-
Notifications
You must be signed in to change notification settings - Fork 5
Authentication
There's lots of ways to authenticate.
Microsoft accounts are the ones that look like email addresses, previously known as "passport", and have many similarities with previous MSN login methods.
Open a browser to
https://login.live.com/oauth20_authorize.srf?client_id=00000000480BC46C&scope=service::skype.com::MBI_SSL&response_type=token&redirect_uri=https://login.live.com/oauth20_desktop.srf
Allow the user to log in as normal. When they're done, the browser will be redirected to https://login.live.com/oauth20_desktop.srf with an enormous fragment. The fragment might be useful, but what the webclient requires is the three cookies MSPAuth, MSPProf, WLSSC.
This is the method that the skype clients use for microsoft account - note that this client ID is the only one with access to the service::skype.com::MBI_SSL scope (as far as we know), previously created oauth2 clients ids (such as those needed for the now-defunct MSN XMPP gateway) won't work here.
Similarly, the redirect_uri parameter can't be changed to something more useful, returning this error in the fragment:
The provided value for the input parameter
redirect_uriis not valid. The expected value ishttps://login.live.com/oauth20_desktop.srfor a URL which matches the redirect URI registered for this client application.
See also:
Request the same URL as the previous section. Keep the MSPOK cookie.
Buried in the Javascript is a HTML <input> element, with name="PPFT". Keep the value attribute of this element.
Using the same query string as the first request, POST to https://login.live.com/ppsecure/post.srf, with the MSPOK cookie and a body consisting of url-encoded parameters:
| Parameter | Notes |
|---|---|
| PPFT | The PPFT value you got from the first request |
| login | Microsoft account name |
| password | Password for that account |
If all goes well, you are redirected to the same place as the previous section. If not, look for sErrTxt: followed by a Javascript string, the string including an error message.
When sending HTTPS requests to the gateway, include the X-MSN-Auth: Use-Cookie header and the MSPAuth, MSPProf, WLSSC cookies from above
Then, when sending the ATH command, use <user><web-compact-ticket /></user> as the whole payload.
ATH 2 CON\USER 37
<user><web-compact-ticket /></user>
The outlook.com web client seems to request a UIC too from https://skypewebexperience.live.com/v1/User/Initialization (with cookies + the trouterurl and connectionid POST parameters). If requested correctly, the UIC is in the MappingContainer field of the json response. This might be important at some point. For now it seems to be enough to just skip it.