Screenshots endpoint not pulling in the latest content

[nightsurge]

As of March 13th, Microsoft implemented some sort of changes to their API which now prevents newly captured screenshots from being returned from the mediahub or screenshotsmetadata endpoints. I believe this is all down to changes in their authentication or Signed Requests flow.

Has signed requests been implemented and actually used in this project yet? Or has anyone had a chance to look into this? I believe the maintainer of XboxReplay-Auth/API has figured out a way to get the latest information, and I know he has posted here in the past as well.

[nightsurge]

@tuxuser can you clarify how to actually use the request signer in the current examples/flow? I am trying to integrate it, as it's not currently being used, but I think it is needed.

[nightsurge]

Are there any maintainers that have had a chance to look into this? Is there any guidance on how to use the SignedRequests logic? Sorry for pinging so many people, but I can see this being a huge blocker in the near future if all new content is locked behind AUTH level changes or SignedRequests.

@tuxuser @hunterjm @Nereg @fuyutsuki @JamesTheAwesomeDude @Landcross ?

[James-E-A]

@nightsurge I'm not a maintainer, but I can tell you that the maintainers would appreciate if if you would help us help you on this request/report, such as:

• links to anybody else talking online (press release, forum thread, git commit, news report, etc.) about this — I'm not seeing anything from that other guy you mentioned
• just a quick rudimentary example code we can use to get our eyeballs on what's boutta change; I, for one, don't have an XBox, so I can't just make a screenshot at the drop of a hat. Is there any other way to get the necessaries for reproducing this?

[tuxuser]

It's not really a response that you would like or help the matter much, but current situation is the following:

• The Request signing implementation was written with the library httpx in mind, because it allows tunneling HTTP requests through some custom serializer (aka. Get URL path, headers and body) and pre-serialize the body so a distinct Signature can be calculated.
• Currently however, xbox-webapi >v2.0 is utilizing aiohttp which does NOT support that in an easy fashion, so it's not possible to use RequestSigner at this moment.

To see request signing in action, check out the authentication route in https://github.com/OpenXbox/xcloud-python

Cheers

@JamesTheAwesomeDude thanks for hinting the proper direction how issues should be created :) appreciated!

[nightsurge]

@JamesTheAwesomeDude @tuxuser

For example, when getting the latest screenshots for my gamertag, NightSurgeX2 / xuid = 2674682457276710, the most recent one that appears is either Rocket League or Destiny 2 (depending on the contract version and how weird Xbox API is being that day). However, the REAL most recent screenshot I have is from Outriders, as evidenced when I use the official Xbox mobile app to view my captures. It only shows up on Official apps right now.

I now have hundreds of users reporting this to me, that their recent screenshots are not showing up, so it definitely is widespread, but so far only isolated to Screenshots. I believe the owner of the XboxReplay repo, which has made bugs/contributions to this project in the past, has it working on some new authentication layer that he is using. Perhaps he could shed some light on it for us?

https://github.com/XboxReplay/xboxlive-auth/tree/4.0.0 @Alexis-Bize

[tuxuser]

@nightsurge
The code is there, look for something called auth - https://github.com/OpenXbox/xcloud-python

[Alexis-Bize]

👋 Right, xcloud-python has the correct scheme :) As said, I'm not sure that divulging the signing procedure is right as It may have a negative impact regarding user's security (or targeted games) if it's coupled with a custom Azure application on a non verified / partner website. My 2 cents though.

[nightsurge]

@Alexis-Bize I was able to get signing routine figured out, but it does appear that signing isn't the only piece. I also need to add the new overall authentication flow and I can't get past the part of requiring a manual entry and the auth via the browser. Has anyone figured out how to do this auth flow using their own Azure app config and get the updated auth tokens using Device, Title, and User/Access token when getting the final Xbox Live XSTS token?

[Alexis-Bize]

@nightsurge Right, I'm currently using it on HaloDotAPI services (Cryptum, Leaderboards, XUGC, etc.).

• https://cryptum.halodotapi.com/auth/redirect
• https://leaderboards.halodotapi.com

Note: The main issue with MediaHub (and *metadata endpoints) is that, even with a "signed" token, you won't be able to fetch other users' screenshots (clips are not impacted at the moment). Only the owner may retrieve them.

There's so many cases to handle so I'm using HaloDotAPI as a POC before implementing everything on XboxReplay.

[nightsurge]

@Alexis-Bize can we continue this conversation on Twitter DM, or can you send me your email/discord or something so we can chat further. I'm really interested to see the flow you used in order to get user sign on working.

I am aware of the issue with only the users' content being returned using the new auth/token, but that should not be a problem in my app/scenarios I am looking at going forward. I do have a verified Azure app and have many contacts within Microsoft/Xbox, but unfortunately none in the right place to find answers on these auth changes haha...

[nightsurge]

Is this resolved now?

[tuxuser]

No, not yet.

• Needs to be tested whether the XAL tokens enable more results from the endpoints
• XboxLiveClient / Session instances need to be abstracted, to be created from Sisu/XAL tokens