How to define the scope for XBOX while login with xbox in laravel

Question

Here is the code:

"https://login.live.com/oauth20_authorize.srf?client_id=" +
 process.env.MIX_LIVE_CLIENT_ID +
 "&scope=service::user.auth.xboxlive.com::MBI_SSL&response_type=code&redirect_uri=" +
 process.env.MIX_LIVE_REDIRECT_URL +
 "&state=ClientStateGoesHere"

This is the scope I have created in the microsoft azure account.

scope=service::user.auth.xboxlive.com::MBI_SSL

But I am getting below error when open the page for login using xbox.

https://example.com/sign-in?error=invalid_scope&error_description=The%20provided%20value%20for%20the%20input%20parameter%20%27scope%27%20has%20not%20been%20pre-authorized%20for%20this%20client%20application.&state=ClientStateGoesHere

Answer 1

Optional Info

I have researched a lot about this and found that Xbox live scope is a service scope that is already authorized in every client. But service scope doesn't work in response_type token. It must be set to response_type: 'code'

Your Solution

Change scope to the actual service scope of Azure AD ie XboxLive.signin and another optional scope is XboxLive.offline_access to get refresh token.

By the way, I guess the service::user.auth.xboxlive.com::MBI_SSL requires ID@Xbox to use it.

Answer 2

You need to use XboxLive.SignIn scope, I guess service::user.auth.xboxlive.com::MBI_SSL scope requires some of Xbox developer program (like ID@Xbox or Xbox Creators Program)

What's the difference between these scopes?

The service::user.auth.xboxlive.com::MBI_SSL scope allow you to get authorization from the user and the user doesn't have to authorize your application manually, but it requires some of Xbox partnership program (or something like that).

The XboxLive.SignIn scope is available to all users and apps, but it requires manual authorization from user since your app is not considered "trusted" if your app doesn't have any Xbox developer program joined.