Staying Logged in with new Auth Flow?

[ABaumher]

Disclaimer: I am working on GOG Galaxy's Steam Integration. I've credited this project as the basis for our new auth flow in our current readme. We don't use any code directly, and our structure is completely different so we can't do a straight port (even though i really, really want to lol.) We have looked at the service method calls you make so we could do the same. If you require any license changes for this information, let us know. We currently are under MIT license.

If i understand correctly (based on what you have at https://github.com/SteamRE/SteamKit/tree/master/Samples/1a.Authentication) we can properly store the refresh token and username, then keep the user logged in using the classic login process defined at https://github.com/SteamRE/SteamKit/tree/master/Samples/1.Logon, except provide the username and refresh token. Am i correct here? If so, i could reuse code written before i started working on this and that would be fantastic.

It seems weird that I don't have to exchange the refresh token for an access token before calling that. I found a message in the auth protobuf file that appear to deal with that, CAuthentication_AccessToken_GenerateForApp_Request, but if the refresh token is all i need, i'll ignore that message.

[yaakov-h]

My understanding is the same, the refresh token from the new APIs gets used by the classic login.

IIRC if you provide an access token instead of a refresh token, it will reject you.

[ABaumher]

Ty. Do we still need to send the cmsg heartbeats? I assume we do but thought i saw they were deprecated, idr.

[yaakov-h]

I assumed so as well, I don't remember any deprecation but I also haven't been paying close attention in months.

[ABaumher]

I'm getting rejected, both using SteamKit and our stuff, both with AccessDenied

For testing, i did
Console.WriteLine(pollResponse.RefreshToken); immediately after https://github.com/SteamRE/SteamKit/blob/master/Samples/1a.Authentication/Program.cs#L73, copied it, exited the program, then commented out all the new auth flow calls so i just had the following.:

	async void OnConnected(SteamClient.ConnectedCallback callback)
	{
		Console.WriteLine("Connected to Steam! Logging in '{0}'...", user);

		steamUser.LogOn(new SteamUser.LogOnDetails
		{
			Username = "<redacted-hard-coded-username>",
			AccessToken = "<redacted-hard-coded-refresh-token>"
		}) ;
	}

The output was Unable to logon to Steam: AccessDenied / AccessDenied

Any suggestions?

Edit: Just want to point out i wouldn't be storing the refresh token as raw text, it's enciphered and dumped to a database cache, but i have the raw copy-paste hard-coded here to test.

[yaakov-h]

I didn't need to do that in SteamRE/DepotDownloader#401

[ABaumher]

Huh. No idea then.
Looks like you have ShouldRememberPassword set to true. I left it unset, and iirc C# defaults that to false (or null if it's nullable). I can check to see if that makes a difference

Edit: The sample has persistent session set to false. Might work if that's true, let me check

[ABaumher]

Setting IsPersistentSession = true, in var authSession = await steamClient.Authentication.BeginAuthSessionViaCredentialsAsync(new AuthSessionDetails... and ShouldRememberPassword = true, in steamUser.LogOn(new SteamUser.LogOnDetails had no effect.

[ABaumher]

The only other thing i'm missing in the sample you have in DepotDownloader is a proper LoginID.
Would AccessDenied proc if, for example, i was logged on using Steam at the same time, (or any of the dozens of broken debug instances i've made over the last two weeks, for that matter)?

[yaakov-h]

It shouldn't. I haven't played with duplicate LoginIDs in a while but previously it would just kick out your other Steam instance.

[ABaumher]

Attempting to stay logged in with DepotDownloader didn't work for me. The login token list was empty. So at this point i have no idea. This may have been because i'm not overly familiar with the tool, if i'm being honest though.

[ABaumher]

Nevermind, I stay logged in with DepotDownloader. When i figure out why, I'll let you know. Is this something you'd want to make a sample for or is there potential for abuse/shady use?

[ABaumher]

My understanding is the same, the refresh token from the new APIs gets used by the classic login.

IIRC if you provide an access token instead of a refresh token, it will reject you.

This is correct. However, if you want the session token to be available after your initial login, you must have ShouldRememberPassword = true during the initial login. In other words, https://github.com/SteamRE/SteamKit/blob/master/Samples/1a.Authentication/Program.cs#L65-L69 needs to be

    steamUser.LogOn( new SteamUser.LogOnDetails
    {
        Username = pollResponse.AccountName,
        AccessToken = pollResponse.RefreshToken,
        ShouldRememberPassword = true,
    } );

Otherwise, the next time you go to use that refresh token, it's no longer valid.