xbox-webapi-csharp

403 for Session Directory URIs

Open arnerak opened this issue 5 years ago • 3 comments

Hey there,

I'm trying to query session directory URIs. However, I'm getting 403 Forbidden when using the XToken that the webapi is using for the other services.

When I copied the Authorization header that Windows 10's GameBar app uses for REST API calls, it gave me working results. For reference, e.g. GET https://sessiondirectory.xboxlive.com/serviceconfigs/00000000-0000-0000-0000-000066591171/sessiontemplates should give us {"results":["ServerLargeSession", "LargeShipSessionTemplate", "SmallShipSessionTemplate", "MediumShipSessionTemplate", "LobbySession"]}

GameBar's Authorization header has the same XBL3.0 x=<hash>;<token> format; however, both hash and token differ from the xbox-webapi-csharp Authorization header, despite using the same Live account. Do you know where this hash and token info comes from?

Thanks!

arnerak, Sep 11 '20 18:09

Hey,

I dunno exactly which scopes the XToken of GameBar has, but it's definitely entitled differently.

So it could be 2 things:

  • Different scope for the token
  • XToken could have been authorized with Title/Device/ServiceToken

You could try Fiddler's SSL decryption: https://www.telerik.com/download/fiddler

tuxuser, Sep 11 '20 19:09

Thanks for your reply! I'm not completely sure, but I think the session directory API is only accessible with XTokens authorized by Service tokens. Bummer!

My goal is to get the current session handle of a befriended xuid. If somebody knows an alternative besides sessiondirectory.xboxlive.com and multiplayeractivity.xboxlive.com, or a way to use them with a User token, I would be glad to hear it! Thanks

arnerak, Sep 12 '20 00:09

did u fix this?

geosage, Aug 23 '23 15:08