2fa support for microsoft accounts #791
Comments
@MrGeorgen what would you expect would be the interface in this case?
yeah that's one way or open the url automatically in the standard browser
Downstream projects may want to implement this in different ways. I'd suggest a callback with the URL as the argument, and the default callback would be printing to console.
I have a couple of methods I could look into adding this. The primary issue with using 2FA is that it requires human involvement.
Didn't have much time tonight to think about it. Will see about it in the morning.
A simple solution is to just use the token in the launcher accounts json. This is already done for mojang accounts, it should be relatively simple to make that its own authentication method, it doesn’t have to be tied to mojang accounts. Sending the user to a page is also possible, and once the auth is complete the website will callback to the app requesting the auth. The only problem here is it requires hosting a webserver on the nmp side on localhost so the browser can redirect to it. And it gets a bit complicated for people hosting mineflayer on remote machines. To do it this way, first we’d need to implement session refreshing otherwise the users would have to sign in manually every time. Re the device tokens, maybe that could work.
Might I add it might be even more difficult for multi-user bots to auth. It would get time consuming. @extremeheat Any chance you know of any documentation for the launcher files? Microsoft Authentication abandons the use of Formatting of the msa_credentials file needs to be documented before I can implement it.
Launcher_accounts.json is still used. It has the final access token used to talk to the Minecraft api/session server. I took a look at the msa credentials file, it seems to cache info from the Xbox api which is undocumented. Mojang uses a library to implement the Xbox auth, and that library is closed source, so you’ll have to reverse engineer it. Basically, the flow is: get ms auth token with Xbox scope -> get Xbox user tokens -> get XSTS -> send to Minecraft api -> mc api verifies xsts with xbox api -> server returns mc api/session server token. The Xbox user token data is stored in the msa credentials file, and it can be refreshed and used to obtain an XSTS token. But again, it’s not necessary to do this other than to be able to refresh the token. The simple fix I mentioned was to just use the mojang API token in the launcher accounts json. This is used to talk to session server and has not changed. If it expires we can just have the user login again on the official launcher. The official launcher also has support for multiple accounts at the same time. The code to do this was already created by @ph0t0shop, it just needs to be decoupled from the mojang account code.
Currently working on 2FA support for nmp. Here's the rundown for what we need to do though.
When the xsts token has expired, use the stored refresh token to get a fresh accesstoken (see https://docs.microsoft.com/en-us/advertising/guides/authentication-oauth-live-connect?view=bingads-13#refresh-accesstoken) and go to step 3. Kudos to the @XboxReplay team for helping figure this out.
Sounds like a lot of this should be implemented outside of nmp, possibly into the library. This isn’t Minecraft related and can be used for other non-nmp projects. The browser based way is already known, and it’s documented on wiki.vg, the problem with that was that it does not work headless. So if you run a bot for example on a remote server/the cloud, this is not an option, which is why I proposed pushing tokens. Also the current auth is very much hit or miss, it doesn’t work for me when I tried it (no 2FA) and there’s several other issues of it not working too. This is why I mentioned the hosting webserver part: the ms oauth lets you redirect to any url to send the return data to, so we can host a server in Xbox auth library, wait for an HTTP callback -> take tokens and store them. The tokens can then be refreshed later. Also maybe the XboxReplay team can look into using the device tokens? So the web server would not be needed at all.
As mentioned in discord, using https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code seems pretty reasonable
Next time we go directly to step 5
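The device code flow linked above, combined with the earlier suggestion of a callback that receives the URL, as an added example (not code from node-minecraft-protocol or from anyone in this thread). The `post` and `sleep` helpers, the `consumers` authority and the client ID are assumptions supplied by the caller; the polling error codes are the ones defined for this grant in RFC 8628 and the Microsoft documentation.

```javascript
// Added example: device code sign-in with a caller-supplied callback.
// Assumptions: post(url, form) resolves to the parsed JSON body of the response,
// sleep(ms) resolves after ms, and clientId is your own Azure app registration.
const AUTHORITY = 'https://login.microsoftonline.com/consumers/oauth2/v2.0'
const GRANT = 'urn:ietf:params:oauth:grant-type:device_code'

// Pure decision step: map one token-endpoint response to the next action.
function nextAction (body, intervalSec, deadlineMs, nowMs) {
  if (body.access_token) return { done: true, tokens: body }
  if (nowMs >= deadlineMs || body.error === 'expired_token') {
    return { done: true, error: 'device code expired, restart the flow' }
  }
  switch (body.error) {
    case 'authorization_pending': // user has not finished signing in (or 2FA) yet
      return { done: false, intervalSec }
    case 'slow_down': // RFC 8628: back off by 5 seconds and keep polling
      return { done: false, intervalSec: intervalSec + 5 }
    case 'authorization_declined':
      return { done: true, error: 'user declined sign-in' }
    default:
      return { done: true, error: `token endpoint error: ${body.error}` }
  }
}

async function deviceCodeLogin ({ clientId, scope, post, sleep, onCode, now = Date.now }) {
  const dc = await post(`${AUTHORITY}/devicecode`, { client_id: clientId, scope })
  // Hand the URL and user code to the caller; the default prints to the console.
  const notify = onCode || (c => console.log(`Open ${c.verification_uri} and enter ${c.user_code}`))
  notify(dc)
  const deadline = now() + dc.expires_in * 1000
  let interval = dc.interval || 5
  for (;;) {
    await sleep(interval * 1000)
    const body = await post(`${AUTHORITY}/token`, {
      grant_type: GRANT, client_id: clientId, device_code: dc.device_code
    })
    const step = nextAction(body, interval, deadline, now())
    if (step.done && step.error) throw new Error(step.error)
    if (step.done) return step.tokens // do not log; the refresh token is a long-lived credential
    interval = step.intervalSec
  }
}
```

Because the human completes the sign-in (including any second factor) in their own browser, this works on a headless host without a localhost redirect listener.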
I'm a little bit unsettled, is it working now or not? Because I get an error and I don't know how I can use my MC Microsoft account to sign in. If it is possible, how? And if not, when could it be possible?
@MikeMottonix it works only sometimes.
@extremeheat is going to implement this I believe. I had a sudden loss in the family and I am needed somewhere else for the time being. If it's not started by Saturday I'll start it.
Reviewing this right now with @azure/msal-node. It seems that in order to use device code authentication you need an Azure app registered, I get 400s when trying to use the Minecraft client ID (00000000402b5328) or the Xbox Live app one in the XboxReplay library we're currently using. It seems to work fine if using one registered on Azure (that are in the UUID form). This might be due to the authority, I've tried So to do this I think either the maintainers can make an Azure app to handle the auth, or people using the library will have to individually register their own apps. There's steps on the page rom1504 posted, basically to get the client ID:
For anyone that has a Microsoft account with Minecraft, try the fix in #806 |
Nice that Microsoft accounts are now supported. Would be nice if 2 factor authentication could also be added