Miguel Cartaxo asked

LoginWithXbox on Windows returning "Not Authorized by Title" error

Hello,

We're in the process of porting our game to the Microsoft Store on Windows, but we've encountered a problem during the login procedure. We use PlayFab as our backend for managing player accounts, and we can log in successfully on the store. After that, we get the player's token by calling XalUserGetTokenAndSignatureSilentlyAsync() for the URL "https://playfabapi.com/" (POST), and we get a valid token.

During the second part of the login procedure we try to log in to PlayFab's backend, and in this case we use PlayFabClientAPI::LoginWithXbox(), passing the token we've just acquired. We assume this is the right PlayFab function call, as we want to connect through the Xbox Live service. But a login error is returned: a 403 HTTP code "Forbidden" with the error "NotAuthorizedByTitle - Action not authorized by title".

Do we need to enable some option in Microsoft Partner Center or in our game's PlayFab product page to have the login work? If so, where can we find it?

Thanks


1 Answer

brendan answered

That error means that your title has been configured to not allow that API call (API Access Policy - PlayFab | Microsoft Docs). Which is a good best practice - we always recommend that teams disable all the API calls they're not using when they ship their games. But yes, it can trip you up when you circle back to add new functionality. You can check your current API Policy with Authentication - Get Policy (PlayFab Admin) | Microsoft Docs and you can update it with Authentication - Update Policy (PlayFab Admin) | Microsoft Docs.


Miguel Cartaxo commented:

Hi Brendan,

Thanks for the suggestion, that was the issue; we revised our API call whitelist and that issue is solved. However, we are now getting an "InvalidXboxLiveToken" error, but the token we get from XalUserGetTokenAndSignatureSilentlyAsync() seems correct.

Begin of a token:

XBL3.0 x=*;eyJlbmMiOiJBMTI4Q0JDK0hTMjU2IiwiYWxnIjoiUlNBLU9BRVAiLCJjdHkiOiJKV1QiLCJ6aXAiOiJERUYiLCJ4NXQiOiJ0aVkxX3VwVmVyeHVPd2tTM0lhVndjVi1pUHcifQ.U024hKp2WbRrdodT

Any ideas? Do we need to do some other setup on our PlayFab product page?

brendan replied to Miguel Cartaxo:

Tokens do start with "XBL3.0=", so that looks like it could be correct. Do you have a Fiddler capture of the exchange?

Miguel Cartaxo replied to brendan:

I'm unable to get a correct Fiddler capture. If I have Fiddler running I get "Request timeout or null response", and the only thing I can see related to PlayFab is a tunnel to request (attached).

When I call XalUserGetTokenAndSignatureSilentlyAsync(), does the POST request to "https://playfabapi.com/" need a specific header or body?

Attachment: 54-full.txt (1.9 KiB)

Miguel Cartaxo commented:

The order of the functions is pretty much the flow. We get the token in CacheXboxLiveToken(), if that's successful we call XboxLoginSuccess() and save the token in UserContextMap.

Afterwards, we try to log in to PlayFab with BeginLoginWithXBLAccount(): first we get the token we've cached by calling TryGetPlatformAuthToken() and GetAuthToken(), which we've verified return the same token that we got in the first place with CacheXboxLiveToken(); then we create the request with the token and make the request itself.

brendan replied to Miguel Cartaxo:

Yes, when I looked at it earlier, I just skimmed it, so I didn't notice the way you were using your AsyncBlock, so no worries there.

But I just looked at the log for your call again, and this is one of those "if it was a snake it would have already bitten me" things - I was looking for something more complex. The issue is that the token isn't for a user - it's for "all users" (allUsers = true).

Tokens can contain more than one person, since you can have multiple people signed in on a console. The x value ("XBL3.0 x={some number}") tells us what specific user to look for in the token. If you look at your tokens, you'll see that yours have "XBL3.0 x=*", which means "all users in this token", which doesn't allow us to use it to sign in an individual. For completeness, "XBL3.0 x=-" is also possible - it means "no users in this token".

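A client-side preflight check for the user selector brendan describes above, as an added example that is not code from this thread or from the XAL/PlayFab SDKs. It assumes that the selector for a single user is a decimal number (from the "x={some number}" description) and that everything after the first ';' is the encrypted JWT; the XUID used in the test is a constructed value.

```cpp
#include <optional>
#include <string>
#include <string_view>

// Classification of the user selector in an "XBL3.0 x=<selector>;<jwt>" token.
enum class XblTokenUser { SingleUser, AllUsers, NoUsers, Malformed };

struct XblTokenInfo {
    XblTokenUser kind = XblTokenUser::Malformed;
    std::string selector;   // raw text between "x=" and the ';'
    std::string payload;    // the (encrypted) JWT that follows the ';'
};

// Parse the token prefix and classify its user selector:
//   x=<number> -> one specific user (the only form LoginWithXbox can sign in)
//   x=*        -> all signed-in users
//   x=-        -> no user at all
XblTokenInfo InspectXblToken(std::string_view token) {
    XblTokenInfo info;
    constexpr std::string_view prefix = "XBL3.0 x=";
    if (token.substr(0, prefix.size()) != prefix) return info;   // not an XBL3.0 token
    const size_t semi = token.find(';', prefix.size());
    if (semi == std::string_view::npos || semi + 1 >= token.size()) return info;  // no JWT part
    info.selector = std::string(token.substr(prefix.size(), semi - prefix.size()));
    info.payload  = std::string(token.substr(semi + 1));
    if (info.selector == "*")      info.kind = XblTokenUser::AllUsers;
    else if (info.selector == "-") info.kind = XblTokenUser::NoUsers;
    else if (!info.selector.empty() &&
             info.selector.find_first_not_of("0123456789") == std::string::npos)
        info.kind = XblTokenUser::SingleUser;   // assumption: a numeric selector is one user
    return info;
}

// Call this before building the LoginWithXbox request. Returns a reason when the
// token must not be sent, so the failure is diagnosed locally instead of as a
// generic InvalidXboxLiveToken response from the backend.
std::optional<std::string> WhyNotLoginWithXbox(std::string_view token) {
    switch (InspectXblToken(token).kind) {
        case XblTokenUser::SingleUser: return std::nullopt;
        case XblTokenUser::AllUsers:   return "token is for all users (x=*); request it for one user";
        case XblTokenUser::NoUsers:    return "token contains no user (x=-)";
        default:                       return "token is not a well-formed XBL3.0 token";
    }
}
```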
Jørgen Havsberg Seland commented:

@brendan When you say playfab is a base service, I assume that this means that any relying party setup on our part will actually just break things?

One part of the relying party setup is the encryption key used by XBL to encrypt the xbox tokens before sending them to the user. Presumably, since you are a base service, you have your own setup for this.

Us adding a relying party configuration likely overrides this with our encryption key, causing the tokens to be encrypted for our eyes only, making playfab unable to decrypt the JWT token and extract the claims.

Is this a reasonable hypothesis?

brendan replied to Jørgen Havsberg Seland:

As a base service, no specific Relying Party setup should be required. Having one shouldn't impact use of PlayFab, but to be safe, I would recommend removing it.
