dequis edited this page Mar 12, 2015 · 28 revisions

There are lots of ways to authenticate.

Microsoft accounts

Microsoft accounts are the ones that look like email addresses, previously known as "passport", and have many similarities with previous MSN login methods.

Webclient style, with a browser widget

Open a browser to

https://login.live.com/oauth20_authorize.srf?client_id=00000000480BC46C&scope=service::skype.com::MBI_SSL&response_type=token&redirect_uri=https://login.live.com/oauth20_desktop.srf

Allow the user to log in as normal. When they're done, the browser will be redirected to https://login.live.com/oauth20_desktop.srf with an enormous fragment. The fragment might be useful, but what the webclient requires is the three cookies MSPAuth, MSPProf, WLSSC.

This is the method that the Skype clients use for Microsoft accounts. Note that this client ID is the only one with access to the service::skype.com::MBI_SSL scope (as far as we know); previously created OAuth2 client IDs (such as those needed for the now-defunct MSN XMPP gateway) won't work here.

Similarly, the redirect_uri parameter can't be changed to something more useful, returning this error in the fragment:

The provided value for the input parameter redirect_uri is not valid. The expected value is https://login.live.com/oauth20_desktop.srf or a URL which matches the redirect URI registered for this client application.

See also:

Webclient, without a browser

Request the same URL as the previous section. Keep the MSPOK cookie.

Buried in the JavaScript is an HTML <input> element with name="PPFT". Keep the value attribute of this element.

Using the same query string as the first request, POST to https://login.live.com/ppsecure/post.srf, with the MSPOK cookie and a body consisting of url-encoded parameters:

Parameter   Notes
PPFT        The PPFT value you got from the first request
login       Microsoft account name
password    Password for that account

If all goes well, you are redirected to the same place as in the previous section. If not, look for sErrTxt: followed by a JavaScript string; that string contains an error message.
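The parsing and encoding steps of this flow, as an added example (not code from this wiki or from any Skype client). It runs offline on constructed pages; the sample markup, the script variable names and the helper names are assumptions.

```python
import html
import re
from urllib.parse import urlencode

INPUT_RE = re.compile(r'<input\b[^>]*\bname="PPFT"[^>]*>', re.I)
VALUE_RE = re.compile(r'\bvalue="([^"]*)"', re.I)
# sErrTxt: followed by a quoted JavaScript string; backslash escapes may hide quotes.
ERR_RE = re.compile(r"""sErrTxt:\s*(['"])((?:\\.|(?!\1)[^\\])*)\1""", re.S)

def extract_ppft(page):
    """Return the value attribute of the <input name="PPFT"> embedded in the page."""
    tag = INPUT_RE.search(page)
    value = VALUE_RE.search(tag.group(0)) if tag else None
    if value is None:
        raise ValueError("PPFT input not found; the page layout may have changed")
    return html.unescape(value.group(1))

def build_login_body(ppft, login, password):
    """URL-encode the three POST parameters so '&', '=' and '+' in a password survive."""
    return urlencode({"PPFT": ppft, "login": login, "password": password})

def extract_error(page):
    """Return the sErrTxt message, or None when the response carries no error."""
    m = ERR_RE.search(page)
    if m is None:
        return None
    # Simplification: only \' \" and \\ are unescaped; other escapes are left as-is.
    return re.sub(r"""\\(['"\\])""", r"\1", m.group(2))

# Constructed pages (not captured from the service); script variable names are made up.
SAMPLE_LOGIN_PAGE = """<script>var form = '<input type="hidden" name="PPFT" id="ppft1" value="CONSTRUCTED-ppft-123"/>';</script>"""
SAMPLE_ERROR_PAGE = r"""<script>var data = {sErrTxt:'Constructed error: that password isn\'t right', other:1};</script>"""

if __name__ == "__main__":
    ppft = extract_ppft(SAMPLE_LOGIN_PAGE)
    print(build_login_body(ppft, "user@example.com", "p&ss=word+1"))
    print(extract_error(SAMPLE_ERROR_PAGE))
```
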

Webclient, authenticating with HTTPS method and web-compact-ticket

When sending HTTPS requests to the gateway, include the X-MSN-Auth: Use-Cookie header and the MSPAuth, MSPProf, WLSSC cookies from above.

Then, when sending the ATH command, use <user><web-compact-ticket /></user> as the whole payload.

ATH 2 CON\USER 37

<user><web-compact-ticket /></user>

The outlook.com web client seems to request a UIC too from https://skypewebexperience.live.com/v1/User/Initialization (with cookies + the trouterurl and connectionid POST parameters). If requested correctly, the UIC is in the MappingContainer field of the JSON response. This might be important at some point. For now it seems to be enough to just skip it.

Good old MSNP15-style SOAP requests and ssl-compact-ticket

Useful for clients that are migrating from earlier protocol versions: the same SOAP request explained here still works: http://msnpiki.msnfanatic.com/index.php/MSNP15:SSO ("Computing the return value" is irrelevant, however)

Use the following parameters:

  • POST to https://login.live.com/RST.srf
  • Domain: chatservice.live.com (for <wsa:Address> below)
  • Policy Ref URI: MBI_SSL (for <wsse:PolicyReference URI="MBI_SSL"> below)
  • Set the user's username and password in <wsse:Username> and <wsse:Password>.

Here's a SOAP payload to request only this token:

<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"
   xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext"
   xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
   xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
   xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
   xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL">
   <Header>
       <wsse:Security>
           <wsse:UsernameToken Id="user">
               <wsse:Username>username@hotmail.com</wsse:Username>
               <wsse:Password>password-here</wsse:Password>
           </wsse:UsernameToken>
       </wsse:Security>
   </Header>
   <Body>
       <ps:RequestMultipleSecurityTokens Id="RSTS">
           <wst:RequestSecurityToken Id="RST0">
               <wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
               <wsp:AppliesTo>
                   <wsa:EndpointReference>
                       <wsa:Address>chatservice.live.com</wsa:Address>
                   </wsa:EndpointReference>
               </wsp:AppliesTo>
               <wsse:PolicyReference URI="MBI_SSL"></wsse:PolicyReference>
           </wst:RequestSecurityToken>
       </ps:RequestMultipleSecurityTokens>
   </Body>
</Envelope>

You might want to add more entries to RequestMultipleSecurityTokens to access other sites, such as soap contact lists. That's explained in MSNPiki. TODO: move that over here.

Once you get that reply, the interesting part is here:

[snip]
<wst:RequestedSecurityToken>
    <wsse:BinarySecurityToken Id="Compact0">t=.............very long base64 string here...............&amp;p=</wsse:BinarySecurityToken>
</wst:RequestedSecurityToken>

Id="Compact0" corresponds to Id="RST0"

And just copy that ticket inside <ssl-compact-ticket> as follows:

ATH 2 CON\USER 110

<user><ssl-compact-ticket>t=.............very long base64 string here...............</ssl-compact-ticket><ssl-site-name>chatservice.live.com</ssl-site-name></user>

That's all!
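The XML handling around this exchange, as an added example (not code from this wiki): it escapes credentials for the UsernameToken, pulls the Compact0 token out of a reply, and builds the <user> payload. Assumptions: the reply uses the same wsse/wst namespace URIs as the request, the ticket is copied whole including its trailing &p=, and the sample reply and helper names are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSSE = "http://schemas.xmlsoap.org/ws/2003/06/secext"  # wsse namespace from the request above

def username_token(username, password):
    """UsernameToken fragment for the envelope, with credentials XML-escaped."""
    return ('<wsse:UsernameToken Id="user">'
            f'<wsse:Username>{escape(username)}</wsse:Username>'
            f'<wsse:Password>{escape(password)}</wsse:Password>'
            '</wsse:UsernameToken>')

def extract_ticket(reply_xml, token_id="Compact0"):
    """Return the text of the BinarySecurityToken with the given Id (entities decoded)."""
    root = ET.fromstring(reply_xml)
    for token in root.iter(f"{{{WSSE}}}BinarySecurityToken"):
        if token.get("Id") == token_id:
            return token.text
    raise LookupError(f"no BinarySecurityToken with Id={token_id!r} in reply")

def build_user_payload(ticket, site="chatservice.live.com"):
    """Serialize the <user> payload for ATH; the serializer re-escapes '&' in the ticket."""
    user = ET.Element("user")
    ET.SubElement(user, "ssl-compact-ticket").text = ticket
    ET.SubElement(user, "ssl-site-name").text = site
    return ET.tostring(user, encoding="unicode")

# Constructed reply (assumption): only the RequestedSecurityToken and
# BinarySecurityToken elements are taken from the page; the token value is made up.
SAMPLE_REPLY = (
    '<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/" '
    f'xmlns:wsse="{WSSE}" xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"><Body>'
    '<wst:RequestedSecurityToken>'
    '<wsse:BinarySecurityToken Id="Compact0">t=Q09OU1RSVUNURUQ&amp;p=</wsse:BinarySecurityToken>'
    '</wst:RequestedSecurityToken></Body></Envelope>')

if __name__ == "__main__":
    print(username_token("username@hotmail.com", "p<a&ss>"))
    print(build_user_payload(extract_ticket(SAMPLE_REPLY)))
```

A password containing &, < or > pasted into the envelope unescaped yields malformed XML or changes the element structure, which is why the credentials go through escape() first.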
