They get your username, they check with Steam (who reply Yes/No) to make sure you have authorised them to use your details. I think they also get your custom names / SteamID because that's linked to your username anyway. They don't get anything else.

They don't get any permissions above and beyond what a random stranger on the Internet gets (so public-only visibility, and nothing else), they don't get any passwords, they don't get permission to "do" anything to your account at all.

The only thing to be sure of is that the website sends you to steam itself, where you should normally already be logged on, and you get an "authorise" button. You shouldn't need to enter your password or username or ANYTHING so long as you've been logged into the steam website recently. If anything asks you for more details or to "sign in again", close it, go to steampowered.com yourself, log in, and then go back to it.

In essence, it's pretty safe. They aren't getting any information out of you, they are just asking steam "This guy says he is logged into Steam. Is that right?" and Steam replies Yes (with your SteamID, which is linked to your username) or No. That's it.

They can gain access to your steam account's information, such as games you own, games you have on your wishlist, stats, friendlist, VAC bans (If you have one), and a few developer things, and a uniquie identifer for your account only.

It redirects to https://steamcommunity.com/openid/ which is a valid link to enter your steam information into, it even tells you:


Why sign in through Steam?
By signing in through Steam, www.wishlistnotifier.com will be able to identify you within the Steam Community and retrieve your public gameplay information (such as stats and achievements).

Steam will not reveal your username or password to this site, rather a unique numeric identifier will be shared. You should never enter your Steam login credentials into a third party website!

Sora is either lying or doesn't have any idea what he's talking about. Ledow ir right, they won't get any "developer things", they will just get back your SteamID 64bits. Not even your username. However, this SteamID is used in the url for your profile in the form steamcommunity[dot]com/profile/SteamID, so they can if they want go to this URL. In this case they can access whatever you have in your profile, but as Ledow said, they can only access the public information you have in your profile.

Which means that:
Public profile -> all your info.
Any other privacy setting -> only your Alias, your Avatar and VAC/trade status. No friend list, no game list nothing else.

Originally posted by Dr. House:

Sora is either lying or doesn't have any idea what he's talking about. Ledow ir right, they won't get any "developer things", they will just get back your SteamID 64bits. Not even your username. However, this SteamID is used in the url for your profile in the form steamcommunity[dot]com/profile/SteamID, so they can if they want go to this URL. In this case they can access whatever you have in your profile, but as Ledow said, they can only access the public information you have in your profile.

Which means that:
Public profile -> all your info.
Any other privacy setting -> only your Alias, your Avatar and VAC/trade status. No friend list, no game list nothing else.

Steam API says other wise but w/e
Edit; You are right on the privacy settings though.

Public Data

steamid
personaname
profileurl
avatar
avatarmedium
avatarfull
personastate
communityvisibilitystate
profilestate
lastlogoff
commentpermission

Private Data

realname
primaryclanid
timecreated
gameid
gameserverip
gameextrainfo
cityid
loccountrycode
locstatecode
loccityid

Edit Again;

friendslist (Optional)
If the profile is not public or there are no available entries for the given relationship only an empty object will be returned.

friends (Array)
steamid
relationship
friend_since

If you want further information its public google it.

Originally posted by ♥ Sora ♥:

Originally posted by Dr. House:

Sora is either lying or doesn't have any idea what he's talking about. Ledow ir right, they won't get any "developer things", they will just get back your SteamID 64bits. Not even your username. However, this SteamID is used in the url for your profile in the form steamcommunity[dot]com/profile/SteamID, so they can if they want go to this URL. In this case they can access whatever you have in your profile, but as Ledow said, they can only access the public information you have in your profile.

Which means that:
Public profile -> all your info.
Any other privacy setting -> only your Alias, your Avatar and VAC/trade status. No friend list, no game list nothing else.

Steam API says other wise but w/e
Edit; You are right on the privacy settings though.

Public Data

steamid
personaname
profileurl
avatar
avatarmedium
avatarfull
personastate
communityvisibilitystate
profilestate
lastlogoff
commentpermission

Private Data

realname
primaryclanid
timecreated
gameid
gameserverip
gameextrainfo
cityid
loccountrycode
locstatecode
loccityid

Edit Again;

friendslist (Optional)
If the profile is not public or there are no available entries for the given relationship only an empty object will be returned.

friends (Array)
steamid
relationship
friend_since

If you want further information its public google it.

I don't need further information. Steam API has nothing to to with Steam OpenID.
Accessing a site with Steam OpenID does not give the site any more access with the API that what it has without OpenID access. They're two independent things.
I was right in everything I said.

Also, all the info you calim that is obtainable thought the Steam API is easily obtainable just in your profile: http://steamcommunity.com/id/Darth_Revan?xml=1

Public Data

steamid -> <steamID64>76561197996829374</steamID64>
personaname -> <steamID><![CDATA[ ♥ Sora ♥ ]]></steamID>
profileurl -> http://steamcommunity.com/profiles/76561197996829374
avatar -> http://media.steampowered.com/steamcommunity/public/images/avatars/e2/e2f5e5f66bdf4062325a7db85d5b15646a218ec3.jpg
avatarmedium -> http://media.steampowered.com/steamcommunity/public/images/avatars/e2/e2f5e5f66bdf4062325a7db85d5b15646a218ec3_medium.jpg
avatarfull -> http://media.steampowered.com/steamcommunity/public/images/avatars/e2/e2f5e5f66bdf4062325a7db85d5b15646a218ec3_full.jpg
personastate -> <onlineState>in-game</onlineState>
communityvisibilitystate -> <visibilityState>3</visibilityState>
profilestate -> <privacyState>public</privacyState>
lastlogoff -> <stateMessage><![CDATA[ In-Game<br />Faerie Solitaire ]]></stateMessage>

Still, this has NOTHING to do with login thought Steam OpenID in a website.

what about this:

http://notoriouses.com

how can v know which and which not?

i mean those that have steam button that goes through steam are all those safe?

@dr.house Actually, you are wrong in pretty much everything you said. Steam's OpenID API will send:

steamid
personaname
profileurl
avatar
avatarmedium
avatarfull
personastate
communityvisibilitystate
profilestate
lastlogoff
commentpermission



Source: I use Steam OpenID on my website.