# Introduction

The Passport Request Security Token (RST) service, or "Passport 3.0" as it's sometimes called, is an HTTP-based authentication system that was introduced with [MSNP12](../versions/msnp12.md). The endpoint is called `RST.srf`, residing on either the `login.passport.net` or the `login.live.com` domain.

For [MSNP8](../versions/msnp8.md) to [MSNP11](../versions/msnp11.md), read the [Passport 1.4](passport14.md) article.

For [MSNP18](../versions/msnp18.md) and above, read the Request Security Token service, version 2 article. (TODO: Write this, and did I get this right?)

# Client/Request

The following sub-headers are XML elements for the client's request.

## soap:Envelope

This element has eight attributes:

* `xmlns:soap`: Is always set to `http://schemas.xmlsoap.org/soap/envelope/`.
* `xmlns:wsse`: Is always set to `http://schemas.xmlsoap.org/ws/2003/06/secext`.
* `xmlns:saml`: Is always set to `urn:oasis:names:tc:SAML:1.0:assertion`.
* `xmlns:wsp`: Is always set to `http://schemas.xmlsoap.org/ws/2002/12/policy`.
* `xmlns:wsu`: Is always set to `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd`.
* `xmlns:wsa`: Is always set to `http://schemas.xmlsoap.org/ws/2004/03/addressing`.
* `xmlns:wssc`: Is always set to `http://schemas.xmlsoap.org/ws/2004/04/sc`.
* `xmlns:wst`: Is always set to `http://schemas.xmlsoap.org/ws/2004/04/trust`.

### soap:Header

This element only contains the `<ps:AuthInfo>` and `<wsse:Security>` children.

#### ps:AuthInfo

This element has two attributes:

* `xmlns:ps`: Is always set to `http://schemas.microsoft.com/Passport/SoapServices/PPCRL`.
* `Id`: Is always set to `PPAuthInfo`.

This element has five children:

* ``: The GUID (with braces) of the client that is authenticating.
* ``: A number, usually `4`, but can be higher, or lowered to `3`.
* ``: Is always set to `1`.
* ``: This element is always empty.
* ``: A base64-encoded binary structure that appears to consist of a 32-bit little-endian integer giving the number of parameters, followed, for each parameter, by a 32-bit little-endian length and the character data of the key, then a 32-bit little-endian length and the character data of the value.

#### wsse:Security

This element only contains the `<wsse:UsernameToken>` element.

##### wsse:UsernameToken

This element has only one attribute:

* `Id`: Is always set to `user`.

This element has two children:

* ``: The XML-encoded user handle of the user authenticating.
* ``: The XML-encoded password of the user authenticating.

### soap:Body

This element only contains the `<ps:RequestMultipleSecurityTokens>` element. If there is only one [`<wst:RequestSecurityToken>`](#wstrequestsecuritytoken) element, it may replace the `<ps:RequestMultipleSecurityTokens>` element.

#### ps:RequestMultipleSecurityTokens

This element has two attributes:

* `xmlns:ps`: Is always set to `http://schemas.microsoft.com/Passport/SoapServices/PPCRL`.
* `Id`: Is always set to `RSTS`.

This element contains one or multiple [`<wst:RequestSecurityToken>`](#wstrequestsecuritytoken) elements.

# wst:RequestSecurityToken

This element has only one attribute:

* `Id`: Is set to `RST#`, with `#` incrementing every use of this element, starting from `0`.

## wst:RequestType

This element always contains the value `http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue`.

## wsp:AppliesTo

This element only contains the `<wsa:EndpointReference>` element.

### wsa:EndpointReference

This element only contains one of two mutually exclusive elements:

1. `<wsa:Address>`: By URL or domain name
2. `<wsa:ServiceName>`: By service name

#### wsa:Address

This element contains the target domain for this security token:

* `http://Passport.NET/tb`: Legacy authentication. One of these is always required (usually as `RST0`). Does not set a `<wsse:PolicyReference>`.
* `messengerclear.live.com`: The domain used for solving `MBI_KEY_OLD` challenges. Uses a policy defined by the MSNP server, which is usually `MBI_KEY_OLD`.
* `messenger.msn.com`: The usual domain for authenticating to the Messenger Service.
  Uses passport unique parameters (`?...`) defined by the MSNP server, or `?id=507` if using `messengerclear.live.com` to authenticate.
* `contacts.msn.com`: Used for the [Address Book Service](abservice.md). Uses passport unique parameters (`?...`) or `MBI` (since [MSNP15](../versions/msnp15.md)). Required since [MSNP13](../versions/msnp13.md).
* `messengersecure.live.com`: A secure version of `messenger.msn.com`, with unknown use. Uses `MBI_SSL`.
* `spaces.msn.com`: The blog service. Uses `MBI`.
* `spaces.live.com`: The blog service. Uses `MBI`.
* `livecontacts.live.com`: The Live Contacts ABI, apparently a simplified version of the [Address Book Service](abservice.md).
* `storage.msn.com`: The user storage service. Uses `MBI_SSL`. Required for [MSNP15](../versions/msnp15.md)'s roaming user content support.

#### wsa:ServiceName

This element contains the target service name for this security token:

* `p2pslc.messenger.msn.com`: The peer-to-peer "slc" service. Uses `MBI_X509_CID`.

## wst:Supporting

This optional element only exists if the [`<wsse:PolicyReference>`](#wssepolicyreference) requires it.

### wsse:BinarySecurityToken

This element has two attributes:

* `ValueType`: Usually only seen set to `http://schemas.microsoft.com/Passport/SoapServices/PPCRL#PKCS10`.
* `EncodingType`: Usually only seen set to `wsse:Base64Binary`.

This element's value is the binary token, which has only been observed to be a PKCS#10 certificate request in SHA1-RSA format (1024 bits), with the Common Name (CN) set to `MSIDCRL`.

## wsse:PolicyReference

This optional element has only one attribute:

* `URI`: The security policy of this security token:
  * `MBI_KEY_OLD`: Calculate a challenge with the binary secret from the server's `<wst:RequestedProofToken>`.
  * `MBI_KEY`: Unknown, but probably not unlike `MBI_KEY_OLD`?
  * `MBI`: No special parameters.
  * `MBI_SSL`: No special parameters and encrypted transport only.
  * `MBI_X509_CID`: Unknown, but based on user certificates. Only used with `p2pslc.messenger.msn.com`.
  * (any policy starting with `?`): Authenticate using special parameters, akin to [Passport 1.4](passport14.md).

# Server/Response

The following sub-headers are XML elements for the server's response.

## soap:Envelope

This element has only one attribute:

* `xmlns:soap`: Is always set to `http://schemas.xmlsoap.org/soap/envelope/`.

### soap:Header

This element only contains the `<psf:pp>` element.

#### psf:pp

This element has only one attribute:

* `xmlns:psf`: Is always set to `http://schemas.microsoft.com/Passport/SoapServices/SOAPFault`.

This element has nine children:

* ``: Only observed to be `1`.
* ``: The user's Passport Unique ID, expressed as a 16-bit capitalized hexadecimal stream.
* ``: The configuration version expressed as a quadruplet.
* ``: The user interface version expressed as a quadruplet.
* ``: This is always `0x48803` (`PPCRL_AUTHSTATE_S_AUTHENTICATED_PASSWORD`) for successful authentications.
* ``: This is always `0x0` for successful authentications.
* ``: This element has the server's identification string and the following four attributes:
  * `Path`: Always set to `Live1`.
  * `RollingUpgradeState`: Always set to `ExclusiveNew`.
  * `LocVersion`: Always set to `0`.
  * `ServerTime`: An ISO 8601 timestamp that specifies the time this response was generated.
* ``: This element is always empty.
* ``: This element is always empty.

### soap:Body

This element only contains the `<wst:RequestSecurityTokenResponseCollection>` element.

#### wst:RequestSecurityTokenResponseCollection

This element has six attributes:

* `xmlns:wst`: Is always set to `http://schemas.xmlsoap.org/ws/2004/04/trust`.
* `xmlns:wsse`: Is always set to `http://schemas.xmlsoap.org/ws/2003/06/secext`.
* `xmlns:wsu`: Is always set to `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd`.
* `xmlns:saml`: Is always set to `urn:oasis:names:tc:SAML:1.0:assertion`.
* `xmlns:wsp`: Is always set to `http://schemas.xmlsoap.org/ws/2002/12/policy`.
* `xmlns:psf`: Is always set to `http://schemas.microsoft.com/Passport/SoapServices/SOAPFault`.

This element contains one or multiple [`<wst:RequestSecurityTokenResponse>`](#wstrequestsecuritytokenresponse) elements.

# wst:RequestSecurityTokenResponse

This element has four required children and one optional child:

* `<wst:TokenType>`: The type of security token this `<wst:RequestSecurityTokenResponse>` is.
* `<wsp:AppliesTo>`: Defines what can use this security token.
* `<wst:RequestedSecurityToken>`: The security token itself.
* `<wst:RequestedTokenReference>`: The reference location of where the security token is stored.
* `<wst:RequestedProofToken>` (Optional): The proof token used for `urn:passport:legacy` tokens or `MBI_KEY_OLD` policies.

## wst:TokenType

This element only contains either the value `urn:passport:legacy` or `urn:passport:compact`.

## wsp:AppliesTo

This element has only one attribute:

* `xmlns:wsa`: Is always set to `http://schemas.xmlsoap.org/ws/2004/03/addressing`.

This element only contains the `<wsa:EndpointReference>` element.

### wsa:EndpointReference

This element only contains the `<wsa:Address>` element.

#### wsa:Address

This element contains the target domain for this security token:

* `http://Passport.NET/tb`: Legacy authentication. One of these is always required (usually as `RST0`). Does not set a `<wsse:PolicyReference>`.
* `messengerclear.live.com`: The domain used for solving `MBI_KEY_OLD` challenges. Uses a policy defined by the MSNP server, which is usually `MBI_KEY_OLD`.
* `messenger.msn.com`: The usual domain for authenticating to the Messenger Service. Uses passport unique parameters (`?...`) defined by the MSNP server, or `?id=507` if using `messengerclear.live.com` to authenticate.
* `contacts.msn.com`: Used for the [Address Book Service](abservice.md). Uses passport unique parameters (`?...`) or `MBI` (since [MSNP15](../versions/msnp15.md)). Required since [MSNP13](../versions/msnp13.md).
* `messengersecure.live.com`: A secure version of `messenger.msn.com`, with unknown use. Uses `MBI_SSL`.
* `spaces.msn.com`: The blog service. Uses `MBI`.
* `spaces.live.com`: The blog service. Uses `MBI`.
* `livecontacts.live.com`: The Live Contacts ABI, apparently a simplified version of the [Address Book Service](abservice.md).
* `storage.msn.com`: The user storage service. Uses `MBI_SSL`. Required for [MSNP15](../versions/msnp15.md)'s roaming user content support.

## wst:LifeTime

This element has two children:

* ``: The ISO 8601 timestamp of when this security token was generated.
* ``: The ISO 8601 timestamp of when this security token expires.

## wst:RequestedSecurityToken

This element has different children based on the value of the [`<wst:TokenType>`](#wsttokentype) element.

### [urn:passport:legacy children]

These elements are only included in `<wst:RequestedSecurityToken>` if the value of the [`<wst:TokenType>`](#wsttokentype) element is set to `urn:passport:legacy`.

#### EncryptedData

This element has three attributes:

* `xmlns`: This is always `http://www.w3.org/2001/04/xmlenc#`.
* `Id`: This is always set to `BinaryDAToken#`, with the `#` being incremented every use of the `<EncryptedData>` element starting from `0`.
* `Type`: This is always set to `http://www.w3.org/2001/04/xmlenc#Element`.

##### EncryptionMethod

This empty element has only one attribute:

* `Algorithm`: This is always set to `http://www.w3.org/2001/04/xmlenc#tripledes-cbc`.

##### ds:KeyInfo

This element has only one attribute:

* `xmlns:ds`: This is always set to `http://www.w3.org/2000/09/xmldsig#`.

This element only has one child:

* ``: Only observed to be `http://Passport.NET/STS`.

##### CipherData

This element has only one child:

* ``: Likely to be a Passport Token of some kind, just 3DES encrypted. (If you know how this is used, please contact me!)

### [urn:passport:compact children]

These elements are only included in `<wst:RequestedSecurityToken>` if the value of the [`<wst:TokenType>`](#wsttokentype) element is set to `urn:passport:compact`.

#### wsse:BinarySecurityToken

This element has only one attribute:

* `Id`: This is always set to `Compact#`, with the `#` being incremented every use of the `<wsse:BinarySecurityToken>` element starting from `0`.
This element contains the Passport token and profile parameters as an XML-encoded value (`t=token&p=profile`).

## wst:RequestedTokenReference

This element has two children:

* ``: This empty element has only one attribute:
  * `ValueType`: This is either `urn:passport` or `urn:passport:compact`.
* ``: This empty element has only one attribute:
  * `URI`: The URI that has the contents of the security token. Usually refers to the first child of the `<wst:RequestedSecurityToken>` element via its `Id` attribute, using the `#` prefix followed by the value of the `Id` attribute.

## wst:RequestedProofToken

This optional element only has one child:

* ``: The binary secret for this token.

# RST.srf

## Basic Request

*Only in [MSNP12](../versions/msnp12.md).*

### Client/Request

```
POST /RST.srf HTTP/1.1
Cache-Control: no-cache
Content-Type: text/xml; charset=utf-8
Content-Length: {data-length}

{7108E71A-9926-4FCB-BCC9-9A9D3F32E423}
4
1
AQAAAAIAAABsYwQAAAAyMDU3
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
http://Passport.NET/tb
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
messenger.msn.com
```

Where `data-length` is the total size of the XML document with the placeholders changed to their correct values.

Where `user-handle` is the XML-encoded user handle of the user to authenticate.

Where `password` is the XML-encoded password of the user to authenticate.

Where `server-args` is the parameter given to the server's response to the initial [USR](../commands/usr.md).
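The following is an added example (not code from this page's author) that puts the request structure described above into practice: it encodes and decodes the `ps:RequestParams` blob in the format the page describes, and builds a complete `RST.srf` request body with `RST0`, `RST1`, ... numbered in order and the user handle and password XML-encoded. The child element names the page leaves blank (`ps:HostingApp`, `ps:BinaryVersion`, `ps:UIVersion`, `ps:Cookies`, `ps:RequestParams`, `wsse:Username`, `wsse:Password`) follow the usual MSNP client layout and are an assumption as far as this page goes; the hosting-app GUID and the `RequestParams` value default to the ones in the Basic Request sample.

```python
# Added example, not code from the page's author: build the client request
# described above and encode/decode ps:RequestParams. The child element names
# this page leaves blank (ps:HostingApp, ps:BinaryVersion, ps:UIVersion,
# ps:Cookies, ps:RequestParams, wsse:Username, wsse:Password) follow the usual
# MSNP client layout and are an assumption here.
import base64
import struct
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

ISSUE = "http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue"
LEGACY_ADDRESS = "http://Passport.NET/tb"
PS = "http://schemas.microsoft.com/Passport/SoapServices/PPCRL"
NS = {  # the eight soap:Envelope namespace declarations, as listed on the page
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://schemas.xmlsoap.org/ws/2003/06/secext",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "wsp": "http://schemas.xmlsoap.org/ws/2002/12/policy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/03/addressing",
    "wssc": "http://schemas.xmlsoap.org/ws/2004/04/sc",
    "wst": "http://schemas.xmlsoap.org/ws/2004/04/trust",
}


def encode_request_params(pairs):
    """ps:RequestParams: u32 LE pair count, then per pair a u32 LE length plus
    the key bytes, followed by a u32 LE length plus the value bytes."""
    blob = struct.pack("<I", len(pairs))
    for key, value in pairs:
        for side in (key.encode("ascii"), value.encode("ascii")):
            blob += struct.pack("<I", len(side)) + side
    return base64.b64encode(blob).decode("ascii")


def decode_request_params(b64):
    """Inverse of encode_request_params; rejects lengths that overrun the blob."""
    raw = base64.b64decode(b64)
    (count,) = struct.unpack_from("<I", raw, 0)
    pos, pairs = 4, []
    for _ in range(count):
        sides = []
        for _ in range(2):  # key side, then value side
            (length,) = struct.unpack_from("<I", raw, pos)
            pos += 4
            if pos + length > len(raw):
                raise ValueError("RequestParams length field runs past the blob")
            sides.append(raw[pos:pos + length].decode("ascii"))
            pos += length
        pairs.append(tuple(sides))
    if pos != len(raw):
        raise ValueError("trailing bytes after the declared RequestParams pairs")
    return pairs


def build_rst_request(user_handle, password, tokens,
                      hosting_app="{7108E71A-9926-4FCB-BCC9-9A9D3F32E423}",
                      binary_version="4", request_params=(("lc", "2057"),)):
    """tokens: [(wsa:Address, wsse:PolicyReference URI or None), ...], one
    wst:RequestSecurityToken each, numbered RST0, RST1, ... in order."""
    if not any(address == LEGACY_ADDRESS for address, _ in tokens):
        raise ValueError("a http://Passport.NET/tb request (usually RST0) is always required")
    rsts = []
    for i, (address, policy) in enumerate(tokens):
        policy_xml = f"<wsse:PolicyReference URI={quoteattr(policy)}/>" if policy else ""
        rsts.append(
            f'<wst:RequestSecurityToken Id="RST{i}">'
            f"<wst:RequestType>{ISSUE}</wst:RequestType>"
            "<wsp:AppliesTo><wsa:EndpointReference>"
            f"<wsa:Address>{escape(address)}</wsa:Address>"
            "</wsa:EndpointReference></wsp:AppliesTo>"
            f"{policy_xml}</wst:RequestSecurityToken>")
    xmlns = " ".join(f'xmlns:{prefix}="{uri}"' for prefix, uri in NS.items())
    # escape() is what "XML-encoded" means for the handle and password: a
    # value containing & or < must not be able to break out of its element.
    return (
        f"<soap:Envelope {xmlns}><soap:Header>"
        f'<ps:AuthInfo xmlns:ps="{PS}" Id="PPAuthInfo">'
        f"<ps:HostingApp>{hosting_app}</ps:HostingApp>"
        f"<ps:BinaryVersion>{binary_version}</ps:BinaryVersion>"
        "<ps:UIVersion>1</ps:UIVersion><ps:Cookies></ps:Cookies>"
        f"<ps:RequestParams>{encode_request_params(request_params)}</ps:RequestParams>"
        '</ps:AuthInfo><wsse:Security><wsse:UsernameToken Id="user">'
        f"<wsse:Username>{escape(user_handle)}</wsse:Username>"
        f"<wsse:Password>{escape(password)}</wsse:Password>"
        "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body>"
        f'<ps:RequestMultipleSecurityTokens xmlns:ps="{PS}" Id="RSTS">'
        + "".join(rsts) +
        "</ps:RequestMultipleSecurityTokens></soap:Body></soap:Envelope>")


def request_token_ids(xml_text):
    """Parse a request back into (Id, wsa:Address) pairs: a self-check that the
    document is still well-formed after escaping the credentials."""
    root = ET.fromstring(xml_text)
    return [(rst.get("Id"),
             rst.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS))
            for rst in root.iter(f"{{{NS['wst']}}}RequestSecurityToken")]
```

The `AQAAAAIAAABsYwQAAAAyMDU3` value from the Basic Request sample decodes with `decode_request_params` to the single pair `lc` = `2057` (which looks like a Windows locale identifier), so the byte layout described for `ps:RequestParams` matches the observed value. The request carries the password as plain element text, which is why the envelope is only ever sent over TLS to the named login hosts; the `escape()` calls are what keeps a handle or password containing `&` or `<` from breaking out of its element.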
### Server/Response

*NOTE: The legacy Passport token has been removed to prevent issues with scrolling.*

```
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 3557

1
0000000100000002
3.0.869.0
3.0.869.0
0x48803
0x0
yellows111 2024.11.22.14.45.20
urn:passport:legacy
http://Passport.NET/tb
2024-11-22T14:45:20Z
2024-11-22T14:45:20Z
http://Passport.NET/STS
[[removed intentionally]]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
urn:passport:compact
messenger.msn.com
2024-11-22T14:45:20Z
2024-11-22T14:45:20Z
t=token&p=profile
```

## With contacts.msn.com

*Only in [MSNP13](../versions/msnp13.md) and [MSNP14](../versions/msnp14.md).*

### Client/Request

```
POST /RST.srf HTTP/1.1
Cache-Control: no-cache
Content-Type: text/xml; charset=utf-8
Content-Length: {data-length}

http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
http://Passport.NET/tb
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
messenger.msn.com
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
contacts.msn.com
```

Where `data-length` is the total size of the XML document with the placeholders changed to their correct values.

Where `user-handle` is the XML-encoded user handle of the user to authenticate.

Where `password` is the XML-encoded password of the user to authenticate.

Where `server-args` is the parameter given to the server's response to the initial [USR](../commands/usr.md).
### Server/Response

*NOTE: The legacy Passport token has been removed to prevent issues with scrolling.*

```
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 4382

1
0000000100000002
3.0.869.0
3.0.869.0
0x48803
0x0
yellows111 2024.11.22.14.45.20
urn:passport:legacy
http://Passport.NET/tb
2024-11-22T14:45:20Z
2024-11-22T14:45:20Z
http://Passport.NET/STS
[[removed intentionally]]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
urn:passport:compact
messenger.msn.com
2024-11-22T14:45:20Z
2024-11-22T14:45:20Z
t=token&p=profile
urn:passport:compact
contacts.msn.com
2024-11-22T14:45:20Z
2024-11-22T14:45:20Z
t=token&p=profile
```

## With MBI\_KEY\_OLD

*Since [MSNP15](../versions/msnp15.md).*

### Client/Request

```
POST /RST.srf HTTP/1.1
Cache-Control: no-cache
Content-Type: text/xml; charset=utf-8
Content-Length: {data-length}

http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
http://Passport.NET/tb
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
messengerclear.live.com
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
messenger.msn.com
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
contacts.msn.com
```

Where `data-length` is the total size of the XML document with the placeholders changed to their correct values.

Where `user-handle` is the XML-encoded user handle of the user to authenticate.

Where `password` is the XML-encoded password of the user to authenticate.
*NOTE: Technically `MBI_KEY_OLD` is just defined by the server's response to the initial [USR](../commands/usr.md).*

### Server/Response

*NOTE: The legacy Passport token has been removed to prevent issues with scrolling.*

```
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 5427

1
0000000100000002
3.0.869.0
3.0.869.0
0x48803
0x0
yellows111 2024.11.22.14.45.20
urn:passport:legacy
http://Passport.NET/tb
2024-11-22T14:45:20Z
2024-11-22T14:45:20Z
http://Passport.NET/STS
[[removed intentionally]]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
urn:passport:compact
messengerclear.msn.com
2024-11-22T14:45:20Z
2024-11-22T14:45:20Z
t=token&p=profile
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
urn:passport:compact
messenger.msn.com
2024-11-22T14:45:20Z
2024-11-22T14:45:20Z
t=token&p=profile
urn:passport:compact
contacts.msn.com
2024-11-22T14:45:20Z
2024-11-22T14:45:20Z
t=token&p=profile
```
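As an added example (not code from this page's author or from Microsoft), the following parser consumes a server response of the shape documented under Server/Response and shown in the samples above, and refuses to hand out any token unless the `psf:pp` header reports `reqstatus` `0x0` and `authstate` `0x48803`, the token's `wst:LifeTime` has not expired, and the `wst:RequestedTokenReference` URI (`#Compact0` and so on) resolves to a `wsse:BinarySecurityToken` inside the same `wst:RequestSecurityTokenResponse`. Child element names the page does not spell out (`psf:reqstatus`, `psf:authstate`, `psf:PUID`, `wsu:Created`, `wsu:Expires`, `wsse:Reference`) are assumed from the usual MSNP response layout, and the embedded `SAMPLE_RESPONSE` is constructed for this example rather than captured.

```python
# Added example, not code from the page's author or from Microsoft: validate a
# server response before trusting the tokens in it. Child element names this
# page does not spell out (psf:reqstatus, psf:authstate, psf:PUID, wsu:Created,
# wsu:Expires, wsse:Reference) are assumed from the usual MSNP response layout,
# and SAMPLE_RESPONSE below is constructed for this example.
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "psf": "http://schemas.microsoft.com/Passport/SoapServices/SOAPFault",
    "wst": "http://schemas.xmlsoap.org/ws/2004/04/trust",
    "wsse": "http://schemas.xmlsoap.org/ws/2003/06/secext",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsp": "http://schemas.xmlsoap.org/ws/2002/12/policy",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/03/addressing",
}
AUTHENTICATED_PASSWORD = "0x48803"  # PPCRL_AUTHSTATE_S_AUTHENTICATED_PASSWORD

# Constructed sample: one legacy and one compact token, mirroring the page's
# "Basic Request" response but with a one-day token lifetime.
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header><psf:pp xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
<psf:serverVersion>1</psf:serverVersion><psf:PUID>0000000100000002</psf:PUID>
<psf:authstate>0x48803</psf:authstate><psf:reqstatus>0x0</psf:reqstatus>
</psf:pp></soap:Header>
<soap:Body><wst:RequestSecurityTokenResponseCollection
 xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
 xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
<wst:RequestSecurityTokenResponse>
<wst:TokenType>urn:passport:legacy</wst:TokenType>
<wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<wsa:EndpointReference><wsa:Address>http://Passport.NET/tb</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
<wst:LifeTime><wsu:Created>2024-11-22T14:45:20Z</wsu:Created><wsu:Expires>2024-11-23T14:45:20Z</wsu:Expires></wst:LifeTime>
<wst:RequestedSecurityToken><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="BinaryDAToken0"
 Type="http://www.w3.org/2001/04/xmlenc#Element"><CipherData><CipherValue>placeholder</CipherValue></CipherData>
</EncryptedData></wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>
<wst:RequestSecurityTokenResponse>
<wst:TokenType>urn:passport:compact</wst:TokenType>
<wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<wsa:EndpointReference><wsa:Address>messenger.msn.com</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
<wst:LifeTime><wsu:Created>2024-11-22T14:45:20Z</wsu:Created><wsu:Expires>2024-11-23T14:45:20Z</wsu:Expires></wst:LifeTime>
<wst:RequestedSecurityToken><wsse:BinarySecurityToken Id="Compact0">t=EXAMPLE-TOKEN&amp;p=EXAMPLE-PROFILE</wsse:BinarySecurityToken></wst:RequestedSecurityToken>
<wst:RequestedTokenReference><wsse:KeyIdentifier ValueType="urn:passport:compact"/><wsse:Reference URI="#Compact0"/></wst:RequestedTokenReference>
</wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>"""


def _iso(stamp):
    """wst:LifeTime timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_rst_response(xml_text, now_iso):
    """Return {wsa:Address: {token, profile, puid, expires}} for each compact
    token; raise if psf:pp reports a failure, a token is already expired, or a
    wsse:Reference does not resolve inside its own RequestSecurityTokenResponse."""
    root = ET.fromstring(xml_text)
    now = _iso(now_iso)
    pp = root.find("soap:Header/psf:pp", NS)
    if pp is None:
        raise ValueError("response has no psf:pp header")
    status = pp.findtext("psf:reqstatus", namespaces=NS)
    state = pp.findtext("psf:authstate", namespaces=NS)
    if status != "0x0" or state != AUTHENTICATED_PASSWORD:
        raise PermissionError(f"not authenticated: reqstatus={status} authstate={state}")
    puid = pp.findtext("psf:PUID", namespaces=NS)
    tokens = {}
    path = "soap:Body/wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse"
    for rstr in root.iterfind(path, NS):
        if rstr.findtext("wst:TokenType", namespaces=NS) != "urn:passport:compact":
            continue  # urn:passport:legacy carries 3DES EncryptedData this code cannot read
        address = rstr.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS)
        expires = _iso(rstr.findtext("wst:LifeTime/wsu:Expires", namespaces=NS))
        if expires <= now:
            raise ValueError(f"token for {address} expired at {expires.isoformat()}")
        ref = rstr.find("wst:RequestedTokenReference/wsse:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        # Resolve "#Compact0" only against this response's own RequestedSecurityToken.
        bst = next((b for b in rstr.iterfind("wst:RequestedSecurityToken/wsse:BinarySecurityToken", NS)
                    if uri.startswith("#") and b.get("Id") == uri[1:]), None)
        if bst is None:
            raise ValueError(f"token reference {uri!r} does not resolve for {address}")
        # "t=token&p=profile": split on & and the first = only; the page does not
        # describe the token alphabet, so no percent-decoding is applied.
        fields = dict(part.split("=", 1) for part in bst.text.split("&"))
        tokens[address] = {"token": fields["t"], "profile": fields.get("p", ""),
                           "puid": puid, "expires": expires.isoformat()}
    return tokens
```

The checks are ordered so that a failed authentication is rejected from the header alone before any token is looked at, and a token is only accepted when its reference resolves within the same response entry, so a stray `Id` elsewhere in the document cannot be substituted for the one the server issued. Legacy `urn:passport:legacy` entries are skipped rather than rejected, since their `EncryptedData` contents are opaque to the client as the page describes them.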