One way to handle these things:
- Player logs into the online service in the client
- The online service returns a unique id for that player and an authentication token
- The unique id and token are used by the dedicated server to verify with the online service
One thing that you can do in your online service is make sure that each dedicated server is generating its own unique information (nonce - number used once, token, etc.) that is part of the published data for that dedicated server instance. Then the server can quickly validate that the client joined from the online service information, because the unique info can be verified and could only have been supplied by the online service. If you change this number often enough, it won't be subject to various types of timing-related spoofing attempts. Xbox Live uses something similar, but with the addition of an encrypted networking layer.
Make sure you're using SSL for all of your REST communication, both for the privacy of your players and to make man-in-the-middle attacks harder.
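The flow described above, written out as an added example (this is illustration code, not code from the answer's author or from any real online service such as Xbox Live): the service issues a player id plus a signed session token at login, each registered dedicated server gets its own nonce that the service publishes and rotates, the client obtains a join ticket bound to one server instance and its current nonce, and the dedicated server hands the id and ticket back to the service for verification. Class names, the ticket format (HMAC-SHA256 over a base64 JSON body), the one-rotation grace period and the sample account are all assumptions; in a deployment the `OnlineService` methods would be REST calls made over TLS.

```python
"""Added example of the login -> id + token -> server-side verification flow.
Names, ticket format and rotation policy are assumed for illustration only."""
import base64
import hashlib
import hmac
import json
import secrets

TICKET_TTL = 60  # seconds a join ticket stays valid (assumed value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OnlineService:
    """Stands in for the online service's REST API (served over TLS in reality)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)       # HMAC key never leaves the service
        self._accounts = {"alice": "hunter2"}    # constructed sample account (store a hash in reality)
        self._player_ids = {"alice": "p-1001"}
        self._nonces = {}                         # server_id -> (current nonce, previous nonce)

    def _sign(self, payload: dict) -> str:
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

    def _open(self, token: str):
        """Return the payload if the HMAC checks out, else None."""
        try:
            body, sig = token.split(".", 1)
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            return json.loads(_unb64(body))
        except (ValueError, json.JSONDecodeError):
            return None

    # Step 1: player logs in and receives a unique id plus a session token
    def login(self, username: str, password: str, now: int):
        if not hmac.compare_digest(self._accounts.get(username, ""), password):
            return None
        pid = self._player_ids[username]
        return pid, self._sign({"typ": "session", "pid": pid, "exp": now + 3600})

    # Each dedicated server instance gets its own nonce; it is published and rotated often
    def register_server(self, server_id: str) -> str:
        self._nonces[server_id] = (secrets.token_hex(16), None)
        return self.published_nonce(server_id)

    def rotate_nonce(self, server_id: str) -> str:
        current, _ = self._nonces[server_id]
        self._nonces[server_id] = (secrets.token_hex(16), current)  # keep one old nonce as grace
        return self.published_nonce(server_id)

    def published_nonce(self, server_id: str) -> str:
        return self._nonces[server_id][0]

    # Step 2: client asks the service for a join ticket bound to one server instance
    def issue_join_ticket(self, session_token: str, server_id: str, now: int):
        sess = self._open(session_token)
        if sess is None or sess.get("typ") != "session" or sess["exp"] < now:
            return None
        if server_id not in self._nonces:
            return None
        return self._sign({"typ": "join", "pid": sess["pid"], "sid": server_id,
                           "nonce": self.published_nonce(server_id), "exp": now + TICKET_TTL})

    # Step 3: the dedicated server verifies the id + ticket with the service
    def verify_join(self, server_id: str, player_id: str, ticket: str, now: int) -> bool:
        t = self._open(ticket)
        if t is None or t.get("typ") != "join":
            return False
        if t["pid"] != player_id or t["sid"] != server_id or t["exp"] < now:
            return False
        current, previous = self._nonces.get(server_id, (None, None))
        # Only the current and the immediately previous nonce are accepted, so a captured
        # ticket goes stale as soon as the server has rotated twice.
        return t["nonce"] == current or (previous is not None and t["nonce"] == previous)


def demo() -> dict:
    """Run the flow once and return the outcome of each check."""
    svc, now, sid = OnlineService(), 1_700_000_000, "srv-eu-west-7"
    svc.register_server(sid)
    pid, session = svc.login("alice", "hunter2", now)
    ticket = svc.issue_join_ticket(session, sid, now)
    # Forgery attempt: keep the signature, rewrite the body to claim another player id
    body, sig = ticket.split(".", 1)
    claims = json.loads(_unb64(body))
    claims["pid"] = "p-9999"
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    results = {
        "valid": svc.verify_join(sid, pid, ticket, now),
        "wrong_player": svc.verify_join(sid, "p-9999", ticket, now),
        "other_server": svc.verify_join("srv-us-east-1", pid, ticket, now),
        "forged_body": svc.verify_join(sid, "p-9999", forged, now),
        "expired": svc.verify_join(sid, pid, ticket, now + TICKET_TTL + 1),
        "bad_login": svc.login("alice", "wrong", now),
    }
    svc.rotate_nonce(sid)
    results["after_one_rotation"] = svc.verify_join(sid, pid, ticket, now)
    svc.rotate_nonce(sid)
    results["after_two_rotations"] = svc.verify_join(sid, pid, ticket, now)
    return results
```

The point of binding the ticket to the server's published nonce is that a ticket copied from one lobby cannot be replayed against another instance, and a ticket captured from a stale listing stops working after the next couple of rotations; the dedicated server itself never needs the signing key, it just asks the service.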