Reverse engineering the Xbox One Smartglass app's API authorization header
Since Microsoft decided to put the profile pages for Xbox Live users behind a login wall for some stupid reason, I have been forced to find other means to determine whether an Xbox Live user is online or not.

To do this I have used mitmproxy to figure out the requests being made by the Xbox One Smartglass app for iOS. It appears that for any request that requires authentication the app populates the "Authentication" header field with "XBL3.0 x={computed auth token}".

I have figured out that the app gets an access token by doing a POST request to https://login.live.com/oauth20_token.srf and passes in form encoded data of which one of the properties is the user's "refresh_token". You can get this refresh token by simply looking at any of these requests with mitmproxy.

The app then proceeds to do a POST request to https://user.auth.xboxlive.com/user/authenticate passing in a variety of information whose origin I cannot determine. Below is an example JSON payload of this request:

{
    "Properties": {
        "AuthMethod": "RPS", 
        "RpsHeader": "<data removed for safety>", 
        "RpsTicket": "<data removed for safety>", 
        "SiteName": "user.auth.xboxlive.com"
    }, 
    "RelyingParty": "http://auth.xboxlive.com", 
    "TokenType": "JWT"
}

The response of this request contains the following JSON:

{
    "DisplayClaims": {
        "xui": [
            {
                "uhs": "<data removed for safety>"
            }
        ]
    }, 
    "IssueInstant": "2014-08-02T23:44:56.5868148Z", 
    "NotAfter": "2014-08-16T23:44:56.5868148Z", 
    "Token": "<data removed for safety>"
}

The contents of "uhs" and "token" concatenated together appear to be the missing auth token from the "XBL3.0 x=" authorization header.

The problem is I have absolutely no familiarity with Microsoft's web stack and after hours of searching I cannot figure out where the values for "RpsHeader" and "RpsTicket" come from.

Meadows answered 2/8, 2014 at 23:57 Comment(1)
Since you can hide your presence and information from random users but still show it to friends, it makes a lot of sense that the profile information is "hidden" behind a "login wall". Rumney

I believe RPS refers to federated logins with Live/Microsoft accounts. So RpsHeader and RpsTicket are information received from the POST to login.live.com. How that data is created from the data received from live.com might, however, be harder to figure out, but I would guess it is taking some data from the live.com response and base64-encoding it or something.

Rumney answered 27/8, 2014 at 17:56 Comment(0)

You're actually sending a GET request to https://login.live.com/oauth20_authorize.srf, which is immediately followed by a POST request to https://login.live.com/ppsecure/post.srf. If you look at the response to that POST request, you'll see a substring called access_token in the Location field, and that is your RpsTicket.

I'm not seeing RpsHeader in any of my requests, so I don't know about that.

Butane answered 31/10, 2014 at 4:48 Comment(0)
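Putting the question's captured exchange and Butane's observation about RpsTicket together as an added, runnable example (not code from the SmartGlass app or from any poster): it builds the user/authenticate request body, parses the response into uhs, Token and the IssueInstant/NotAfter validity window, refuses the token shortly before NotAfter, and assembles the XBL3.0 header. The ';' between uhs and token, the placeholder ticket and token strings, and the five-minute skew are this example's assumptions; the question only says the two values are concatenated.

```python
"""Xbox Live user-token step as captured above, reconstructed as a
self-contained example with constructed sample data (no network calls)."""
import json
from datetime import datetime, timedelta, timezone

USER_AUTH_URL = "https://user.auth.xboxlive.com/user/authenticate"  # from the capture

# Constructed sample response in the shape shown in the question; the real
# uhs and Token values were redacted there, so these are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "DisplayClaims": {"xui": [{"uhs": "0000000000000000"}]},
    "IssueInstant": "2014-08-02T23:44:56.5868148Z",
    "NotAfter": "2014-08-16T23:44:56.5868148Z",
    "Token": "eyJ.placeholder.token",
})


def build_user_authenticate_body(rps_ticket, rps_header):
    """Body of the POST to user.auth.xboxlive.com exactly as captured.
    rps_ticket is the access_token from login.live.com (per Butane's answer);
    RpsHeader's origin is unknown in the thread, so it is passed through."""
    return {
        "Properties": {
            "AuthMethod": "RPS",
            "RpsHeader": rps_header,
            "RpsTicket": rps_ticket,
            "SiteName": "user.auth.xboxlive.com",
        },
        "RelyingParty": "http://auth.xboxlive.com",
        "TokenType": "JWT",
    }


def parse_xbl_timestamp(value):
    """Parse '2014-08-02T23:44:56.5868148Z'. The service emits seven
    fractional digits but strptime's %f accepts at most six, so truncate."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z")
    main, _, frac = value[:-1].partition(".")
    frac = (frac + "000000")[:6]
    naive = datetime.strptime(f"{main}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc)


def parse_user_token(response_text):
    """Extract uhs, Token and the validity window; fail loudly if the
    response is not shaped like the capture instead of sending a bad header."""
    body = json.loads(response_text)
    try:
        uhs = body["DisplayClaims"]["xui"][0]["uhs"]
        token = body["Token"]
    except (KeyError, IndexError, TypeError) as exc:
        raise ValueError("user-token response missing uhs or Token") from exc
    return {
        "uhs": uhs,
        "token": token,
        "issued": parse_xbl_timestamp(body["IssueInstant"]),
        "expires": parse_xbl_timestamp(body["NotAfter"]),
    }


def is_usable(token_info, now, skew=timedelta(minutes=5)):
    """True only inside [IssueInstant, NotAfter - skew): refresh the token
    before it lapses rather than discovering expiry through a 401."""
    return token_info["issued"] <= now < token_info["expires"] - skew


def authorization_header(uhs, token):
    """'XBL3.0 x=' followed by uhs and token. The question only says they are
    concatenated; the ';' separator is this example's assumption."""
    return f"XBL3.0 x={uhs};{token}"


if __name__ == "__main__":
    info = parse_user_token(SAMPLE_RESPONSE)
    body = build_user_authenticate_body("<access_token from login.live.com>", "<RpsHeader>")
    print(json.dumps(body, indent=2))
    print(authorization_header(info["uhs"], info["token"]))
    print("usable now:", is_usable(info, datetime.now(timezone.utc)))
```

The timestamp parser is the part worth keeping even if the rest is replaced: the seven-digit fractional seconds in IssueInstant and NotAfter trip up naive `%f` parsing, and a client that cannot read NotAfter ends up reusing a two-week token past its expiry.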
