Authentication
Tracing Halo Waypoint's API Authentication with Google Chrome's Dev Tools
Starting with a new Chrome window (Incognito, to ensure we don't have any dangling cookies or auth state), we open the Dev Tools and enable the 'Preserve log' setting (Network -> Preserve log).
I usually filter out some of the noise by filtering on 'Documents', 'XHR' and 'Other'.
We request a URL we know requires at least Windows Authentication.
GET https://app.halowaypoint.com/en-US/Halo4/Furiousn00b/home/
- Response Cookies
app.halowaypoint.com checks whether we are authenticated (we're not) and redirects us to a signin URI.
Note: 'returnUrl' is our original GET request.
- Location Response Header
https://login.live.com/oauth20_authorize.srf
?client_id=000000004C0BD2F1
&scope=xbox.basic+xbox.offline_access
&response_type=code
&redirect_uri=https://www.halowaypoint.com/oauth/callback&state=https%253a%252f%252fapp.halowaypoint.com%252fen-US%252fHalo4%252fFuriousn00b%252fhome%252f
&locale=en-US
&display=touch
Note: 'returnUrl' is now recorded as 'state' - our original GET request.
We follow the Location Response Header redirect.
- urlPost (will require content scraping to reproduce)
https://login.live.com/ppsecure/post.srf
?client_id=000000004C0BD2F1
&scope=xbox.basic+xbox.offline_access
&response_type=code
&redirect_uri=https://www.halowaypoint.com/oauth/callback
&state=https%253a%252f%252fapp.halowaypoint.com%252fen-US%252fHalo4%252fFuriousn00b%252fhome%252f
&locale=en-US
&display=touch
&bk=1395364789
Note: 'state' - our original GET request.
- PPFT Value (will require content scraping to reproduce)
- PPSX Value (will require content scraping to reproduce)
- Response Cookies
Using the newly scraped urlPost we POST our form data.
- Request Form Data
PPFT:[Scraped PPFT]
login:[WLID Username]
passwd:[WLID Password]
LoginOptions:3
NewUser:1
PPSX:[Scraped PPSX]
type:11
i3:[(time spent (ms) on oauth20_authorize.srf page) - use a random value]
m1:1920
m2:1080
m3:1
i12:1
i17:0
i18:__MobileLogin|1,
- Location Response Header
https://www.halowaypoint.com/oauth/callback
?code=1e4d2098-b612-ebd8-afff-74230af87902
&state=https%253a%252f%252fapp.halowaypoint.com%252fen-US%252fHalo4%252fFuriousn00b%252fhome%252f
Note: 'state' - our original GET request.
- Response Cookies
We follow the Location Response Header redirect.
- Location Response Header
Note: this is our original GET request (!)
- Cookies
We follow the Location Response Header redirect.
GET https://app.halowaypoint.com/en-US/Halo4/Furiousn00b/home/
Now that we have authenticated successfully, we can see a request for the Spartan Token.
When attempting to sign in we used a gamer's stats page as our 'returnUrl'; we can instead use the Spartan Token Generator. Instead of calling:
GET https://app.halowaypoint.com/oauth/signin
?returnUrl=https%3A%2F%2Fapp.halowaypoint.com%2Fen-US%2FHalo4%2FFuriousn00b%2Fhome%2F
&locale=en-US
We can instead call:
GET https://app.halowaypoint.com/oauth/signin
?returnUrl=https%3a%2f%2fapp.halowaypoint.com%2foauth%2fspartanToken
&locale=en-US
The process remains exactly the same, except that our final redirect lands us at the Generator.
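The redirect chain above carries the original 'returnUrl' through the OAuth 'state' parameter, double percent-encoded (`%253a` -> `%3a` -> `:`), and the last section swaps that returnUrl for the Spartan Token generator. The following is an added example, not code from this wiki or from Halo Waypoint: it replays the trace offline from the Location headers shown above, checks that the 'state' sent to login.live.com comes back unchanged on the callback and decodes to a first-party https URL (the check a relying party needs before following it, since the decoded state is used as a redirect target), and builds the alternative `/oauth/signin` request.

```python
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Constructed inputs: the URLs and Location headers copied from the trace above.
SIGNIN_BASE = "https://app.halowaypoint.com/oauth/signin"
ORIGINAL_RETURN_URL = "https://app.halowaypoint.com/en-US/Halo4/Furiousn00b/home/"
SPARTAN_TOKEN_URL = "https://app.halowaypoint.com/oauth/spartanToken"
AUTHORIZE_LOCATION = (
    "https://login.live.com/oauth20_authorize.srf?client_id=000000004C0BD2F1"
    "&scope=xbox.basic+xbox.offline_access&response_type=code"
    "&redirect_uri=https://www.halowaypoint.com/oauth/callback"
    "&state=https%253a%252f%252fapp.halowaypoint.com%252fen-US%252fHalo4%252fFuriousn00b%252fhome%252f"
    "&locale=en-US&display=touch"
)
CALLBACK_LOCATION = (
    "https://www.halowaypoint.com/oauth/callback?code=1e4d2098-b612-ebd8-afff-74230af87902"
    "&state=https%253a%252f%252fapp.halowaypoint.com%252fen-US%252fHalo4%252fFuriousn00b%252fhome%252f"
)


def query_param(url: str, name: str) -> str:
    """Return the single value of a query parameter (parse_qs applies one %-decode)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {name!r} parameter, found {len(values)}")
    return values[0]


def decode_state(url: str) -> str:
    """'state' is double percent-encoded in the trace; parse_qs removed one layer,
    so one more unquote recovers the returnUrl that was passed to /oauth/signin."""
    return unquote(query_param(url, "state"))


def returns_to_first_party(return_url: str, allowed_host: str = "app.halowaypoint.com") -> bool:
    """The decoded state becomes the final redirect target, so it must stay on the
    first-party https host; otherwise the callback acts as an open redirect."""
    parts = urlsplit(return_url)
    return parts.scheme == "https" and parts.netloc.lower() == allowed_host


def build_signin_url(return_url: str, locale: str = "en-US") -> str:
    """Build the /oauth/signin request with a single-encoded returnUrl (e.g. the
    Spartan Token generator instead of a stats page, as in the last section)."""
    return SIGNIN_BASE + "?" + urlencode({"returnUrl": return_url, "locale": locale})


def check_trace() -> dict:
    """Replay the chain offline: state sent to login.live.com must come back unchanged,
    decode to the requested returnUrl, and point at the first-party host."""
    sent, returned = decode_state(AUTHORIZE_LOCATION), decode_state(CALLBACK_LOCATION)
    return {"state_round_trips": sent == returned,
            "state_is_return_url": returned == ORIGINAL_RETURN_URL,
            "safe_redirect": returns_to_first_party(returned),
            "code": query_param(CALLBACK_LOCATION, "code")}
```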