New Steam login flow

[xPaw]

Making this issue for collecting observations.

Implementation in JS: DoctorMcKay/node-steamcommunity#292

Even Steam client uses this flow, and it no longer uses login keys for remembering password, instead it uses new access_token field in the login message. There's also refresh_token, but I don't know how will the client decide when it needs to refresh the token.

Their tokens (and cookies) are JWT tokens, you can base64 decode it and see its expiration.

For web, the jwt token expires in a day, and when it does it will redirect to login.steampowered.com which has a separate JWT token cookie set (if remember password, it expires in 207 days).

When auth has confirmation_type 6, it will do a call to /jwt/checkdevice. When login. subdomain has steamMachineAuth cookie set, this will return true and it will avoid asking for an email code.

The protos: https://github.com/SteamDatabase/Protobufs/blob/master/steam/steammessages_auth.steamclient.proto

[fcastrocs]

You can use refresh_token or access_token to log in to steamcommunity
I've implemented both methods here.
https://github.com/fcastrocs/steam-web

[Adios22]

When can we expect new SteamKit version?

[psychonic]

When can we expect new SteamKit version?

When it's ready.