@xboxreplay/xboxlive-auth - Upcoming 4.0.0 release


Hey there, first of all, thanks for using @xboxreplay/xboxlive-auth library.

In the upcoming days, a new major version will be released which includes a few breaking changes and new features / workarounds such as “deviceToken” generation, “Child” / “Teen” account detections, Electron usage, etc.

Please refer to the available documentation right here: https://github.com/XboxReplay/xboxlive-auth/tree/4.0.0/docs

Thank you!

Update: The 4.0.0-beta.0 is available on npm - https://www.npmjs.com/package/@xboxreplay/xboxlive-auth/v/4.0.0-beta.0

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
extremeheat commented, Jan 16, 2021

Yes, right now in #806 we have msa device code based authentication. The server sends us a code, url, and a message for the user. We send that message back to the user to have them follow the instructions sent by the server, then the ms auth library (msal) constantly polls to check the status of the authentication. If it’s successful, the promise resolves and we continue with the auth flow onto the Xbox step with your library to get the final XSTS data, onto the Minecraft step. We store the tokens so this step doesn’t have to be repeated. Sending username and password works some of the time without user interaction, but not all the time, and would be a maintenance chore every time Microsoft changes something with their auth page and it’s hard to debug other people’s issues if we can’t reproduce. So we need to have an alternative.

Regarding adding the new auth flow in your library:

As this is also a library, usually used in headless environments, there’s a lot of different environments we have to account for. Bundling electron is not a good idea for the library, it would add 100 MB+ to the package size and would only work if the users are in a GUI environment.

So for the library side to support the auth_code flow, we’d need to start a server, or delegate the auth step to the user. We do have an example using the library in an electron app, this is where I think the authorization_code flow would be helpful: we can get the live url the user needs to go to, send it to the user in a callback, user code starts up an electron window with the login page and sends the relevant data back like in your example so we can continue the auth flow. (Currently with device_code auth we just alert the user the code and wait for them to deal with it.)

It’s a bit complicated to explain, but it comes down to:

  • email and password based auth - (no GUI, sometimes user interaction) xboxlive library handles
  • device code auth - (no GUI, requires user interaction) msal library handles, we give user code, we wait for the user to complete the auth there
  • authorization code - (new, requires GUI, requires user interaction) xboxlive library gives us a url, nmp sends it back to the user in a callback, have them send us back the access/refresh token

I’ll look at updating the #806 PR to use 4.0 soon, but can you answer the questions in my comment above? Thanks
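The device code polling described in the comment above, as an added example that is not code from this thread, from msal or from either library. The grant values, the scripted responses and the function names are constructed for illustration; the error names and the 5-second `slow_down` increase follow RFC 8628.

```javascript
// Constructed device-authorization response (all values are placeholders).
const SAMPLE_GRANT = {
	device_code: 'CONSTRUCTED-DEVICE-CODE',
	user_code: 'ABCD-EFGH',
	verification_uri: 'https://example.invalid/device',
	expires_in: 900, // seconds
	interval: 5 // seconds between polls
};

// Decide what to do after one token-endpoint response (RFC 8628 section 3.5).
function nextStep(interval, res) {
	if (res.access_token) return { done: true, tokens: res };
	switch (res.error) {
		case 'authorization_pending': // user has not finished signing in
			return { done: false, interval };
		case 'slow_down': // server asks for 5 more seconds between polls
			return { done: false, interval: interval + 5 };
		default: // access_denied, expired_token or anything unexpected: stop
			return { done: true, error: res.error || 'invalid_response' };
	}
}

// Hypothetical driver: `poll(deviceCode)` stands in for the token-endpoint POST.
// A virtual clock replaces real sleeping so the run is deterministic.
function pollDeviceCode(grant, poll) {
	let interval = grant.interval || 5; // RFC 8628 default when omitted
	let clock = 0;
	const waits = [];
	for (;;) {
		// Never keep polling a device code that has already expired.
		if (clock + interval > grant.expires_in) return { error: 'expired_token', waits };
		clock += interval;
		waits.push(interval);
		const step = nextStep(interval, poll(grant.device_code));
		if (step.done) return { tokens: step.tokens, error: step.error, waits };
		interval = step.interval;
	}
}

// Constructed response sequence played back in order.
const scripted = responses => () => responses.shift() || {};

const result = pollDeviceCode(SAMPLE_GRANT, scripted([
	{ error: 'authorization_pending' },
	{ error: 'slow_down' },
	{ error: 'authorization_pending' },
	{ access_token: 'CONSTRUCTED_ACCESS_TOKEN', refresh_token: 'CONSTRUCTED_REFRESH_TOKEN' }
]));
console.log(result.waits, Boolean(result.tokens));
```
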

1 reaction
Alexis-Bize commented, Jan 16, 2021

Remote / cloud servers constraints

Those constraints are difficult to bypass. Perhaps there’s a possible workaround where the user does not set its credentials (email / password) but the returned live tokens instead. As 2FA can be an issue during the initial authentication, maybe you should use an Electron application (see example) for this part.

  • The user authenticates itself via the login.live.com (see live.getAuthorizeUrl) prompt (Electron).
  • The application catches returned access_token / refresh_token / etc.
  • The application displays them to the user.
  • The user uses them inside your library.
  • The library must handle the refresh part (see live.refreshAccessToken)

```javascript
import { xbl, live } from '@xboxreplay/xboxlive-auth';

// Specified by the user itself / returned by the application
let rpsTicket = 'USER_RPS_TICKET';
let refreshToken = 'USER_REFRESH_TOKEN';

const XBLAuthenticate = async (retry = false) => {
	const exchange = await xbl
		.exchangeRpsTicketForUserToken(rpsTicket, 't') // Use "d" for custom Azure applications
		.catch(err => {
			if (retry === true || err.details.statusCode !== 401) {
				throw new Error('Authentication has failed');
			}

			// Current "RpsTicket" has expired
			return live
				.refreshAccessToken(refreshToken) // Specify "clientId", "scope", etc. for custom Azure applications
				.then(refreshTokenResponse => {
					rpsTicket = refreshTokenResponse.access_token;
					refreshToken = refreshTokenResponse.refresh_token;
					return XBLAuthenticate(true);
				});
		});

	const {
		Token: deviceToken
	} = await xbl.EXPERIMENTAL_createDummyWin32DeviceToken();

	const XSTSTokenResponse = await xbl.exchangeTokensForXSTSToken({
		XSTSRelyingParty: 'rp://api.minecraftservices.com/',
		userTokens: [exchange.Token],
		deviceToken // Used to bypass "Child" and "Teen" accounts restriction
	});

	return XSTSTokenResponse;
};
```