More info on Authentication #1

Open
freundTech opened this issue Aug 16, 2017 · 2 comments

Comments


freundTech commented Aug 16, 2017

I did a bit of research and while I still don't fully understand how auth works I have some additional information. I'm creating an issue instead of a PR, as this isn't finished yet.

URL: https://accounts.nintendo.com/connect/1.0.0/authorize
Method: GET
Parameters:

  • state:
    • Length: 51 characters
    • Format: [a-zA-Z]. Not base64.
    • Generation: Unknown. New content every time the login button is clicked, even if the user didn't log in after the previous click. Probably random
    • Optional: No
    • Can be changed: Yes. Site loads content if changed and even if parameter is present but empty
    • Use: Influences session_token and is returned as state.
  • redirect_uri:
    • Format: Android App URI / iOS App URI
    • Generation: static
    • Value: npf71b963c1b7b6d119://auth (Nintendo Switch Online)
      npf54789befb391a838://auth (Nintendo Switch Parental Controls)
    • Optional: No
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid URIs).
    • Use: Site to be redirected to after successful login.
  • client_id:
    • Length: 17
    • Format: hex
    • Generation: static
    • Value: 71b963c1b7b6d119 (Nintendo Switch Online)
      54789befb391a838 (Nintendo Switch Parental Controls)
    • Optional: No
    • Can be changed: Unknown. Site reports 403 Forbidden when changing content. Probably a whitelist (TODO: Find other valid IDs).
    • Use: Client ID
  • scope:
    • Format: Space (encoded as %20) separated list
    • Generation: static
    • Value: openid user user.birthday user.mii user.screenName (Nintendo Switch Online)
      openid user user.mii moonUser:administration moonDevice:create moonOwnedDevice:administration moonParentalControlSetting moonParentalControlSetting:update moonParentalControlSettingState moonPairingState moonSmartDevice:administration moonDailySummary moonMonthlySummary (Nintendo Switch Parental Controls)
    • Optional: No
    • Can be changed: Yes. Requesting fewer permissions is possible. List can't be empty. More might be possible if valid values are known.
    • Use: List of information the app wants to access
  • response_type:
    • Format: String
    • Generation: static
    • Value: session_token_code
    • Optional: No
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid Return Types).
    • Use: What to return for authentication
  • session_token_code_challenge:
  • session_token_code_challenge_method:
    • Format: String
    • Generation: static
    • Value: S256
    • Optional: No
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid challenge methods).
    • Use: Method to use for proof for key code exchange (See https://tools.ietf.org/html/rfc7636#appendix-B)
  • theme:
    • Format: String
    • Generation: static
    • Value: login_form
    • Optional: Yes
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid themes).
    • Use: Site theme

Response: HTML Site

Redirects to new URI after successful login:
URI: redirect_uri parameter
Parameters:

  • session_state:
    • Format: hex
    • Length: 65 bytes
    • Generation: static or user dependent. Has to be tested
    • Value: Not sure if this can be public
    • Use: Unknown. Maybe local use only
  • session_token_code:
    • Format: JSON web token (3 parts separated by dots. Signature algorithm, content and signature. All as base64url)
    • Generation: 1st part static, rest serverside
    • Value: 1st part {"alg":"HS256"}
    • Use: Key for future authentication
  • state:
    • Same as state parameter in request

TL;DR: We can't use the AUTH api, as redirect_uri seems to be using a whitelist. We don't know how state is generated, but it probably doesn't matter (I haven't tested making requests with a random state yet, but the login works)

EDIT: I don't know a lot about web Authentication, but I would guess that it uses OAuth 2.0, in which case the state would be random.

EDIT2: Added some values from the Switch Parental Control app
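A client-side sketch of the flow described above, added here as an example (not code from the original issue, the app, or Nintendo): it derives the `session_token_code_challenge` from a random verifier with the S256 method of RFC 7636, assembles the authorize request from the parameters listed in the comment, and validates the callback by checking `state` before reading `session_token_code`. Whether the callback carries its parameters in the query or the fragment is an assumption; the code accepts either.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://accounts.nintendo.com/connect/1.0.0/authorize"
# Static values quoted in the issue for the Nintendo Switch Online app.
CLIENT_ID = "71b963c1b7b6d119"
REDIRECT_URI = "npf71b963c1b7b6d119://auth"
SCOPE = "openid user user.birthday user.mii user.screenName"

def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(state: str, verifier: str) -> str:
    """Assemble the GET request with the parameters listed in the issue."""
    params = {
        "state": state,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "scope": SCOPE,  # spaces become %20, as observed in the issue
        "response_type": "session_token_code",
        "session_token_code_challenge": pkce_challenge(verifier),
        "session_token_code_challenge_method": "S256",
        "theme": "login_form",
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)

def parse_redirect(uri: str, expected_state: str) -> dict:
    """Read the callback parameters and reject the response if state differs."""
    parts = urlsplit(uri)
    # Assumption: the app may put them in the query or the fragment; accept both.
    params = {k: v[0] for k, v in parse_qs(parts.query or parts.fragment).items()}
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback is not bound to our request")
    return params

def jwt_header(token: str) -> dict:
    """Decode (not verify) the first part of a JWT, e.g. {"alg":"HS256"}."""
    head = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
```

Generate `state` and the verifier with `b64url(secrets.token_bytes(32))` each; the verifier must be kept client-side for the later code exchange, and the `state` check is what ties the callback to the request that the client actually made.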

@freundTech freundTech changed the title More into on Authentication More info on Authentication Aug 17, 2017
@ZekeSnider
Owner

This is great, thanks for posting! I'll add if I can find anything more about the authentication endpoints.


hymm commented Aug 30, 2017

the app follows rfc7637
