403 for Session Directory URIs

[arnerak]

Hey there,

I'm trying to query session directory URIs. However I'm getting 403 Forbidden when using the XToken that the webapi is using for the other services.

When I copied the Authorization Header that Windows 10's GameBar app uses for RESTApi calls it gave me working results.
For reference, e.g.
GET https://sessiondirectory.xboxlive.com/serviceconfigs/00000000-0000-0000-0000-000066591171/sessiontemplates
should give us
{"results":["ServerLargeSession", "LargeShipSessionTemplate", "SmallShipSessionTemplate", "MediumShipSessionTemplate", "LobbySession"]}

GameBar's Authorization Header has the same XBL3.0 x=<hash>;<token> format, however both hash and token differ from xbox-webapi-csharp Authorization header, despite using the same Live account. Do you know where this hash and token info comes from?

Thanks!

[tuxuser]

Hey,

I dunno exactly which scopes the XToken of GameBar has, but its definetly entitled differently.

So it could be 2 things:

• Different scope for the token
• XToken could have be authorized with Title/Device/ServiceToken

You could try SSL decryption of Fiddler https://www.telerik.com/download/fiddler

[arnerak]

Thanks for your reply!
I'm not completely sure, but I think the session directory API is only accessible with XTokens authorized by Service tokens. Bummer!

My goal is to get the current session handle of a befriended xuid. If somebody knows an alternative besides sessiondirectory.xboxlive.com and multiplayeractivity.xboxlive.com, or a way to use them with a User token, I would be glad to hear it!
Thanks

[geosage]

did u fix this?