why is this whole thing only working with client-id 0000000048093EE3 ??

[michabbb]

hi there, i cannot remember how long i am trying to make oauth working with my own app/clientid.
i always get to the point where i get the access and refresh token, but then.....

but instead of using the login url of this package:

https://login.live.com/oauth20_authorize.srf?display=touch&scope=service%3A%3Auser.auth.xboxlive.com%3A%3AMBI_SSL&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf&locale=en&response_type=token&client_id=0000000048093EE3

i always used this url:

https://login.live.com/oauth20_authorize.srf?client_id=000000004C2353AB&response_type=token&scope=Xboxlive.signin+Xboxlive.offline_access&redirect_uri=https://github.com/michabbb

with that code i do my

https://user.auth.xboxlive.com/user/authenticate

{
  "RelyingParty": "http://auth.xboxlive.com",
  "TokenType": "JWT",
  "Properties": {
    "AuthMethod": "RPS",
    "SiteName": "user.auth.xboxlive.com",
    "RpsTicket": "<accesstoken>"
  }
}

and there i always get a 400 Bad Request error.

i don't understand the setup behind the working client-id 0000000048093EE3 and my own app.

if someone could help me here, that would be awesome, because this bothers me since years now
and nobody was able or willing to help, as this seems to be the holy grail when it comes to working with the xbox live api.

🙏 🙏

[tuxuser]

Believe it or not, its expected behaviour!

You can only do UToken / XToken authentication with that specific client id, aka. Client == XboxLiveService.

All custom clients just rely on access_token / refresh_token for a specific client_id - You would use them to authenticate to your client, which in return sets f.e. a cookie.

To sum it up code-wise

manager = AuthenticationManager()
manager.email = "no@example.org"
manager.password = "12345678"

try:
    manager.authenticate()
except AuthenticationException as e:
    print('Email/Password authentication failed! Err: %s' % e)
    sys.exit(-1)

print('We got your windows live account cookies stored now')
print('Lets auth with the custom client_id/service')

custom_app_auth_url = 'https://login.live.com/oauth20_authorize.srf?client_id=000000004C2353AB&response_type=token&scope=Xboxlive.signin+Xboxlive.offline_access&redirect_uri=https://azure.myClientApp.com/xbl_related_app'

response = manager.authenticate_with_service('custom_app_auth_url')

print('Now check response.headers, response.cookies or response.body for the authorization data that the client app set')

If you like, join the discord chat server and provide a more real-world example - your redirect uri: https://github.com/michabbb did not make much sense.

[michabbb]

@tuxuser thanks a lot for you feedback !!! how can i contact you via discord, what´s your username ? mine is "michabbb" 😏

[tuxuser]

For this type of authentication, scope 'Xboxlive.signin Xboxlive.offline_access', a whitelisted client ID / webapp is required.
You have to register for ID@Xbox program to make use of it.

[michabbb]

i never had proof of that, but that´s what i was thinking of. thank you so much for your efforts!

[Mastok1979]

@tuxuser can you maybe help me how to register such an app in partner center for creator program?
i turn around for long time now!

[michabbb]

@Mastok1979 good luck with tha. i tried this for years and never got feedback for my application. i really believe you need a personal connection to MS to get access that only real publishers get. mr "xboapi.com" recently created something new, maybe that helps: https://xboxauth.dev/

[purbopanambang]

Hi @tuxuser, I'm facing the same issue as @michabbb, always got 400 when I tried to request to retrieve XSTS token at this API
https://user.auth.xboxlive.com/user/authenticate
So is it not possible to get XSTS token with client-ID from my own app? Is there any other way to get XSTS with my own app?
Thanks

[Ladvace]

I have the same problem (unfortunally i work with js and not with python, but I think in this case doesn't matter the language) did you solve it?

[tuxuser]

@Ladvace
https://gist.github.com/tuxuser/8b7cc153cdecd0a9c3f2694850fa90bd

[Ladvace]

@Ladvace
https://gist.github.com/tuxuser/8b7cc153cdecd0a9c3f2694850fa90bd

thanks, I'm going to try

[Ladvace]

for some reason I still get Error 400 bad request, I don't understand if I'm entering a wrong token or whatever.
Why in the access tone you add d= as here RpsTicket": "d=" + access_token,