounts.login+JS

Sample response

{
  "sessionInfo": {
    "cookieName": "gac_2_ddxTpQZ_zGiuCsCePVKC6bZcBp_qD-pjql",
    "cookieValue": "VC1_739B3B4AD534B6F62AHNld3Knl98Q_vGL5_SxwA=="
  },
  "UID": "e862a450214c46b3973ff3c8368d1c7e",
  "UIDSignature": "iwPwRr3oDmbb8hhTeoO5JHTrc2Y=",
  "signatureTimestamp": "1344415327",
  "loginProvider": "site",
  "isRegistered": true,
  "registeredTimestamp": 1344415327000,
  "registered": "2012-08-08T08:42:07Z",
  "isActive": true,
...

UID, UIDSignature, and signatureTimestamp are exchanged for an NFL token via the NFL oAuth2 endpoint. Please see [GIGYA_SIGNATURE grant type under oAuth](../oauth2.md#gigya_signature_type)

Gigya Login for Gamepass Europe

1) Login via Gigya using username/password and receive Gigya Signature

Only two parameters are required for login: loginID and password. Please refer to Gigya's documentation. For Web SDK: https://developers.gigya.com/display/GD/accounts.login+JS

Sample login success response

{
  "sessionInfo": {
    "cookieName": "gac_2_ddxTpQZ_zGiuCsCePVKC6bZcBp_qD-pjql",
    "cookieValue": "VC1_739B3B4AD534B6F62AHNld3Knl98Q_vGL5_SxwA=="
  },
  "UID": "e862a450214c46b3973ff3c8368d1c7e",
  "UIDSignature": "iwPwRr3oDmbb8hhTeoO5JHTrc2Y=",
  "signatureTimestamp": "1344415327",
  "loginProvider": "site",
  "isRegistered": true,
  "registeredTimestamp": 1344415327000,
  "registered": "2012-08-08T08:42:07Z",
  "isActive": true,
...

If you get the following error message during login, the account needs to agree to the NFL ToS and the Gamepass Europe ToS before it can log in successfully.

Sample login error response due to missing ToS

{
  ...
  "errorCode": 206001,
  "errorDetails": "Missing required fields for registration: preferences.terms.nfltermsofservice.isConsentGranted, preferences.terms.gpeuropetos.isConsentGranted"
  ...
  "regToken": "st2.DkrPgeDXerOj3REw-GENjaOYYUg.WM3rejee7-qvyk0LJ0hhiQ.ZRH21kz85msmFveeNgCDx-uNMx0",
  ...
}

To accept those ToS, the client needs to call Gigya's setAccountInfo endpoint, passing the regToken returned in the previous response, when the user re-accepts the terms of service.

Example using the Web SDK: https://developers.gigya.com/display/GD/accounts.setAccountInfo+JS with the following parameters:

var params = {
    preferences: {
        terms: {
            nfltermsofservice: {
                isConsentGranted: true
            },
            gpeuropetos: {
                isConsentGranted: true
            }
        }
    },
    // regToken returned in the 206001 error response
    regToken: "{$regToken}"
};

After setAccountInfo is called, the user should be redirected to log in again.

2) UID, UIDSignature, and signatureTimestamp are exchanged for an NFL token via the NFL oAuth2 endpoint. Please see [GIGYA_SIGNATURE grant type under oAuth](../oauth2.md#gigya_signature_type)

Logout

When the user initiates a logout, Gigya logout has to be called to clean up the session data on the Gigya side. https://developers.gigya.com/display/GD/accounts.logout+JS

Also, if clients hold an NFL access token and refresh token retrieved from the NFL OAuth endpoint, they need to wipe those tokens from client-side storage as well.

Step-By-Step example

Web Diagram

Mobile Diagram

Step 1) Log in with Gigya

curl -X POST \
  "https://accounts.us1.gigya.com/accounts.login?apiKey=${gigya_site_id}" \
  -H 'content-type: multipart/form-data' \
  -F "loginID=${username}" \
  -F "password=${password}"

Step 2) Extract gigya_UID, gigya_signature, and gigya_signature_timestamp (the UID, UIDSignature, and signatureTimestamp fields) from the response

Step 3) Exchange them for a user token from the NFL API

curl -X POST \
  https://api.nfl.com/v1/oauth/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d "grant_type=gigya_signature&client_id=${client_id}&client_secret=${client_secret}&username=${username}&gigya_UID=${gigya_UID}&gigya_signature=${gigya_signature}&gigya_signature_timestamp=${gigya_signature_timestamp}"
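
Steps 2 and 3 as code, including the missing-ToS (206001) branch described earlier. This is an added example, not NFL or Gigya code; the function names and the shape of the returned objects are hypothetical, and it is assumed to run where client_secret can be kept confidential.

```javascript
// Added example; function names and returned object shapes are hypothetical.
const TOKEN_URL = "https://api.nfl.com/v1/oauth/token"; // Step 3 on this page
const MISSING_TOS = 206001; // errorCode from the missing-ToS sample response

// Pull the term keys (e.g. "gpeuropetos") out of the errorDetails string.
function missingConsents(errorDetails) {
  const re = /preferences\.terms\.([A-Za-z0-9_]+)\.isConsentGranted/g;
  return [...String(errorDetails || "").matchAll(re)].map((m) => m[1]);
}

// Build accounts.setAccountInfo params once the user has accepted `terms`.
function consentParams(regToken, terms) {
  const granted = {};
  for (const t of terms) granted[t] = { isConsentGranted: true };
  return { preferences: { terms: granted }, regToken };
}

// Decide what to do with a parsed accounts.login response.
function nextStep(gigya, client) {
  if (gigya.errorCode === MISSING_TOS) {
    if (!gigya.regToken) throw new Error("206001 response without regToken");
    return { action: "acceptTerms", regToken: gigya.regToken,
             terms: missingConsents(gigya.errorDetails) };
  }
  if (gigya.errorCode) return { action: "fail", errorCode: gigya.errorCode };
  const { UID, UIDSignature, signatureTimestamp } = gigya;
  for (const [k, v] of Object.entries({ UID, UIDSignature, signatureTimestamp })) {
    if (!v) throw new Error(`login response is missing ${k}`);
  }
  // URLSearchParams percent-encodes "+", "/" and "=" in the base64 signature;
  // sent raw, "+" would be decoded as a space by the form parser.
  const body = new URLSearchParams({
    grant_type: "gigya_signature",
    client_id: client.id,
    client_secret: client.secret,
    username: client.username,
    gigya_UID: UID,
    gigya_signature: UIDSignature,
    gigya_signature_timestamp: signatureTimestamp,
  }).toString();
  return { action: "exchange", url: TOKEN_URL, body };
}

// Constructed sample (not a real account): the missing-ToS case.
const sample = { errorCode: 206001, regToken: "st2.constructed",
  errorDetails: "Missing required fields for registration: " +
    "preferences.terms.gpeuropetos.isConsentGranted" };
console.log(nextStep(sample));
```

Call consentParams only after the user has actually re-accepted the listed terms, then send the user back through login as described above.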