"401 Unauthorized" daemon app, despite bearer token

James Edington 116 Reputation points
2021-01-11T22:16:43.493+00:00

I'm writing a daemon-style app [i.e. it does not act on behalf of or in connection with any particular user] that requires access to the profile.xboxlive.com API.

Due to platform restrictions, I cannot use MSAL per se; the application must simply wrangle the HTTP requests and responses itself.

https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-acquire-token#first-case-access-the-token-request-by-using-a-shared-secret

I can acquire a token per the above, with scope=https%3A%2F%2Fgraph.microsoft.com%2F.default:

curl -sv "https://login.microsoftonline.com/${tenant_id}/oauth2/v2.0/token" -d "grant_type=client_credentials&scope=https://graph.microsoft.com/.default&client_id=${client_id}&client_secret=${client_secret}"  

The above does yield a Bearer token.

However, this token does not work on any of profile.xboxlive.com's endpoints, even nonprivileged ones:

$ curl -sv 'https://profile.xboxlive.com/users/gt(squeegily)/profile/settings' -H "Authorization: Bearer ${token}"  
*   Trying 20.44.86.88:443...  
* Connected to profile.xboxlive.com (20.44.86.88) port 443 (#0)  
* ALPN, offering h2  
* ALPN, offering http/1.1  
* successfully set certificate verify locations:  
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt  
  CApath: none  
* TLSv1.3 (OUT), TLS handshake, Client hello (1):  
* TLSv1.3 (IN), TLS handshake, Server hello (2):  
* TLSv1.2 (IN), TLS handshake, Certificate (11):  
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):  
* TLSv1.2 (IN), TLS handshake, Server finished (14):  
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):  
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):  
* TLSv1.2 (OUT), TLS handshake, Finished (20):  
* TLSv1.2 (IN), TLS handshake, Finished (20):  
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256  
* ALPN, server did not agree to a protocol  
* Server certificate:  
*  subject: CN=profile.xboxlive.com  
*  start date: Sep 24 00:52:06 2020 GMT  
*  expire date: Sep 24 00:52:06 2021 GMT  
*  subjectAltName: host "profile.xboxlive.com" matched cert's "profile.xboxlive.com"  
*  issuer: C=US; O=Microsoft Corporation; CN=Microsoft RSA TLS CA 02  
*  SSL certificate verify ok.  
> GET /users/gt(squeegily)/profile/settings HTTP/1.1  
> Host: profile.xboxlive.com  
> User-Agent: curl/7.69.1  
> Accept: */*  
> Authorization: Bearer [omitted]  
>   
* Mark bundle as not supporting multiuse  
< HTTP/1.1 401 Unauthorized  
< Cache-Control: no-cache, no-store  
< Content-Length: 0  
< X-Content-Type-Options: nosniff  
< MS-CV: 9FsW5GEDbE2jQAqnqfdZ8Q.0  
< Date: Mon, 11 Jan 2021 22:10:38 GMT  
<   
* Connection #0 to host profile.xboxlive.com left intact  

Further, I cannot find the correct scope for this API. I have tried Xboxlive.offline_access, Xboxlive.default, and https://profile.xboxlive.com/.default.

What do I need to do to give a daemon application [which does not act on behalf or in conjunction with any particular user] access to that endpoint?

Thank you.


Accepted answer
    James Edington 116 Reputation points
    2021-01-13T01:48:58.233+00:00

    The profile.xboxlive.com REST API requires a so-called "XToken". Once you know these exist, it's relatively easy to find the documentation on them, but the magic word to search, "XSTS", is not well-referenced in the rest of the documentation.

    https://learn.microsoft.com/en-us/gaming/xbox-live/api-ref/xbox-live-rest/additional/edsauthorization

    However, to get an Xtoken from https://xsts.auth.xboxlive.com/xsts/authorize requires a Token from https://user.auth.xboxlive.com/user/authenticate. To the best of my knowledge, this Token can only be got after any (but at least one) Xbox Live User grants the Xboxlive.signin and Xboxlive.offline_access scopes to you.

    The details of it all are quite arcane and poorly-documented, but the following file can be reverse-engineered to get it all at once:

    https://github.com/OpenXbox/xbox-webapi-python/blob/v2.0.10/xbox/webapi/authentication/manager.py

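The two-hop exchange the accepted answer describes, plus a check of why the original graph.microsoft.com token was rejected, as an added Python example that is not from the original post or the OpenXbox project. The request field names, the XBL3.0 header format and the DisplayClaims path are assumptions from general knowledge of the XSTS exchange, not taken from this page.

```python
import base64
import json
import urllib.request

# Endpoints named in the accepted answer.
USER_AUTH_URL = "https://user.auth.xboxlive.com/user/authenticate"
XSTS_AUTH_URL = "https://xsts.auth.xboxlive.com/xsts/authorize"

def jwt_audience(token: str) -> str:
    """Return the aud claim of a JWT without verifying it. A token minted for
    graph.microsoft.com is not an XToken, hence the 401 from profile.xboxlive.com."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]

def user_token_request(ms_access_token: str) -> dict:
    """Hop 1 body for USER_AUTH_URL. The Microsoft account token must carry the
    Xboxlive.signin scope. Field names are an assumption, not taken from the page."""
    return {
        "Properties": {
            "AuthMethod": "RPS",
            "SiteName": "user.auth.xboxlive.com",
            "RpsTicket": f"d={ms_access_token}",
        },
        "RelyingParty": "http://auth.xboxlive.com",
        "TokenType": "JWT",
    }

def xsts_request(user_token: str, sandbox: str = "RETAIL") -> dict:
    """Hop 2 body for XSTS_AUTH_URL: trade the user token for an XToken."""
    return {
        "Properties": {"UserTokens": [user_token], "SandboxId": sandbox},
        "RelyingParty": "http://xboxlive.com",
        "TokenType": "JWT",
    }

def xbl3_authorization(xsts_response: dict) -> str:
    """Authorization value for Xbox Live REST calls: XBL3.0 scheme, user hash
    (uhs) from the XSTS display claims, then the XToken itself."""
    uhs = xsts_response["DisplayClaims"]["xui"][0]["uhs"]
    return f"XBL3.0 x={uhs};{xsts_response['Token']}"

def post_json(url: str, body: dict) -> dict:
    """Plain JSON POST to run the two hops for real (needs network access)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Chaining `post_json(USER_AUTH_URL, user_token_request(t))` and then `post_json(XSTS_AUTH_URL, xsts_request(user["Token"]))` yields the response to hand to `xbl3_authorization`, whose value replaces the `Bearer` header in the original curl call.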

1 additional answer

    JamesTran-MSFT 36,811 Reputation points Microsoft Employee
    2021-01-13T00:10:44.15+00:00

    @James Edington
    Thank you for your detailed post! Based on the documentation that you provided to acquire a token for a Daemon app, this is used for AzureAD via the Microsoft identity platform and the OAuth 2.0 client credentials flow, therefore Xbox Live API permissions aren't supported within AzureAD app registrations.

    If you're looking to troubleshoot/use the Xbox Live API, I'd recommend reaching out to Xbox Live community. Additionally, you can reference our Xbox Live documentation for more info on Identity and authentication using the Xbox Authentication Library.

    For more information:
    Xbox Live API Home Page

    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
