why is this whole thing only working with client-id 0000000048093EE3 ??

michabbb commented 5 years ago

hi there, i cannot remember how long i am trying to make oauth working with my own app/clientid. i always get to the point where i get the access and refresh token, but then.....

but instead of using the login url of this package:

https://login.live.com/oauth20_authorize.srf?display=touch&scope=service%3A%3Auser.auth.xboxlive.com%3A%3AMBI_SSL&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf&locale=en&response_type=token&client_id=0000000048093EE3

i always used this url:

https://login.live.com/oauth20_authorize.srf?client_id=000000004C2353AB&response_type=token&scope=Xboxlive.signin+Xboxlive.offline_access&redirect_uri=https://github.com/michabbb

with that code i do my

https://user.auth.xboxlive.com/user/authenticate

{
  "RelyingParty": "http://auth.xboxlive.com",
  "TokenType": "JWT",
  "Properties": {
    "AuthMethod": "RPS",
    "SiteName": "user.auth.xboxlive.com",
    "RpsTicket": "<accesstoken>"
  }
}

and there i always get a 400 Bad Request error.

i don't understand the setup behind the working client-id 0000000048093EE3 and my own app.

if someone could help me here, that would be awesome, because this bothers me since years now and nobody was able or willing to help, as this seems to be the holy grail when it comes to working with the xbox live api.

🙏 🙏

tuxuser commented 5 years ago

Believe it or not, its expected behaviour!

You can only do UToken / XToken authentication with that specific client id, aka. Client == XboxLiveService.

All custom clients just rely on access_token / refresh_token for a specific client_id - You would use them to authenticate to your client, which in return sets f.e. a cookie.

To sum it up code-wise

manager = AuthenticationManager()
manager.email = "no@example.org"
manager.password = "12345678"

try:
    manager.authenticate()
except AuthenticationException as e:
    print('Email/Password authentication failed! Err: %s' % e)
    sys.exit(-1)

print('We got your windows live account cookies stored now')
print('Lets auth with the custom client_id/service')

custom_app_auth_url = 'https://login.live.com/oauth20_authorize.srf?client_id=000000004C2353AB&response_type=token&scope=Xboxlive.signin+Xboxlive.offline_access&redirect_uri=https://azure.myClientApp.com/xbl_related_app'

response = manager.authenticate_with_service('custom_app_auth_url')

print('Now check response.headers, response.cookies or response.body for the authorization data that the client app set')

If you like, join the discord chat server and provide a more real-world example - your redirect uri: https://github.com/michabbb did not make much sense.

michabbb commented 5 years ago

@tuxuser thanks a lot for you feedback !!! how can i contact you via discord, what´s your username ? mine is "michabbb" 😏

tuxuser commented 5 years ago

For this type of authentication, scope 'Xboxlive.signin Xboxlive.offline_access', a whitelisted client ID / webapp is required. You have to register for ID@Xbox program to make use of it.

michabbb commented 5 years ago

i never had proof of that, but that´s what i was thinking of. thank you so much for your efforts!

Mastok1979 commented 4 years ago

@tuxuser can you maybe help me how to register such an app in partner center for creator program? i turn around for long time now!

michabbb commented 4 years ago

@Mastok1979 good luck with tha. i tried this for years and never got feedback for my application. i really believe you need a personal connection to MS to get access that only real publishers get. mr "xboapi.com" recently created something new, maybe that helps: https://xboxauth.dev/

purbopanambang commented 4 years ago

Hi @tuxuser, I'm facing the same issue as @michabbb, always got 400 when I tried to request to retrieve XSTS token at this API https://user.auth.xboxlive.com/user/authenticate So is it not possible to get XSTS token with client-ID from my own app? Is there any other way to get XSTS with my own app? Thanks