Discussion on usage

[ningmeng52022]

          ## Here is another way without having to use the Battle.net App 

1. Retrieve SSO Token:

• Go to https://account.battle.net/login/en/?ref=localhost. After logging in, ignore the 404 Error, but copy the token following ST= from the URL.
  • Example: EU-84902f44j57m687039586j7egdfa0a54-1165739690

2. Get Bearer Token:

• Replace <SSO_TOKEN> with the token you got from step 1 and execute the following curl command to obtain the Bearer Token:

  curl -X 'POST' \
  'https://oauth.battle.net/oauth/sso' \
  -H "content-type: application/x-www-form-urlencoded; charset=utf-8" \
  -d "client_id=baedda12fe054e4abdfc3ad7bdea970a&grant_type=client_sso&scope=auth.authenticator&token=<SSO_TOKEN>"

  • Response:

    {"access_token":"XXX","token_type":"bearer","expires_in":0,"scope":"auth.authenticator","sub":"XXX"}

• Copy the Bearer Token to use in steps 3, 4. or 5.

3. Get Serial & Restore Codes:

• Use the Bearer Token to fetch the Serial and Restore Codes of an existing authenticator:

  curl -X 'GET' \
  'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator' \
  -H 'accept: application/json' \
  -H "Authorization: Bearer <BEARER_TOKEN>"

  • Response:

    {"Restore Code": "XXX", "Serial Number": "XXX"}

4. Get Existing Authenticator Device Secret:

• Use the Bearer Token, Serial, and Restore codes to retrieve the Device Secret of an Existing Authenticator:

  curl -X 'POST' \
  'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator/device' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <BEARER_TOKEN>" \
  -d '{
    "restoreCode": "<RESTORE_CODE>",
    "serial": "<SERIAL>"
  }'

  • Response:

    {"serial":"XXX","restoreCode":"XXX","deviceSecret":"XXX","timeMs":0,"requireHealup":false}

5. Create and Add a New Authenticator:

• Use the Bearer Token to create and add a new authenticator to the users account :

  curl -X 'POST' \
  'https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator' \
  -H 'accept: application/json' \
  -H "Authorization: Bearer <BEARER_TOKEN>" \
  -d ''

  • Response:

    {"serial":"XXX","restoreCode":"XXX","deviceSecret":"XXX","timeMs":0,"requireHealup":false}

6. Add Authenticator to Password Manager.

• After you have obtianed the deviceSecret convert it from hex to base32 using echo "deviceSecret" | xxd -r -p | base32 on Linux/macOS or cryptii.com if on Windows

• Replace deviceSecret in the following URL: otpauth://totp/Battle.net?secret=deviceSecret&digits=8 with the newly obtained base32 device secret, and you should have a working TOTP.

Originally posted by @BillyCurtis in #38 (comment)

[stacksjb]

I just went through this, migrating to a new TOTP app (Byebye Authy, no thanks for terminating your Desktop app...)

A couple notes to help simplify:

1. If you already have an authenticator, you will do steps 3 and 4 (NOT 5) - you will request the secrets for your existing Authenticator into your TOTP app.
2. If you do NOT have an authenticator already attached, you will do step 5 (not 3 and 4), and create a new one.
   NOT both (If you try step 5 and already have an authenticator, you'll get an error that one is already attached - you can't attach a new one).

Also, for the HEX-> Base32 conversion, If you are on MacOS, they don't include base32 by default (you can install with brew, "brew install coreutils"). However, I'd just use Cyberchef (it's simpler than cryptii, doesnt' store data, and works on any platform.)

You can use this link: https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')To_Base32('A-Z2-7%3D')

[sbates]

I appreciate this a lot. I used this method to setup battle net with 1Password.

[Mazwak]

Thanks a lot.

Worked perfectly to create a new token.

You could write that you can go to step 5 (skip 3 and 4) if you don’t have one already.

[Foxtrod89]

works fine with gauth, just pass it via qr code

[PoisonFrog]

First step wasn't working in Firefox but it worked when I switched to Chromium. Thank you.

[n3ih7]

Thanks @stacksjb, this method works.

[christopherthake]

Followed this guide and eventually got it working. I found I always got an error using the built-in macos curl. Installed curl using homebrew and setup the PATH to use brew curl.

I did this for kpxc and just needed to select Custom Settings in the Setup TOTP then paste in the deviceSecret

[IceSoulZ]

Why don't I get a 404 error after the first step, but instead I'm asked to enter a validator numbe

[BillyCurtis]

Why don't I get a 404 error after the first step, but instead I'm asked to enter a validator numbe

It’s because you already have an authenticator setup. if you enter the code does it then take you to the 404 page?

[vbezhenar]

Thanks a lot. It worked for me as of today. I skipped steps 3 and 4. I'm using native Apple password manager, it works just fine.

To clarify: I removed my existing authenticator first, then I logged in blizzard.com, then followed the steps.

[viccarmel]

The following is returned when executing step 3

How should I deal with this?
please help

[vbezhenar]

Still works as of today.

I'd also add tiny snippet for hex -> base32 decoding using python (because macOS does not have base32 binary):

python3 -c 'import base64; print(base64.b32encode(base64.b16decode(input().upper())))'

[Lan-Zou]

steps 3, 4. or 5.
Response 401
ask for help me