floxay / python-riot-auth

A Python 3 library to get various Riot tokens and get around Cloudflare's filter during auth.
MIT License

403 error #18

Open ariabox opened 1 year ago

ariabox commented 1 year ago

Hi, it gives a 403 Forbidden error. I'm using the latest Riot Client user agent and also tried with different IPs; still the same error.

floxay commented 1 year ago

Riot is changing the auth flow, and now also utilizes hCaptcha.

By the looks of it, there is now an rso-authenticator endpoint/service (https://authenticate.riotgames.com/api/v1/login) which replies with a login token. This token is then sent to https://auth.riotgames.com/api/v1/login-token, where you get the cookies and will be able to log in via a POST request to the good old https://auth.riotgames.com/api/v1/authorization

This means that the code in this repo will need significant changes; reverse/research how this "new" auth flow with rso-authenticator is working, how the temporal hCaptcha token is generated/retrieved for the /login authenticator endpoint, and more.

For a quick and temporary fix you can change the user-agent header value to something else, they seem to have blocked ones starting with RiotClient. This should work until they decide to reject/kill the PUT method, I guess.

Ultronxr commented 1 year ago

I encountered this problem last week in my project. Changing the UA to a browser like Chrome may still result in 403 Forbidden. My fix is to change the UA to PostmanRuntime/{your_postman_version}. And thanks to @floxay's reply, I now know the real reason for this problem.

floxay commented 1 year ago

> I encountered this problem last week in my project. Changing the UA to a browser like Chrome may still result in 403 Forbidden. My fix is to change the UA to PostmanRuntime/{your_postman_version}. And thanks to @floxay's reply, I now know the real reason for this problem.

I would advise against using PostmanRuntime because they seem to blacklist user agent values rather than whitelisting them. A randomly generated string might even be more appropriate at this point as that would be effectively impossible to blacklist.

Ultronxr commented 1 year ago

> > I encountered this problem last week in my project. Changing the UA to a browser like Chrome may still result in 403 Forbidden. My fix is to change the UA to PostmanRuntime/{your_postman_version}. And thanks to @floxay's reply, I now know the real reason for this problem.
>
> I would advise against using PostmanRuntime because they seem to blacklist user agent values rather than whitelisting them. A randomly generated string might even be more appropriate at this point as that would be effectively impossible to blacklist.

Oh you are thoughtful, I agree with your advice. I will change my code immediately.

floxay commented 1 year ago

This is temporarily fixed with v1.0.5. As it is not a proper fix, I'm not going to close this issue. I also ask @ariabox to keep it open.

bilbil5 commented 1 year ago

Yesterday everything was working but today I got error 403. Why? @floxay

floxay commented 1 year ago

I cannot reproduce that so my guess is that your IP (range?) or ASN is blocked.

bilbil5 commented 1 year ago

Is there any way out of this? I reset my router but it is still the same.

floxay commented 1 year ago

Try with a proxy.

zimmermannmo commented 1 year ago


Proxies do not help; authorization through the client works.

floxay commented 1 year ago

As mentioned in https://github.com/floxay/python-riot-auth/issues/18#issuecomment-1689402324, Riot has changed the auth flow and will most likely shut down the endpoints for the old one.

The Riot Client --and I think everything else-- is already using the new, extended auth flow with hCaptcha.

At the time of writing this reply this https://github.com/floxay/python-riot-auth v1.0.5 still works for me; if you get 403s, then see https://github.com/floxay/python-riot-auth/issues/18#issuecomment-1696033581. If not even Tier/Level 1 (Elite) proxies help, I can't help you either.

I am going to lock and pin this issue as there is really nothing more to say about this and it is just a source of spam.

I'm unsure if an auto hCaptcha solver is something that can be done considering it is a service entirely dedicated to blocking bots, so even if someone manages to create one it would require constant updates, especially if it's open source.

Realistically, the only solution I see is to add support for a captcha solver service, which I will likely not do, as in my opinion the only people who would pay for such a service are people who make money off of doing something with these accounts (sell, hack, etc.), things I do not support and do not want anything to do with.

This situation sucks for those who are like me and want to use auth for something essentially harmless, in my case it is to automatically check for new VALORANT updates.