-
Notifications
You must be signed in to change notification settings - Fork 5
Authentication
There's lots of ways to authenticate.
Microsoft accounts are the ones that look like email addresses, previously known as "passport", and have many similarities with previous MSN login methods.
This method works for HTTPS longpolling connections, using http headers and cookies, and is the outlook.com web client uses.
This is based on the method that the skype clients use for microsoft account, but just getting the resulting cookies.
Open a browser to
https://login.live.com/oauth20_authorize.srf?client_id=00000000480BC46C&scope=service::skype.com::MBI_SSL&response_type=token&redirect_uri=https://login.live.com/oauth20_desktop.srf
Allow the user to log in as normal. When they're done, the browser will be redirected to https://login.live.com/oauth20_desktop.srf with an enormous fragment. The fragment might be useful, but what the webclient requires is the three cookies MSPAuth, MSPProf, WLSSC.
note that this client ID is the only one with access to the service::skype.com::MBI_SSL scope (as far as we know), previously created oauth2 clients ids (such as those needed for the now-defunct MSN XMPP gateway) won't work here.
Similarly, the redirect_uri parameter can't be changed to something more useful, returning this error in the fragment:
The provided value for the input parameter
redirect_uriis not valid. The expected value ishttps://login.live.com/oauth20_desktop.srfor a URL which matches the redirect URI registered for this client application.
See also:
Request the same URL as the previous section. Keep the MSPOK cookie.
Buried in the Javascript is a HTML <input> element, with name="PPFT". Keep the value attribute of this element.
Using the same query string as the first request, POST to https://login.live.com/ppsecure/post.srf, with the MSPOK cookie and a body consisting of url-encoded parameters:
| Parameter | Notes |
|---|---|
| PPFT | The PPFT value you got from the first request |
| login | Microsoft account name |
| password | Password for that account |
If all goes well, you are redirected to the same place as the previous section. If not, look for sErrTxt: followed by a Javascript string, the string including an error message.
When sending HTTPS requests to the gateway, include the X-MSN-Auth: Use-Cookie header and the MSPAuth, MSPProf, WLSSC cookies from above
Then, when sending the ATH command, use <user><web-compact-ticket /></user> as the whole payload.
ATH 2 CON\USER 37
<user><web-compact-ticket /></user>
The outlook.com web client seems to request a UIC too from https://skypewebexperience.live.com/v1/User/Initialization (with cookies + the trouterurl and connectionid POST parameters). If requested correctly, the UIC is in the MappingContainer field of the json response. This is useful if you want to do a login without Skylogin library.
The Location: HTTP-Header field in the 302 redirect from post.srf above contains a redirect-URL of oauth20_desktop.srf which contains an access_token and a refresh_token which you should extract (note that it's URLencoded, of course!):
Location: https://login.live.com/oauth20_desktop.srf?lc=1031#access_token=....very long base64 string here....&token_type=bearer&expires_in=86400&scope=service::skype.com::MBI_SSL&refresh_token=....another base64 string....&state=999&user_id=...some hex int64...
There is also expires_in parameter in seconds that specifies the number of seconds from now on when the acquired token expires. Currently this is always 1 day.
Using the refresh_token, POST to https://login.live.com/oauth20_token.srf with parameters
client_id=00000000480BC46C&scope={requested scope}&grant_type=refresh_token&refresh_token={refresh_token} as described in the OAuth docs by Microsoft. The requested scope can be one of the following:
| Scope | Description |
|---|---|
| service::login.skype.com::MBI_SSL | Required for Login on real Skype Login-Server using i.e. skylogin. This is the way Skype does it. |
| service::ssl.live.com::MBI_SSL | To be used as <ssl-compact-ticket> on ATH CON\USER |
| service::contacts.msn.com::MBI_SSL | Used for Contact list handling already known from MSNP18 |
| service::m.hotmail.com::MBI_SSL | ActiveSync contactlist auth token, if you want (and can) use it. |
Just fetch the service::ssl.live.com::MBI_SSL token via the method mentioned above.
This method is not recommended, as it doesn't generate the necessary , but as it still generates a valid ssl-compact-ticket, it is documented here just for the sake of completeness. Useful for clients that are migrating from earlier protocol versions, the same SOAP request explained here still works: http://msnpiki.msnfanatic.com/index.php/MSNP15:SSO ("Computing the return value" is irrelevant, however)
Use the following parameters:
- POST to https://login.live.com/RST.srf
- Domain:
chatservice.live.com(for<wsa:Address>below) - Policy Ref URI:
MBI_SSL(for<wsse:PolicyReference URI="MBI_SSL">below) - Set the user's username and password in
<wsse:Username>and<wsse:Password>.
Here's a SOAP payload to request only this token:
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL">
<Header>
<wsse:Security>
<wsse:UsernameToken Id="user">
<wsse:Username>username@hotmail.com</wsse:Username>
<wsse:Password>password-here</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</Header>
<Body>
<ps:RequestMultipleSecurityTokens Id="RSTS">
<wst:RequestSecurityToken Id="RST0">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>chatservice.live.com</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wsse:PolicyReference URI="MBI_SSL"></wsse:PolicyReference>
</wst:RequestSecurityToken>
</ps:RequestMultipleSecurityTokens>
</Body>
</Envelope>You might want to add more entries to RequestMultipleSecurityTokens to access other sites, such as soap contact lists. That's explained in MSNPiki. TODO: move that over here.
Once you get that reply, the interesting part is here:
[snip]
<wst:RequestedSecurityToken>
<wsse:BinarySecurityToken Id="Compact0">t=.............very long base64 string here...............&p=</wsse:BinarySecurityToken>
</wst:RequestedSecurityToken>Id="Compact0" corresponds to Id="RST0"
And just copy that ticket inside <ssl-compact-ticket> as follows
ATH 2 CON\USER 110
<user><ssl-compact-ticket>t=.............very long base64 string here...............</ssl-compact-ticket><ssl-site-name>chatservice.live.com</ssl-site-name></user>
The UIC is required to successfully logon. For MSN-Users, this is acquired from the Skype Login servers, so you can use the skylogin library. First, fetch a service::login.skype.com::MBI_SSL token via the method mentioned above. Call SkyLogin_PerformLoginOAuth() with that token as a parameter. Then call SkyLogin_GetCredentialsUIC() with an output buffer of 1024 bytes to fill in UIC.
If it was successful, do login with:
ATH 2 CON\USER 110
<user><ssl-compact-ticket>t={service::ssl.live.com::MBI_SSL token}</ssl-compact-ticket><uic>{UIC acquired from Skylogin}</uic><id>{Your MSN username}</id><alias>{Username of Skype Partner account}</alias></user>
If you don't have the username of the Skype Partner account, you can get it from Skylogin with SkyLogin_GetUser().
Logging in with skype usernames requires using a bunch of cryptography to generate the UIC as well.
There's a python implementation of skype username login here: https://github.com/uunicorn/pyskype We wrote our own C implementation that you can use as a library for your client: https://github.com/msndevs/skylogin
The login flow with a Skype username is easer than all the OAuth stuff required for MSN accounts mentioned above. On CNT call, you get a nonce:
CNT 5 CON 126
2false3d97e3ac-4df8-3d88-c35f-e96242d1efcd
User Skylogin SkyLogin_PerformLogin() with username and password to login to Skype server. Then generate the UIC with SkyLogin_CreateUICString() using the given nonce and you get back a UIC if login succeeds. Then just login with that UIC:
ATH 2 CON\USER 110
<user><uic>{your UIC}</uic><id>{Your Skype Username}</id></user>