This repository has been archived by the owner on Jan 22, 2022. It is now read-only.

investigate iOS OAuth #290

Closed
gxcreator opened this issue Sep 10, 2014 · 12 comments

Comments

@gxcreator

Hi guys, I am currently reversing the Google Music protocol on iOS devices to be able to log in using OAuth2, and I am stuck with the following: I am able to get the cookie and code (as a header) in the browser, but it is useless, because the Google service login stops at "Please wait" and does not show the code to the user.

Steps:

https://www.googleapis.com/oauth2/v3/authadvice?chrome_installed=true&client_id=228293309116.apps.googleusercontent.com&client_state=ChwIm_eo88XliL49KhAIvcOr5aUoEPPxiJLuKBgDChIiEAi-kO2ClygQn7_WsYUpGA0SAzEuMA&device_name=iPhone%2032Gb&hl=ru&lib_ver=1.0&mediator_client_id=936475272427.apps.googleusercontent.com&package_name=com.google.PlayMusic&redirect_uri=com.google.sso.228293309116%3A%2FauthCallback

returns with the login URL in the body:

{
    "advice_code": "EMBEDDED",
    "uri": "https://accounts.google.com/o/oauth2/programmatic_auth?client_id=936475272427.apps.googleusercontent.com&delegated_client_id=228293309116.apps.googleusercontent.com&scope=https://www.google.com/accounts/OAuthLogin&access_type=offline&device_name=iPhone+32Gb&auth_extension=AH-1Ng2Piw79blZ3b-BzDOVg1fxNnibTcu8JB_yHxBU34nr2EJubqO7G6yBbKG4dR28aD21FCP1K_mlz95JdUpiiBGsQI4uVZ2--Z5W6dODTTlElP5R3NYw&as=-e82ab12e6ff76cf&hl=ru",
    "client_state": "ChwIm_eo88XliL49KhAIvcOr5aUoEPPxiJLuKBgDChIiEAi-kO2ClygQ0ZzgioYpGA4SAzEuMA"
}

Then this URL will return

<html>
  <head>
    <style>
      body {
        padding-top: 100px;
      }
      img {
        display: block;
        height: 19px;
        margin: auto;
        width: 19px;
      }
      p {
        font-family: Arial, sans-serif;
        font-size: 14px;
        text-align: center;
      }
    </style>
  </head>
  <body>
    <img src="//ssl.gstatic.com/ui/v1/activityindicator/loading.gif" alt="" height="19" width="19">
    <p>Please wait...</p>
  </body>
</html>

And the code will be sent back as a cookie. But it is still not acceptable for use in web services - there is no way to get this code back (forcing the user to copy-paste cookies is a bad way lol).

Another possible way to get limited access to playlists via OAuth:

Redirect the user to a URL like

https://accounts.google.com/o/oauth2/auth?access_type=offline&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fskyjam&response_type=code&client_id=378918276402-thathobjo25mqcu1ogjefj6u2cb1ghqj.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fwww.example.com%2Foauth2callback

Then make an OAuth request to https://accounts.google.com/o/oauth2/token with the obtained code (it can be shown to the user if the redirect URI is urn:ietf:wg:oauth:2.0:oob in the previous request), and you will get a response with headers like

    { Authorization: 'Bearer ya29.fACYRO11wwVjWtQo90000zGEeet6oM_85BIeI900000000000',
     'User-Agent': 'google-api-nodejs-client/1.0.12',
     host: 'www.googleapis.com',
     accept: 'application/json' },

And with this Bearer .... token you can access https://www.googleapis.com/sj/v1beta1/playlists and other API endpoints.
But the main problem here is that I don't know how to request playlist content (the playlist list is OK via /playlists GET) via this v1beta1 interface. https://www.googleapis.com/sj/v1beta1/plentryfeed just gives empty output.
And the other API version that is available via client login gives Error 403, so only v1beta1 can be used this way.

Do you guys have any ideas on this?
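The second flow in the post above is the standard OAuth2 authorization-code exchange. The following is an added example, not code from the issue or from gmusicapi, that builds each step offline so the request pieces can be inspected before anything is sent: the authorization URL, the callback parsing, the token request body, and the resulting Bearer header. It adds a `state` value (which the post's URL does not carry) so a callback can be tied to the session that started the flow, and a `redact()` helper so the token never lands in logs. `CLIENT_ID`, `CLIENT_SECRET` and the redirect URIs are placeholders, not the values from the post; the network calls themselves are left to the caller.

```python
"""Added example (not from the issue or gmusicapi): the OAuth2 authorization-code
steps described in the post, assembled offline. CLIENT_ID / CLIENT_SECRET are
placeholders for an application's own registration, not the post's values."""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
SCOPE = "https://www.googleapis.com/auth/skyjam"        # the scope named in the post

# Placeholder registration values (assumed, not real credentials).
CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"                  # keep a real one out of source control
OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"                # user copies the code, as the post notes


def build_auth_url(client_id, redirect_uri, scope=SCOPE, state=None):
    """Step 1: the URL the user is sent to. `state` is a random per-request
    value that the callback must echo back; it ties the callback to the
    browser session that started the flow (not present in the post's URL)."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "access_type": "offline",       # also request a refresh token
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Step 2: pull `code` out of the redirect the provider issued, rejecting a
    callback whose state does not match the one generated for this session."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not for this session")
    if "error" in qs:
        raise ValueError("authorization refused: %s" % qs["error"][0])
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def token_request(code, client_id, client_secret, redirect_uri):
    """Step 3: the form body POSTed to the token endpoint to swap the one-time
    code for tokens. Returns (url, form_fields); the HTTP call is the caller's."""
    return TOKEN_ENDPOINT, {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }


def bearer_headers(token_response_json):
    """Turn the token endpoint's JSON into the Authorization header shown in
    the post. Anything other than a Bearer token is rejected."""
    tok = json.loads(token_response_json)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type %r" % tok.get("token_type"))
    return {"Authorization": "Bearer " + tok["access_token"],
            "Accept": "application/json"}


def redact(headers):
    """Copy of the headers that is safe to log: keeps the scheme, drops the token."""
    out = dict(headers)
    if "Authorization" in out:
        scheme = out["Authorization"].split(" ", 1)[0]
        out["Authorization"] = scheme + " [redacted]"
    return out
```

With the out-of-band redirect the user pastes the code into the application and `parse_callback` is skipped; with a web redirect, the callback handler must compare `state` before it touches `code`.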

@simon-weber
Owner

Nice work!

I believe the first flow you describe is what I refer to here. It's not specific to Google Music and isn't particularly helpful for us (because of the copy/paste you mentioned).

The second flow is interesting. I knew there was a GM-specific scope, but I had imagined it was restricted to the iOS endpoints. My guess is that it working for v1beta1 is a bug, and Google would probably lock it down if they knew about it.

@simon-weber
Owner

I tried the skyjam scope with the newer android api versions and it's still not enabled:

{
  "error": {
    "code": 403,
    "message": "Access Not Configured. The API is not enabled for your project, or there is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your configuration.",
    "errors": [
      {
        "domain": "usageLimits",
        "message": "Access Not Configured. The API is not enabled for your project, or there is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your configuration.",
        "reason": "accessNotConfigured",
        "extendedHelp": "https://console.developers.google.com"
      }
    ]
  }
}

I'm trying now to enable the api for a custom project. Even though skyjam isn't in the list, I do get a different response when I try to enable it than I do for nonsense api names.

@simon-weber
Owner

Bummer; I can't seem to get that to work. The request format is correct, but requesting skyjam just returns a 500.

@michael-lumley

FWIW to those who stumble across this thread - I was able to get the v1beta1 skyjam scope working by requesting https://www.googleapis.com/auth/skyjam but found that the v1beta1 scope does not have any visibility on All Access tracks.

@simon-weber simon-weber changed the title Investigating iOS OAuth and accessing playlist investigate iOS OAuth Jun 22, 2015
@simon-weber
Owner

This scope works perfectly with the ios-specific endpoints! It even allows for custom projects and redirects, meaning that combined with the music manager api, we should have roughly full functionality supported under oauth!

Here's a request example:

curl -H "Content-Type: application/json-rpc; charset=utf-8" --data-binary '{"method":"sj.tracks.list","id":"gtl_15","jsonrpc":"2.0","params":{"updated-min":0,"refresh":"0","hl":"en_US","max-results":5000,"tier":"aa"},"apiVersion":"v1.2"}' https://www.googleapis.com/rpc?prettyPrint=false

and response:

{"id":"gtl_15","result":{"kind":"sj#trackList","data":{"items":[{"kind":"sj#track","id":"aaac2686-24de-3556-9211-b97f10d40a9a","clientId":"U1G27KmofFcEL3q0p7gP+Q","creationTimestamp":"1432469236864989","lastModifiedTimestamp":"1433012408006451","recentTimestamp":"1432469252522000","deleted":false,"title":...

I'll be slowed down by my lack of an ios device, but hopefully I can borrow one from a friend to get more request examples. Or, Venmo or paypal simon@simonmweber.com a few bucks if you want to chip in towards one 😁
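The curl call above is a JSON-RPC 2.0 request, and a client should check the answer before trusting it: the response `id` has to match the request, an `error` member takes precedence over `result`, and the `kind` should be the one the method returns. The following is an added example, not code from the issue or from gmusicapi, that builds the same envelope and validates a response. The Bearer header is assumed (the curl shown omits it), and the sample response is constructed in the shape of the truncated one in the comment, with two items, one of them marked deleted.

```python
"""Added example (not from the issue or gmusicapi): build the JSON-RPC envelope
from the curl request in the comment and validate a response before using it.
SAMPLE_RESPONSE / SAMPLE_ERROR are constructed test data, not captured traffic."""
import itertools
import json

RPC_ENDPOINT = "https://www.googleapis.com/rpc?prettyPrint=false"
_ids = itertools.count(1)


def rpc_request(method, params, api_version="v1.2", access_token=None):
    """Return (url, headers, body) for one JSON-RPC 2.0 call. The id is unique
    per call so the response can be correlated; the Authorization header carries
    the Bearer token from the OAuth step (assumed; the comment's curl omits it)."""
    req_id = "gtl_%d" % next(_ids)
    body = {"method": method, "id": req_id, "jsonrpc": "2.0",
            "params": params, "apiVersion": api_version}
    headers = {"Content-Type": "application/json-rpc; charset=utf-8"}
    if access_token:
        headers["Authorization"] = "Bearer " + access_token
    return RPC_ENDPOINT, headers, json.dumps(body)


def parse_rpc_response(raw, expected_id, expected_kind=None):
    """Validate a JSON-RPC response: the id must match the request, `error`
    wins over `result`, and the result's `kind` must be what the method returns."""
    resp = json.loads(raw)
    if resp.get("id") != expected_id:
        raise ValueError("response id %r does not match request id %r"
                         % (resp.get("id"), expected_id))
    if "error" in resp:
        err = resp["error"]
        raise RuntimeError("rpc error %s: %s" % (err.get("code"), err.get("message")))
    result = resp["result"]
    if expected_kind is not None and result.get("kind") != expected_kind:
        raise ValueError("unexpected result kind %r" % result.get("kind"))
    return result


def list_track_ids(result):
    """Ids of the tracks in a sj#trackList result, skipping entries marked deleted."""
    return [t["id"] for t in result["data"]["items"] if not t.get("deleted")]


# Constructed sample data in the shape of the comment's response (not real traffic).
SAMPLE_RESPONSE = json.dumps({
    "id": "gtl_15",
    "result": {
        "kind": "sj#trackList",
        "data": {"items": [
            {"kind": "sj#track", "id": "aaac2686-24de-3556-9211-b97f10d40a9a",
             "deleted": False, "title": "Track A"},
            {"kind": "sj#track", "id": "00000000-0000-0000-0000-000000000000",
             "deleted": True, "title": "Removed track"},
        ]},
    },
})
SAMPLE_ERROR = json.dumps({
    "id": "gtl_16",
    "error": {"code": 403, "message": "Access Not Configured"},
})

if __name__ == "__main__":
    url, headers, body = rpc_request(
        "sj.tracks.list",
        {"updated-min": 0, "refresh": "0", "hl": "en_US", "max-results": 5000, "tier": "aa"},
        access_token="ya29.EXAMPLE")
    print(url, body)
    print(list_track_ids(parse_rpc_response(SAMPLE_RESPONSE, "gtl_15", "sj#trackList")))
```

Rejecting a response whose `id` does not match the request is what keeps a stale or misrouted answer from being attributed to the wrong call; the `kind` check catches a method returning something other than the list the caller expects.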

@michael-lumley

Were you able to get anything all-access related? I had this up and working, but all I ever got out of it were uploaded tracks, not all-access. What token are you sending with the request?

@simon-weber
Owner

I haven't tried anything relating to AA, but I expect it to work.

Just to be clear, #290 (comment) is using a different set of endpoints from what you mentioned in #290 (comment). It makes sense that AA information isn't returned from the ones you were using, since the api version is from before it existed.

@simon-weber
Owner

Bummer, it would appear that Google has whitelisted these endpoints to their clients since I last tried. This means:

Still, it's an improvement to have a scope that's actually limited to Google Music (unlike the mobileclient's global-access scope).

If you're interested in working on the ios protocol, here's a skeleton to work off of: https://github.com/simon-weber/gmusicapi/tree/iosclient.

@simon-weber
Owner

...maybe past Simon was wrong? I tried this just now and everything worked fine: custom consent screen, custom web redirect, and rpc request.

@ghost

ghost commented Oct 21, 2015

@simon-weber any new discoveries in this area, or anything experimental I could look at? The current way of logging in definitely has its drawbacks - sometimes generates "suspicious activity notices" from Google, for instance.

@simon-weber
Owner

18675d4 has ios oauth working and an implementation of a simple call. You can change the oauth details on 18675d4#diff-4259664e83e9b6a6330a14eeb4c02dfcR14 to your own application if you're interested in replicating the custom consent screen + redirect.

Someone looked into ios streaming in irc and found that the store id slt/sig computation is the same as on android (ie mobileclient). They didn't get library ids working (ie, those that don't start with T).

@simon-weber
Owner

Google seems to have moved away from the separate ios interface in favor of the mobileclient interface which we already have implemented, so we'll be tracking normal OAuth support over in #426 (comment).
