More info on Authentication #1

@freundTech

Description

I did a bit of research, and while I still don't fully understand how auth works, I have some additional information. I'm creating an issue instead of a PR, as this isn't finished yet.

URL: https://accounts.nintendo.com/connect/1.0.0/authorize
Method: GET
Parameters:

  • state:
    • Length: 51 characters
    • Format: [a-zA-Z]. Not base64.
    • Generation: Unknown. New content every time the login button is clicked, even if the user didn't log in after the previous login button click. Probably random.
    • Optional: No
    • Can be changed: Yes. Site loads content if changed and even if parameter is present but empty
    • Use: Influences session_token and is returned as state.
  • redirect_uri:
    • Format: Android App URI / iOS App URI
    • Generation: static
    • Value: npf71b963c1b7b6d119://auth (Nintendo Switch Online)
      npf54789befb391a838://auth (Nintendo Switch Parental Controls)
    • Optional: No
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid URIs).
    • Use: Site to be redirected to after successful login.
  • client_id:
    • Length: 17
    • Format: hex
    • Generation: static
    • Value: 71b963c1b7b6d119 (Nintendo Switch Online)
      54789befb391a838 (Nintendo Switch Parental Controls)
    • Optional: No
    • Can be changed: Unknown. Site reports 403 Forbidden when changing content. Probably a whitelist (TODO: Find other valid IDs).
    • Use: Client ID
  • scope:
    • Format: Space (encoded as %20) separated list
    • Generation: static
    • Value: openid user user.birthday user.mii user.screenName (Nintendo Switch Online)
      openid user user.mii moonUser:administration moonDevice:create moonOwnedDevice:administration moonParentalControlSetting moonParentalControlSetting:update moonParentalControlSettingState moonPairingState moonSmartDevice:administration moonDailySummary moonMonthlySummary (Nintendo Switch Parental Controls)
    • Optional: No
    • Can be changed: Yes. Requesting fewer permissions is possible. List can't be empty. More might be possible if valid values are known.
    • Use: List of information the app wants to access
  • response_type:
    • Format: String
    • Generation: static
    • Value: session_token_code
    • Optional: No
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid Return Types).
    • Use: What to return for authentication
  • session_token_code_challenge:
  • session_token_code_challenge_method:
    • Format: String
    • Generation: static
    • Value: S256
    • Optional: No
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid challenge methods).
    • Use: Method to use for Proof Key for Code Exchange (see https://tools.ietf.org/html/rfc7636#appendix-B)
  • theme:
    • Format: String
    • Generation: static
    • Value: login_form
    • Optional: Yes
    • Can be changed: Unknown. Site reports 400 Bad Request when changing content. Probably a whitelist (TODO: Find other valid themes).
    • Use: Site theme

Response: HTML Site

Redirects to new URI after successful login:
URI: redirect_uri parameter
Parameters:

  • session_state:
    • Format: hex
    • Length: 65 bytes
    • Generation: static or user dependent. Has to be tested
    • Value: Not sure if this can be public
    • Use: Unknown. Maybe local use only
  • session_token_code:
    • Format: JSON Web Token (3 parts separated by dots: signature algorithm, content and signature, all as base64url)
    • Generation: 1st part static, rest serverside
    • Value: 1st part {"alg":"HS256"}
    • Use: Key for future authentication
  • state:
    • Same as state parameter in request

TL;DR: We can't use the auth API, as redirect_uri seems to be using a whitelist. We don't know how state is generated, but it probably doesn't matter (I haven't tested making requests with a random state yet, but the login works).

EDIT: I don't know a lot about web authentication, but I would guess that it uses OAuth 2.0, in which case the state would be random.

EDIT2: Added some values from the Switch Parental Control app
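The request documented above is a standard OAuth 2.0 authorization request using PKCE (RFC 7636) with the S256 challenge method, and the redirect carries the `state` back so the client can tie the response to its own request. The following Python is an added example, not code from this issue or from the NintendoSwitchRESTAPI project: it generates a `code_verifier` and its S256 challenge per RFC 7636, a random 51-character `[a-zA-Z]` state like the one the app sends, builds the authorize URL from the static Nintendo Switch Online values listed above, checks the returned `state` on the redirect, and decodes the header segment of `session_token_code`. The redirect URL in the demo is constructed; the endpoint that exchanges `session_token_code` for a token is not described in this issue and is not shown.

```python
import base64
import hashlib
import json
import secrets
import string
from urllib.parse import parse_qs, quote, urlencode

# Endpoint and static parameter values as listed in the issue (Nintendo Switch Online app).
AUTHORIZE_URL = "https://accounts.nintendo.com/connect/1.0.0/authorize"
CLIENT_ID = "71b963c1b7b6d119"
REDIRECT_URI = "npf71b963c1b7b6d119://auth"
SCOPE = "openid user user.birthday user.mii user.screenName"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: 32 random octets -> 43 unreserved characters.
    return b64url(secrets.token_bytes(32))


def make_s256_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_state(length: int = 51) -> str:
    # Random [a-zA-Z] string; 51 characters matches what the app sends.
    # Its job is to bind the redirect back to this request (anti-CSRF), so it
    # must be unpredictable and checked on return; its exact format is irrelevant.
    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))


def build_authorize_url(state: str, challenge: str) -> str:
    params = {
        "state": state,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "scope": SCOPE,
        "response_type": "session_token_code",
        "session_token_code_challenge": challenge,
        "session_token_code_challenge_method": "S256",
        "theme": "login_form",
    }
    # quote_via=quote encodes the spaces in scope as %20 rather than '+'.
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


def parse_redirect(redirect_url: str, expected_state: str) -> dict:
    """Split the redirect sent to redirect_uri and verify state.

    The query is split by hand because the app-scheme URI (npf...://auth) is not http(s).
    """
    query = redirect_url.split("?", 1)[1] if "?" in redirect_url else ""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    # Reject the redirect unless state matches the one we generated (constant-time compare).
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: redirect was not produced by our request")
    return params


def jwt_header(token: str) -> dict:
    """Decode the first (header) segment of a JWT, restoring base64url padding."""
    segment = token.split(".")[0]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


if __name__ == "__main__":
    verifier = make_code_verifier()  # keep this secret until the token exchange
    state = make_state()
    print(build_authorize_url(state, make_s256_challenge(verifier)))
    # Constructed redirect (not a real Nintendo response); the token header segment is
    # base64url of {"alg":"HS256"}, the value the issue reports for the first part.
    fake = (f"{REDIRECT_URI}?session_state=00"
            f"&session_token_code=eyJhbGciOiJIUzI1NiJ9.e30.sig&state={state}")
    returned = parse_redirect(fake, state)
    print(jwt_header(returned["session_token_code"]))
```

`make_s256_challenge` reproduces the RFC 7636 Appendix B test vector, so it can be checked against the spec directly. The verifier is never sent with the authorize request, only its challenge; the client presents the verifier later, which is why the redirect (and the `session_token_code` it carries) is useless to anyone who did not generate the original request.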

Activity

changed the title [-]More into on Authentication[/-] [+]More info on Authentication[/+] on Aug 17, 2017
ZekeSnider (Owner) commented on Aug 18, 2017

This is great, thanks for posting! I'll add if I can find anything more about the authentication endpoints.

hymm commented on Aug 30, 2017

the app follows rfc7637

More info on Authentication · Issue #1 · ZekeSnider/NintendoSwitchRESTAPI