Closed michabbb closed 5 years ago
Believe it or not, it's expected behaviour!
You can only do UToken / XToken authentication with that specific client id, aka. Client == XboxLiveService.
All custom clients just rely on access_token / refresh_token for a specific client_id - You would use them to authenticate to your client, which in return sets f.e. a cookie.
To sum it up code-wise:
```python
import sys

from xbox.webapi.authentication.manager import AuthenticationManager
# Exception import path assumed from the package layout of this library version
from xbox.webapi.common.exceptions import AuthenticationException

manager = AuthenticationManager()
manager.email = "no@example.org"
manager.password = "12345678"

try:
    manager.authenticate()
except AuthenticationException as e:
    print('Email/Password authentication failed! Err: %s' % e)
    sys.exit(-1)

print('We got your windows live account cookies stored now')
print('Lets auth with the custom client_id/service')
custom_app_auth_url = 'https://login.live.com/oauth20_authorize.srf?client_id=000000004C2353AB&response_type=token&scope=Xboxlive.signin+Xboxlive.offline_access&redirect_uri=https://azure.myClientApp.com/xbl_related_app'
# Pass the URL held in the variable, not the literal string 'custom_app_auth_url'
response = manager.authenticate_with_service(custom_app_auth_url)
print('Now check response.headers, response.cookies or response.body for the authorization data that the client app set')
```
If you like, join the discord chat server and provide a more real-world example - your redirect uri: https://github.com/michabbb did not make much sense.
@tuxuser thanks a lot for your feedback !!! how can i contact you via discord, what's your username ? mine is "michabbb" 😏
For this type of authentication, scope 'Xboxlive.signin Xboxlive.offline_access', a whitelisted client ID / webapp is required. You have to register for ID@Xbox program to make use of it.
i never had proof of that, but that's what i was thinking of. thank you so much for your efforts!
@tuxuser can you maybe help me how to register such an app in partner center for creator program? i turn around for long time now!
@Mastok1979 good luck with that. i tried this for years and never got feedback for my application. i really believe you need a personal connection to MS to get access that only real publishers get. mr "xboapi.com" recently created something new, maybe that helps: https://xboxauth.dev/
Hi @tuxuser, I'm facing the same issue as @michabbb, always got 400 when I tried to request to retrieve XSTS token at this API
https://user.auth.xboxlive.com/user/authenticate
So is it not possible to get XSTS token with client-ID from my own app? Is there any other way to get XSTS with my own app?
Thanks
I have the same problem (unfortunately I work with js and not with python, but I think in this case the language doesn't matter), did you solve it?
@Ladvace https://gist.github.com/tuxuser/8b7cc153cdecd0a9c3f2694850fa90bd
thanks, I'm going to try
for some reason I still get Error 400 bad request, I don't understand if I'm entering a wrong token or whatever.
Why in the access token you add `d=` as here: `"RpsTicket": "d=" + access_token,`
@Ladvace you probably want to check out this code (js) and compare it to your own: https://github.com/unknownskl/xbox-webapi-node/blob/master/src/authentication.js#L306
I really appreciate it, but the request is the same, same header and same body, so I still don't understand why. I'm using msal-node to take the token
@Ladvace one is a "compact token", other one isn't. ("d=" + token vs. token) Tbh, I dunno what the difference is - I just know the essence... One works, the other doesn't.
good to know, actually I just found the "normal token" version, btw it didn't fix my problem
> Tbh, I dunno what the difference is - I just know the essence...
Of the 3 tokens we have (`oauth2`, `user`, `xsts`), this is actually the one that Microsoft has provided some fragments of documentation on:
https://docs.microsoft.com/en-us/gaming/xbox-live/api-ref/xbox-live-rest/additional/edsauthorization
I think this `"Properties": { … "RpsTicket": f"d={self.oauth.access_token}" }` parameter signifies it's a so-called "device token", but I could be wrong; their documentation doesn't really explain with certainty. :/
Also, FWIW, some stripped-down PoC API-hitting code I've written does not require `0000000048093EE3` anywhere in it. So I'm wondering if it would be possible or desirable to factor it out of `xbox.webapi.authentication.manager` in the long run; given that users have got to roll our own Azure app anyway, this constant doesn't save us from having to bring our own `client_id` as well.
(Just some thoughts; I'm not necessarily lobbying for this to be re-opened with non-negligible priority, given that having `0000000048093EE3` hard-coded seems to work as-is)
hi there, i cannot remember how long i am trying to make oauth working with my own app/clientid. i always get to the point where i get the access and refresh token, but then.....
but instead of using the login url of this package:
https://login.live.com/oauth20_authorize.srf?display=touch&scope=service%3A%3Auser.auth.xboxlive.com%3A%3AMBI_SSL&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf&locale=en&response_type=token&client_id=0000000048093EE3
i always used this url:
https://login.live.com/oauth20_authorize.srf?client_id=000000004C2353AB&response_type=token&scope=Xboxlive.signin+Xboxlive.offline_access&redirect_uri=https://github.com/michabbb
with that `code` i do my `https://user.auth.xboxlive.com/user/authenticate` and there i always get a `400 Bad Request` error.
i don't understand the setup behind the working client-id `0000000048093EE3` and my own app.
if someone could help me here, that would be awesome, because this bothers me since years now and nobody was able or willing to help, as this seems to be the holy grail when it comes to working with the xbox live api.
🙏 🙏
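An added example, not part of the original post or the project's code: it decodes the two authorize URLs quoted above to show which parameters actually differ, then reads the token from an implicit-flow redirect and builds the two `RpsTicket` forms compared in the thread. The redirect URL and token value are constructed placeholders, and the helper names are hypothetical.

```python
from urllib.parse import parse_qs, urlsplit

# Authorize URLs exactly as quoted in the post above.
PACKAGE_URL = (
    "https://login.live.com/oauth20_authorize.srf?display=touch"
    "&scope=service%3A%3Auser.auth.xboxlive.com%3A%3AMBI_SSL"
    "&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf"
    "&locale=en&response_type=token&client_id=0000000048093EE3"
)
CUSTOM_URL = (
    "https://login.live.com/oauth20_authorize.srf?client_id=000000004C2353AB"
    "&response_type=token&scope=Xboxlive.signin+Xboxlive.offline_access"
    "&redirect_uri=https://github.com/michabbb"
)


def authorize_params(url):
    """Decode an authorize URL's query string into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def diff_params(a, b):
    """Return {name: (value_in_a, value_in_b)} for parameters that differ."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def token_from_redirect(redirect_url):
    """response_type=token delivers the token in the URL fragment, not the query."""
    fragment = parse_qs(urlsplit(redirect_url).fragment)
    if "error" in fragment:
        raise ValueError(f"authorize failed: {fragment['error'][0]}")
    return fragment["access_token"][0]


def rps_ticket_candidates(access_token):
    """The two RpsTicket forms compared in the thread: "d=" + token vs. bare token."""
    return {"prefixed": "d=" + access_token, "bare": access_token}


if __name__ == "__main__":
    changed = diff_params(authorize_params(PACKAGE_URL), authorize_params(CUSTOM_URL))
    for name, (pkg, own) in changed.items():
        print(f"{name:13} package={pkg!r} custom={own!r}")
    # Constructed redirect; EXAMPLE_TOKEN is a placeholder, not a real token.
    sample = "https://github.com/michabbb#access_token=EXAMPLE_TOKEN&token_type=bearer"
    print(rps_ticket_candidates(token_from_redirect(sample)))
```
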