Tustin / psn-php

A PHP wrapper for the PSN API
https://tustin.dev/psn-php/
MIT License

Invalid token #50

Closed Setzu closed 5 years ago

Setzu commented 7 years ago

Hello,

I cannot connect to the API with my email and password; I get the following error: {"error":"invalid_token","error_description":"Invalid token","error_code":4097,"docs":"https://auth.api.sonyentertainmentnetwork.com/docs/","parameters":["captchatokenmissing"]}

Some time ago, it worked

voidby commented 7 years ago

I have the same problem.

zexz commented 7 years ago

same here

Tustin commented 7 years ago

Captcha was added to their login form recently. Not sure if there's a good way for me to implement it into this library but if anyone has any ideas, feel free to let me know.

DJLunacy commented 7 years ago

The login form where it asks if you're a robot with a checkbox and the visual captcha?

If so that's been on the form for a couple of months at least on the website. Did they just start enforcing that through the API? I don't remember if that's been on the iOS app for the same amount of time.

Tustin commented 7 years ago

It's existed for a while but I think it was only enforced if you had some failed login attempts. Now it seems to be enforced each time you log in, regardless of whether it's your first attempt or not. That change was also implemented in the API because I remember some people occasionally got it when they were using this with multiple accounts.

DJLunacy commented 7 years ago

Do you think there would be a way that, once the account is logged in via desktop, we could pass the authentication (e.g. via a cookie) somehow, possibly through a curl request, that would let those commands process again?

Tustin commented 7 years ago

Yeah, I made a program a while back that's basically the PSN app for Windows and I store the auth and refresh tokens. It uses the refresh token each launch to authenticate and it still works fine. So as long as you can save the refresh token, you can use that to authenticate each time without the captcha (hopefully).
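
As an added example (not code from psn-php or from Tustin's Windows program), this is the shape of the "save the refresh token, reuse it on each launch" logic in PHP 8. The token file location, the 60-second expiry margin and the two callables that perform the actual refresh grant and the interactive login are assumptions; the real request to Sony's token endpoint needs the client credentials your client uses, which this thread does not include, so the demo wires in a constructed stand-in instead of a network call.

```php
<?php
// Added example, not psn-php code: keep the refresh token on disk so later runs reuse it
// instead of going through the captcha-protected e-mail/password login.
// File path, expiry margin and the two callables are assumptions for illustration.

final class TokenStore
{
    public function __construct(private string $path) {}

    /** Saved tokens, or null if nothing usable is stored. */
    public function load(): ?array
    {
        if (!is_file($this->path)) {
            return null;
        }
        $data = json_decode((string) file_get_contents($this->path), true);
        return is_array($data) && !empty($data['refresh_token']) ? $data : null;
    }

    /** A refresh token is a long-lived credential: write it owner-only and atomically. */
    public function save(array $tokens): void
    {
        $tmp = $this->path . '.tmp';
        file_put_contents($tmp, json_encode($tokens), LOCK_EX);
        chmod($tmp, 0600);
        rename($tmp, $this->path);
    }

    public function clear(): void
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

/**
 * Return a usable access token.
 *   $refresh(string $refreshToken): array  performs the refresh grant, returns the decoded response
 *   $interactiveLogin(): array             runs the e-mail/password (+2FA) flow; only used when
 *                                          no refresh token is stored, i.e. the path that hits the captcha
 */
function obtainAccessToken(TokenStore $store, callable $refresh, callable $interactiveLogin, int $now): string
{
    $saved = $store->load();

    // Reuse the cached access token while it is still valid (60 s margin): no request at all.
    if ($saved !== null && ($saved['expires_at'] ?? 0) - 60 > $now) {
        return $saved['access_token'];
    }

    try {
        $resp = $saved !== null ? $refresh($saved['refresh_token']) : $interactiveLogin();
    } catch (RuntimeException $e) {
        // e.g. invalid_grant "ToSUA must be re-accepted": the stored refresh token will not work
        // until the user signs in and accepts the terms, so forget it and surface the error.
        $store->clear();
        throw $e;
    }

    if (empty($resp['access_token']) || empty($resp['expires_in'])) {
        throw new RuntimeException('token response missing access_token/expires_in');
    }
    // Some responses carry only a new access token; keep the previous refresh token then.
    $refreshToken = $resp['refresh_token'] ?? $saved['refresh_token'] ?? null;
    if ($refreshToken === null) {
        throw new RuntimeException('no refresh token to persist');
    }

    $store->save([
        'access_token'  => $resp['access_token'],
        'expires_at'    => $now + (int) $resp['expires_in'],
        'refresh_token' => $refreshToken,
    ]);
    return $resp['access_token'];
}

// Demo with a constructed stand-in for the token endpoint (no network): the first call needs the
// interactive login, the second refreshes because the token expired, the third hits the cache.
$store = new TokenStore(sys_get_temp_dir() . '/psn_tokens.json');
$store->clear();
$calls = [];
$fakeRefresh = function (string $rt) use (&$calls): array {
    $calls[] = 'refresh';
    return ['access_token' => 'at-' . count($calls), 'expires_in' => 3600]; // no refresh_token in reply
};
$fakeLogin = function () use (&$calls): array {
    $calls[] = 'login';
    return ['access_token' => 'at-first', 'expires_in' => 3600, 'refresh_token' => 'rt-1'];
};
$t0 = time();
$a = obtainAccessToken($store, $fakeRefresh, $fakeLogin, $t0);
$b = obtainAccessToken($store, $fakeRefresh, $fakeLogin, $t0 + 3601);
$c = obtainAccessToken($store, $fakeRefresh, $fakeLogin, $t0 + 3602);
printf("%s %s %s calls=%s refresh_token=%s\n", $a, $b, $c, implode(',', $calls), $store->load()['refresh_token']);
```

The point of the `clear()` on `invalid_grant` is the "ToSUA must be re-accepted" case reported further down: once Sony rejects the refresh token, retrying it on every launch only produces more failed authentications against their endpoints, which is the kind of pattern that gets an IP blacklisted.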

DJLunacy commented 7 years ago

That's what I was thinking. If you would like some help testing that let me know. I also have a MacBook for testing as well.

bozzit commented 7 years ago

Hey,

Ya, my stuff is also broken and I can't use the API anymore; it fails with the invalid captcha token error, and even from desktop (Firefox) on that account I have to solve the captcha every time I log in.

A workaround would be great.

If that helps any I can test things via API and various browsers Windows, Mac, just let me know what you need.

bozzit commented 7 years ago

So does this mean I can use a standard browser login using my credentials, solve the reCaptcha and take the refresh token from the st_session cookie, then use the refresh token with GrabNewTokens() to get new tokens and use these tokens to do API calls?

or am i way off here?

Thanks

voidby commented 7 years ago

So there is no working way to log in? I would be grateful for a working method.

Yoymoyroy commented 7 years ago

"Yeah, I made a program a while back that's basically the PSN app for Windows and I store the auth and refresh tokens. It uses the refresh token each launch to authenticate and it still works fine. So as long as you can save the refresh token, you can use that to authenticate each time without the captcha (hopefully)." @Tustin, if it works, can you upload it? Greetings from Germany

dCypherNx commented 7 years ago

How can I get these codes? I'm using Fiddler, but I don't know where to look.

dCypherNx commented 7 years ago

I got a refresh token by using the two-step authentication method, and then I was able to log in using this refresh token. But now, when I try to log in with the refresh token again, I receive this message: { "error":"invalid_grant", "error_description":"ToSUA must be re-accepted", "docs":"https://auth.api.sonyentertainmentnetwork.com/docs/", "error_code":103 }

DJLunacy commented 7 years ago

@cipherNexus How are you using the 2FA?

It sounds like all you would need to do is log in to the account, or better yet the PS4 after a firmware update. They just refreshed the TOC so you'll need to do them.

markl181 commented 7 years ago

@cipherNexus can you provide some details or a link on how the 2 step authentication works please? I logged into my PS4 and accepted the new terms and my API connection still won't work, so I think this is the fix.

bozzit commented 7 years ago

The following link shows how to set up 2-Step Verification on your PlayStation account.

https://www.youtube.com/watch?v=38ZapwnHwgY

I guess this removes the reCaptcha since there is no need to check if you are a human since a code has to be retrieved from your mobile and entered to sign on. The part I'm unclear about is once this is turned on how does this make Authentication work via the API to get new refresh tokens. Or was @cipherNexus able to get refresh tokens by some other means or had them saved from before this all stopped working.

Any clarifications / details would be helpful, so I can get my web App Working again.

Thanks in advance

dCypherNx commented 7 years ago

After setting up 2-step verification on the PlayStation account, navigate to the PSN login URL, enter the user and password and go ahead. When the two-step page renders, grab the ticket_uuid from the new URL; this is the last step in the browser. Now, in your project, pass this ticket_uuid and the code you received on your phone as parameters to the two_factor_auth_request method, then store the refresh token returned.

After these steps, and after accepting the new TOC as @DJLunacy said, it worked!

bozzit commented 7 years ago

I just tried this and there is no ticket_uuid in the URL in my browser (Firefox).

So: username/password (solve the "I'm not a robot"), get prompted for 2-step verification, get the code on my phone. The URL at that point doesn't have a ticket_uuid; I have a client_id in there.

What am I missing? Need to Fiddler the requests? Don't have fiddler installed / configured :(

Here is the URL when I'm sitting on the Code Verification screen

https://id.sonyentertainmentnetwork.com/signin/?ui=pr&response_type=token&scope=user%3Aaccount.phone.masked.get%20kamaji%3Aget_account_hash%20user%3Aaccount.notification.create%20user%3Aaccount.authentication.mode.get%20openid%3Acontent_ctrl%20user%3Aaccount.subaccounts.get%20openid%3Auser_id%20openid%3Aonline_id%20openid%3Actry_code%20openid%3Alang%20kamaji%3Aget_internal_entitlements%20kamaji%3Aactivity_feed_set_feed_privacy%20user%3Aaccount.communication.get%20user%3AverifiedAccount.get%20kamaji%3Aaccount_link_user_link_account&redirect_uri=https%3A%2F%2Fid.sonyentertainmentnetwork.com%2Fid%2Fmanagement%2F%23%2Fp%2Fsecurity%2Flist%3Ftoken_type%3Dbearer%26expires_in%3D1199%26entry%3Dsecurity&client_id=ce381e15-xxxx-xxxx-8384-0cf63db17f6a&state=52d287022c2e4ad3fb888afe980828b&token_type=bearer&expires_in=1199&entry=security&error=login_required&error_code=4165&error_description=User+is+not+authenticated#/signin2sv/code?entry=%2Fsignin

Tustin commented 7 years ago

@bozzit 2FA is a pain in the ass to deal with but this is the route I went with when I was working on a little project using this. You can probably make it better but IIRC this worked fine. The code probably needs to be cleaned up because of debugging stuff.

<?php
// Posted snippet, tidied: the debugging var_dump() calls were removed so the raw exception
// (which can include the submitted credentials) is never echoed back to the client.
// $blade is assumed to be a Blade view renderer set up elsewhere in the application.

// Step 1: e-mail + password. If the account has 2FA enabled, the library throws an
// AuthException with error "2fa_code_required" and a ticket to use in step 2.
if (!empty($_POST['email']) && !empty($_POST['password'])) {
    try {
        $account = new \PSN\Auth($_POST['email'], $_POST['password']);
    } catch (\PSN\AuthException $e) {
        $error = $e->GetError();

        // Any error other than the 2FA prompt goes back to the caller as JSON.
        if ($e->error != "2fa_code_required") {
            header("Content-Type: application/json");
            die($error);
        }

        // Hand the ticket to the 2FA form so the user can submit the code from their phone.
        $ticket = $e->ticket;

        echo $blade->make('2fa', ['ticket' => $ticket]);
        die();
    }
}

// Step 2: ticket from step 1 + code from the phone. A successful exchange yields the tokens;
// the refresh token is the one to persist so later logins can skip the captcha.
if (!empty($_POST['code']) && !empty($_POST['ticket'])) {
    try {
        $account = new \PSN\Auth("", "", $_POST['ticket'], $_POST['code']);
        $user = new \PSN\User($account->GetTokens());
        echo $blade->make('dob', ['name' => $user->Me()->profile->onlineId]);
        die();
    } catch (\PSN\AuthException $e) {
        header("Content-Type: application/json");
        die($e->GetError());
    }
}

bozzit commented 7 years ago

Thanks @Tustin for your post. The only reason I'm trying 2FA is to get a new set of tokens and refresh tokens I can save and re-use.

in your code above

 $account = new \PSN\Auth($_POST['email'], $_POST['password']);

the API returns right away

{"error":"invalid_token","error_description":"Invalid token","error_code":4097,"docs":"https://auth.api.sonyentertainmentnetwork.com/docs/","parameters":["captchatokenmissing"]}

I don't even get to the 2fa part so I won't be able to get the ticket id this way.

So it was suggested above that from the PSN website interface I could enter my username/password solve the reCaptcha and get to the page that requests the 2fa code and get the ticket ID from the URL.

But I couldn't see the ticket_uuid in the URLs unless it was in the encrypted payload.

Then from the API use the ticket number and the code from my phone to finally authenticate and get a set of tokens.

Thoughts?

dCypherNx commented 7 years ago

@bozzit, try this link: https://auth.api.sonyentertainmentnetwork.com/login.jsp As soon as you check that you're not a bot, you will be redirected to a page whose URL shows you the ticket ID, as below:

https://auth.api.sonyentertainmentnetwork.com/signin/#/signin2sv/code?response_type=token&scope=kamaji%3Asocial_get_graph%2Ckamaji%3Augc%3Adistributor%2Ckamaji%3Aget_account_hash%2Ccapone%3Areport_submission%2Cuser%3Aaccount.get&client_id=cf1024e2-80a2-41b6-bceb-f0f089ba7e83&redirect_uri=https%3A%2F%2Fsocial.playstation.com%2Fstarblaster%2Fpdc%2Fmaster%2Fauth%2Fresponse-de5d536903798614ed1ba66d24e7c8de.html%3FrequestID%3Diframe_request_d3d4b6fc-5795-42cd-b54a-54081ccf24c4%26baseUrl%3D%2Fstarblaster%2Fpdc%2Fmaster%2F%26targetOrigin%3Dhttps%3A%2F%2Fwww.playstation.com&prompt=none&ticket_uuid=b7aeb485-cfaa-4ec2-a6c7-0f23bcee5bc5&layout_type=popup&entry=%2Fsignin2sv%2Fcode
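
An added example, not part of psn-php, that makes the difference between the two URLs in this thread explicit. In the URL just above, `ticket_uuid` sits in the URL fragment (everything after `#/signin2sv/code?`), not in the query string, so `parse_url()` will not surface it as a query parameter and a browser never sends it to the server; in the earlier `id.sonyentertainmentnetwork.com` URL there is no `ticket_uuid` at all. The two test URLs below are constructed copies of those with the scope lists shortened.

```php
<?php
// Added example, not psn-php code: extract ticket_uuid from the 2SV page URL.
// The ticket lives in the URL *fragment* ("#/signin2sv/code?...&ticket_uuid=..."), which
// parse_url() does not treat as a query and which the browser never sends to the server,
// so in a web app it has to be read client-side (location.hash) and POSTed to PHP.

function extractTicketUuid(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }

    $queryStrings = [];
    if (isset($parts['query'])) {
        $queryStrings[] = $parts['query'];
    }
    if (isset($parts['fragment'])) {
        // The fragment is a client-side route with its own query: "/signin2sv/code?k=v&ticket_uuid=..."
        $q = strpos($parts['fragment'], '?');
        $queryStrings[] = $q === false ? $parts['fragment'] : substr($parts['fragment'], $q + 1);
    }

    foreach ($queryStrings as $qs) {
        parse_str($qs, $params);
        $ticket = $params['ticket_uuid'] ?? null;
        // Accept only a well-formed UUID: this value is fed straight into the token exchange.
        if (is_string($ticket) && preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $ticket)) {
            return strtolower($ticket);
        }
    }
    return null;
}

// Constructed URLs modelled on the two posted in this thread (scope lists shortened).
$withTicket = 'https://auth.api.sonyentertainmentnetwork.com/signin/#/signin2sv/code'
    . '?response_type=token&scope=user%3Aaccount.get&client_id=cf1024e2-80a2-41b6-bceb-f0f089ba7e83'
    . '&redirect_uri=https%3A%2F%2Fsocial.playstation.com%2Fstarblaster%2Fauth%2Fresponse.html%3FrequestID%3Dx'
    . '&prompt=none&ticket_uuid=b7aeb485-cfaa-4ec2-a6c7-0f23bcee5bc5&layout_type=popup&entry=%2Fsignin2sv%2Fcode';

$withoutTicket = 'https://id.sonyentertainmentnetwork.com/signin/?ui=pr&response_type=token'
    . '&client_id=ce381e15-xxxx-xxxx-8384-0cf63db17f6a&error=login_required&error_code=4165'
    . '#/signin2sv/code?entry=%2Fsignin';

var_dump(extractTicketUuid($withTicket));    // UUID parsed out of the fragment
var_dump(extractTicketUuid($withoutTicket)); // null: that page carried no ticket_uuid
```

Because the fragment never reaches the server, a PHP back end cannot pick the ticket up from the redirect by itself; the form-based flow posted earlier (a `ticket` and a `code` field submitted together) is the right shape, with the ticket copied from the browser's address bar or read via `location.hash` in page script.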

bozzit commented 7 years ago

@cipherNexus OMG Thank you SOOOO much. I think this worked. I'll do more testing and change my app to save the refresh token to db and use Refresh instead of Re-Auth every time.

I'll let you know if I run into any other issues with this. Appreciate the help

bozzit commented 7 years ago

Back in business. Thank you to all that provided help and feedback.

Much Appreciated

Tustin commented 7 years ago

Glad to hear you got it working. I'll try to come up with a way of maybe doing what other services do when you want to connect with your PSN account; redirect to the actual login page and have it redirect back. Don't know if it'll be possible but I think it's the only option at this point.

Tustin commented 7 years ago

Ok, so I have some bad news about this. My plan was to make some static function in Auth.php that would just redirect to the login form that Sony uses for other applications. You would be able to pass your own callback URL that would parse the response but it seems like they have checks for that: {"error":"redirect_uri_mismatch","error_description":"Invalid redirect: http://localhost/psn-php/callback.php does not match one of the registered values.","error_code":4174,"docs":"https://auth.api.sonyentertainmentnetwork.com/docs/","parameters":["Invalidredirect:http://localhost/psn-php/callback.phpdoesnotmatchoneoftheregisteredvalues."]} So I'm not totally sure if it's possible this way. Unless I find some bugged service that allows any custom redirects, this might not be an option.
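
To show why that callback is rejected, here is an added example (not Sony's code, not psn-php's) of the exact-match `redirect_uri` check an OAuth 2.0 authorization server applies before issuing a token. The registered URI list is constructed for illustration; the cases show which look-alike URIs a looser prefix or host-contains comparison would wrongly accept.

```php
<?php
// Added example, not Sony's or psn-php's code: the registered redirect_uri check on the
// authorization server, reconstructed to show why a custom localhost callback fails.
// The registered list below is constructed for illustration.

function redirectUriAllowed(string $requested, array $registered): bool
{
    $p = parse_url($requested);
    // Must be an absolute URI without a fragment (RFC 6749 section 3.1.2); otherwise reject outright.
    if ($p === false || empty($p['scheme']) || empty($p['host']) || isset($p['fragment'])) {
        return false;
    }
    // Full-string equality only. Prefix, wildcard or host-contains matching is what turns this
    // check into an open redirect that hands the token in the fragment to an attacker's page.
    return in_array($requested, $registered, true);
}

$registered = [
    'https://social.playstation.com/starblaster/pdc/master/auth/response.html', // constructed
];

$cases = [
    'https://social.playstation.com/starblaster/pdc/master/auth/response.html'                   => true,
    'http://localhost/psn-php/callback.php'                                                       => false, // the redirect_uri_mismatch above
    'https://social.playstation.com/starblaster/pdc/master/auth/response.html/../../attacker'     => false, // a prefix match would accept this
    'https://social.playstation.com.attacker.example/starblaster/pdc/master/auth/response.html'   => false, // a host-contains match would accept this
    'https://social.playstation.com/starblaster/pdc/master/auth/response.html?x=1'               => false, // query differs
    'https://social.playstation.com/starblaster/pdc/master/auth/response.html#frag'              => false, // fragments are never allowed
];

foreach ($cases as $uri => $expected) {
    $verdict = redirectUriAllowed($uri, $registered) === $expected ? 'ok  ' : 'FAIL';
    echo $verdict, ' ', $uri, PHP_EOL;
}
```

The practical consequence for a third-party library is the one Tustin draws: without a registered callback of your own, the token can only come back to a redirect target Sony already trusts, which is why the workarounds in this thread all end up scraping a `ticket_uuid` or token out of one of Sony's (or a partner's) own pages.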

chardido commented 7 years ago

@Tustin, is there something we can do in order to get the online friends list?

bozzit commented 7 years ago

@chardido http://tusticles.com/psn-php/friends.html should be a good start for what you are asking. You should have started another issue; your question doesn't really belong in this thread.

bozzit commented 7 years ago

@Tustin, maybe a clue for you. I noticed that when you enable 2FV (2FA), Sony has a way to specify a verification code for older devices such as the PS3; this could maybe be used by your class to bypass the reCaptcha.

Just a thought.

jhewt commented 7 years ago

Hello there, I'm a maintainer of another PSN library made in Node.js (gumer-psn).

I've recently been trying to look for another way to auth to their server, hopefully to bypass their newly enforced reCaptchas.

While trying different methods to auth, Sony made it very clear that they really don't want us sniffing around, as they recently sent an abuse report to our office ISP and VPN provider.

So, while researching, try to be careful. Here's what they sent to our VPN provider (it's actually a server):

IP address(es) were blacklisted from the PlayStation Network [201710084551]
Date: Oct 9, 2017 4:19am UTC
From: no-reply@snei.sony.com
To: abuse@digitalocean.com

To whom it may concern,

Pursuant to Sony Interactive Entertainment LLC ("SIE") corporate policy, the below IP addresses were blacklisted from using our services because SIE detected activity that is abusive to our network services. In our determination, the abusive activity was not related to velocity or volume (many users behind the same IP address, i.e. NAT), but matched the specific patterns of known abuse of our publicly available services. This abuse may be the result of a computer on your network that has been compromised and is participating in a botnet abuse of our services.

The following table of IP addresses, dates and times should help you correlate the origin of the abusive activity. The time stamps are approximate from our logs. The actual timing of the events depend on the signature matched. It is very likely to have occurred both before, during and following the times listed.

Approximate Time Range (UTC), IP Address, Reason
2017-10-08 11:18 ~ 2017-10-08 11:48 (UTC), 192.34.59.103, Account Takeover Attempts

It is most likely the attack traffic is directed at one of the following endpoints:

account.sonyentertainmentnetwork.com
auth.np.ac.playstation.net
auth.api.sonyentertainmentnetwork.com
auth.api.np.ac.playstation.net

These endpoints on our network are resolved by Geo DNS, so the IP addresses they resolve to will depend on the originating IP address.

The destination port will be TCP 443.

Please take the necessary measures to correct the malicious activity from the above-listed IP addresses as soon as possible to avoid any further disruptions. If we were to remove any of these IP addresses from the blacklist and subsequent abusive activity is detected, the IP address will be promptly blacklisted again.

We thank you for your prompt attention to this matter. If you require assistance or additional information please contact snei-noc-abuse@am.sony.com and include the IP address in question.

Thank you

ErneX commented 7 years ago

@cipherNexus the "ToSUA must be re-accepted" message I think it's just that you need to accept the new terms and conditions, have you tried signing in on a browser with that account?

edit: nevermind, it's a 2FA message indeed

Octolus commented 7 years ago

@jhewt I understand that, but that's a false abuse report from them. I can't imagine you were trying to take over any accounts; they are false-detecting brute force.

mgp25 commented 7 years ago

@Tustin @bozzit can you point me to where the refresh token is, or where I can find it? Because https://auth.api.sonyentertainmentnetwork.com/2.0/oauth/token answers with an access_token but no refresh_token is found.

Regards

bozzit commented 7 years ago

@mgp25 check out my step by step in #53

mgp25 commented 7 years ago

@bozzit thanks, that definitely worked! 👍

mgp25 commented 7 years ago

Hello people, today I was reading some stuff when I noticed this information; we can bypass reCaptcha using the following methods:

Regards

dandelaney8 commented 7 years ago

I tried the method above, and after logging in on https://auth.api.sonyentertainmentnetwork.com/login.jsp with my account that has 2FA enabled, I'm not getting redirected anywhere. All I get is an error saying "Incorrect e-mail address or password. Please try again."

I tried this earlier with the account before I enabled 2FA, and it logged me in and brought me to the API page with a title, an option to log out, and not much else. Did they change something since you tried this? If I can't get that ticket_uuid I assume this won't work for me.

Thanks! Dan

dCypherNx commented 7 years ago

After some time using 2FA, I'm now facing the same problem as @dandelaney8. Any suggestions for a fix now?

BonkAssetReader commented 7 years ago

Hello, use this to get ticket_uuid. https://www.bungie.net/en/User/SignIn/Psnid?code=000000