
More info on Authentication

Open freundTech opened this issue 7 years ago • 2 comments

I did a bit of research and while I still don't fully understand how auth works I have some additional information. I'm creating an issue instead of a PR, as this isn't finished yet.

URL: https://accounts.nintendo.com/connect/1.0.0/authorize
Method: GET
Parameters:

  • state:
    • Length: 51 characters
    • Format: [a-zA-Z]. Not base64.
    • Generation: Unknown. New content every time the login button is clicked. Even if user didn't log in after previous login button click. Probably random
    • Optional: No
    • Can be changed: Yes. Site loads content if changed and even if parameter is present but empty
    • Use: Influences session_token and is returned as state.
  • redirect_uri:
    • Format: Android App URI / iOS App URI
    • Generation: static
    • Value: npf71b963c1b7b6d119://auth (Nintendo Switch Online) npf54789befb391a838://auth (Nintendo Switch Parental Controls)
    • Optional: No
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid URIs).
    • Use: Site to be redirected to after successful login.
  • client_id:
    • Length: 17
    • Format: hex
    • Generation: static
    • Value: 71b963c1b7b6d119 (Nintendo Switch Online) 54789befb391a838 (Nintendo Switch Parental Controls)
    • Optional: No
    • Can be changed: Unknown. Site reports 403 Forbidden when changing content. Probably a whitelist (TODO: Find other valid IDs).
    • Use: Client ID
  • scope:
    • Format: Space (encoded as %20) separated list
    • Generation: static
    • Value: openid user user.birthday user.mii user.screenName (Nintendo Switch Online) openid user user.mii moonUser:administration moonDevice:create moonOwnedDevice:administration moonParentalControlSetting moonParentalControlSetting:update moonParentalControlSettingState moonPairingState moonSmartDevice:administration moonDailySummary moonMonthlySummary (Nintendo Switch Parental Controls)
    • Optional: No
    • Can be changed: Yes. Requesting fewer permissions is possible. List can't be empty. More might be possible if valid values are known.
    • Use: List of information the app wants to access
  • response_type:
    • Format: String
    • Generation: static
    • Value: session_token_code
    • Optional: No
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid Return Types).
    • Use: What to return for authentication
  • session_token_code_challenge:
    • Format: base64url
    • Length: 32 bytes
    • Generation: Random
    • Optional: No
    • Can be changed: Yes, as long as length is preserved
    • Use: Proof for key code exchange (See https://tools.ietf.org/html/rfc7636#appendix-B)
  • session_token_code_challenge_method:
    • Format: String
    • Generation: static
    • Value: S256
    • Optional: No
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid challenge methods).
    • Use: Method to use for proof for key code exchange (See https://tools.ietf.org/html/rfc7636#appendix-B)
  • theme:
    • Format: String
    • Generation: static
    • Value: login_form
    • Optional: Yes
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid themes).
    • Use: Site theme

Response: HTML Site

Redirects to new URI after successful login:
URI: redirect_uri parameter
Parameters:

  • session_state:
    • Format: hex
    • Length: 65 bytes
    • Generation: static or user dependent. Has to be tested
    • Value: Not sure if this can be public
    • Use: Unknown. Maybe local use only
  • session_token_code:
    • Format: JSON web token (3 parts separated by dots. Signature algorithm, content and signature. All as base64url)
    • Generation: 1st part static, rest serverside
    • Value: 1st part {"alg":"HS256"}
    • Use: Key for future authentication
  • state:
    • Same as state parameter in request

TL;DR: We can't use the AUTH api, as redirect_uri seems to be using a whitelist. We don't know how state is generated, but it probably doesn't matter (I haven't tested making requests with a random state yet, but the login works)

EDIT: I don't know a lot about web Authentication, but I would guess that it uses OAuth 2.0, in which case the state would be random.

EDIT2: Added some values from the Switch Parental Control app

freundTech, Aug 16 '17 14:08
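The authorize request and app-URI callback described in the post above, as an added example that is not part of this issue or of the NintendoSwitchRESTAPI project: it derives the S256 challenge the way RFC 7636 Appendix B does, builds the GET URL from the parameters listed, and refuses a callback whose state does not match the one sent. Function names and the sample callback values are assumptions constructed for the example.

```python
import base64, hashlib, secrets, string
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTHORIZE_URL = "https://accounts.nintendo.com/connect/1.0.0/authorize"

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair(verifier_bytes: Optional[bytes] = None) -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method.
    verifier = base64url(32 random bytes), 43 chars; challenge =
    base64url(SHA-256(ASCII(verifier))), sent as session_token_code_challenge.
    The verifier stays on the client until the token exchange, so a leaked
    authorize URL or intercepted session_token_code alone cannot be redeemed."""
    if verifier_bytes is None:
        verifier_bytes = secrets.token_bytes(32)
    verifier = b64url(verifier_bytes)
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def make_state(length: int = 51) -> str:
    """Fresh random [a-zA-Z] state per login click (the format the issue
    observed); the client keeps it and checks it on the callback."""
    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))

def build_authorize_url(client_id: str, redirect_uri: str, scopes: list,
                        state: str, challenge: str) -> str:
    """Assemble the authorize GET URL with the parameters listed in the issue."""
    params = {
        "state": state,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "scope": " ".join(scopes),  # quote_via=quote encodes spaces as %20, not '+'
        "response_type": "session_token_code",
        "session_token_code_challenge": challenge,
        "session_token_code_challenge_method": "S256",
        "theme": "login_form",
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)

def parse_callback(redirect: str, expected_state: str) -> dict:
    """Parse the npf...://auth redirect; reject it unless state round-trips."""
    qs = parse_qs(urlparse(redirect).query, strict_parsing=True)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect is not from our login attempt")
    return {k: v[0] for k, v in qs.items()}
```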

This is great, thanks for posting! I'll add if I can find anything more about the authentication endpoints.

ZekeSnider, Aug 18 '17 00:08

the app follows rfc7637

hymm, Aug 30 '17 22:08