python-bna

## Here is another way without having to use the Battle.net App

Open ningmeng52022 opened this issue 1 year ago • 10 comments

Thank you, I have successfully obtained the device secret following your tutorial.

1. Retrieve SSO Token:

  • Go to https://account.battle.net/login/en/?ref=localhost. After logging in, ignore the 404 Error, but copy the token following ST= from the URL.
    • Example: EU-84902f44j57m687039586j7egdfa0a54-1165739690

2. Get Bearer Token:

  • Replace <SSO_TOKEN> with the token you got from step 1 and execute the following curl command to obtain the Bearer Token:

    curl -X 'POST' \
    'https://oauth.battle.net/oauth/sso' \
    -H "content-type: application/x-www-form-urlencoded; charset=utf-8" \
    -d "client_id=baedda12fe054e4abdfc3ad7bdea970a&grant_type=client_sso&scope=auth.authenticator&token=<SSO_TOKEN>"
    
    • Response:
      {"access_token":"XXX","token_type":"bearer","expires_in":0,"scope":"auth.authenticator","sub":"XXX"}
      
  • Copy the Bearer Token to use in steps 3, 4, or 5.

3. Get Serial & Restore Codes:

  • Use the Bearer Token to fetch the Serial and Restore Codes of an existing authenticator:

    curl -X 'GET' \
    'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator' \
    -H 'accept: application/json' \
    -H "Authorization: Bearer <BEARER_TOKEN>"
    
    • Response:
      {"Restore Code": "XXX", "Serial Number": "XXX"}
      

4. Get Existing Authenticator Device Secret:

  • Use the Bearer Token, Serial, and Restore codes to retrieve the Device Secret of an Existing Authenticator:

    curl -X 'POST' \
    'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator/device' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer <BEARER_TOKEN>" \
    -d '{
      "restoreCode": "<RESTORE_CODE>",
      "serial": "<SERIAL>"
    }'
    
    • Response:
      {"serial":"XXX","restoreCode":"XXX","deviceSecret":"XXX","timeMs":0,"requireHealup":false}
      

5. Create and Add a New Authenticator:

  • Use the Bearer Token to create and add a new authenticator to the user's account:

    curl -X 'POST' \
    'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator' \
    -H 'accept: application/json' \
    -H "Authorization: Bearer <BEARER_TOKEN>" \
    -d ''
    
    • Response:
      {"serial":"XXX","restoreCode":"XXX","deviceSecret":"XXX","timeMs":0,"requireHealup":false}
      

6. Add Authenticator to Password Manager.

  • After you have obtained the deviceSecret, convert it from hex to base32 using `echo "deviceSecret" | xxd -r -p | base32` on Linux/macOS or cryptii.com if on Windows.

  • Replace deviceSecret in the following URL: `otpauth://totp/Battle.net?secret=deviceSecret&digits=8` with the newly obtained base32 device secret, and you should have a working TOTP.

Originally posted by @BillyCurtis in https://github.com/jleclanche/python-bna/issues/38#issuecomment-1902482544

ningmeng52022 avatar Feb 26 '24 15:02 ningmeng52022

I just went through this, migrating to a new TOTP app (Byebye Authy, no thanks for terminating your Desktop app...)

A couple notes to help simplify:

  1. If you already have an authenticator, you will do steps 3 and 4 (NOT 5) - you will request the secrets for your existing Authenticator into your TOTP app.
  2. If you do NOT have an authenticator already attached, you will do step 5 (not 3 and 4), and create a new one. NOT both (If you try step 5 and already have an authenticator, you'll get an error that one is already attached - you can't attach a new one).

Also, for the HEX -> Base32 conversion, if you are on macOS, they don't include base32 by default (you can install with brew, "brew install coreutils"). However, I'd just use CyberChef (it's simpler than cryptii, doesn't store data, and works on any platform).

You can use this link: https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')To_Base32('A-Z2-7%3D')

stacksjb avatar Mar 01 '24 19:03 stacksjb
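Step 6 of the original post, and the hex-to-base32 conversion discussed in the comment above, can also be done locally so the device secret never leaves the machine. This is an added example, not code from the thread or from python-bna: the function names and the sample response are constructed, and it assumes the HMAC-SHA1 / 30-second TOTP defaults because the otpauth URI in step 6 sets only `digits=8`.

```python
import base64
import hashlib
import hmac
import json
import struct
import time
from urllib.parse import quote

# Constructed sample shaped like the step 4/5 response. The deviceSecret is the
# RFC 6238 test key ("12345678901234567890") in hex, not a real secret.
SAMPLE_RESPONSE = json.dumps({
    "serial": "XXX", "restoreCode": "XXX",
    "deviceSecret": "3132333435363738393031323334353637383930",
    "timeMs": 0, "requireHealup": False,
})


def secret_to_base32(device_secret_hex):
    """Hex deviceSecret -> base32, as `xxd -r -p | base32` does."""
    raw = bytes.fromhex(device_secret_hex.strip())  # ValueError if not hex
    return base64.b32encode(raw).decode("ascii")


def otpauth_uri(response_json, label="Battle.net"):
    """Build the step 6 URI from a step 4/5 response body."""
    secret = secret_to_base32(json.loads(response_json)["deviceSecret"])
    return f"otpauth://totp/{quote(label)}?secret={secret}&digits=8"


def totp(secret_b32, at=None, digits=8, step=30):
    """RFC 6238 code; HMAC-SHA1 and a 30 s step are assumed defaults."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    uri = otpauth_uri(SAMPLE_RESPONSE)
    print(uri)
    # Compare this with the code your TOTP app shows for the same secret.
    print(totp(uri.split("secret=")[1].split("&")[0]))
```

If the locally computed code matches what the password manager shows for the same secret, the hex-to-base32 conversion and the `digits=8` setting were applied correctly.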

I appreciate this a lot. I used this method to set up battle net with 1Password.

sbates avatar Mar 14 '24 15:03 sbates

Thanks a lot.

Worked perfectly to create a new token.

You could write that you can go to step 5 (skip 3 and 4) if you don’t have one already.

Mazwak avatar Apr 30 '24 13:04 Mazwak

works fine with gauth, just pass it via qr code

Foxtrod89 avatar May 30 '24 03:05 Foxtrod89

First step wasn't working in Firefox but it worked when I switched to Chromium. Thank you.

PoisonFrog avatar Jun 13 '24 00:06 PoisonFrog

Thanks @stacksjb, this method works.

n3ih7 avatar Jun 16 '24 03:06 n3ih7

Followed this guide and eventually got it working. I found I always got an error using the built-in macOS curl. Installed curl using Homebrew and set up the PATH to use brew curl.

I did this for kpxc and just needed to select Custom Settings in the Setup TOTP then paste in the deviceSecret

christopherthake avatar Jul 07 '24 00:07 christopherthake

Why don't I get a 404 error after the first step, but instead I'm asked to enter a validator number?

IceSoulZ avatar Jul 15 '24 11:07 IceSoulZ

> Why don't I get a 404 error after the first step, but instead I'm asked to enter a validator number?

It’s because you already have an authenticator set up. If you enter the code does it then take you to the 404 page?

BillyCurtis avatar Jul 15 '24 12:07 BillyCurtis