Microsoft account log in

[maxsupermanhd]

I assume Yggdrasil authentication system can not log in with Microsoft credentials since it failed for me, is there a way to authenticate with migrated account?

[Tnze]

By following this guide you can get the mc access token which is called AsTk in go-mc, the username and the uuid. Then fill these into your client.Auth.

The progress is not provided by go-mc. Because it involves calling browser and handling redirect. And the user of go-mc should chose the appropriate implement scheme as needed.

[maxsupermanhd]

Yeah, thank you so much, having to implement or use web view for this things is so wrong however people at mineflayer made a very interesting thing, they are showing you some kind of an authorization code to enter on a microsoft website that allow them to proceed a log in. It looks like an easy thing to implement too, no need to even touch client credentials - just prompt to log in via browser.

[Tnze]

That could be a good idea. Just like we do half of works and expose the interface of browser things.

However Microsoft is making a great improve of security, the author of third-party launcher never hold the user's password and collect it in the dark - either browser or web view is a black-box for most developer.

[maxsupermanhd]

So I spent few (6) hours and designed web-view based authentication scheme, should I open PR or you will just take a look and decide? This authorization hell indeed require window so I created one with https://github.com/webview/webview but it can not close because of issue 588 however it is fully functional and I even joined multiplayer server. Have no idea how this passing to browser works but regardless - it is really complex and there is no shortcuts: Microsoft, XBL, XSTS, MC and profile.

P.S. I don't actually care about it implementing here, I did it inside my other project just for myself. I will invite you to repo for you to check out if you decide.

[maxsupermanhd]

Also, it is not a black box, in my implementation I cache Microsoft authorization forever since I got token and refresh token. Sure credentials will be not touched (can be still sniffed with js injection tho) but token is something you can not revoke easily when with credentials you are just changing password or whatever (2fa is for masterminds I suppose at this point (I have it on my Microsoft account and suggest everyone else))

[Tnze]

But can you send your token to another device (for example, the IP address is changed) and keep it works good?

[maxsupermanhd]

But can you send your token to another device (for example, the IP address is changed) and keep it works good?

Yes it does.

[Tnze]

I'll check it tomorrow.

[Tnze]

Can I use BSD library (golang.org/x/oauth2) in MIT project?

[spbinns]

Can I use BSD library (golang.org/x/oauth2) in MIT project?

Yes

https://softwareengineering.stackexchange.com/questions/278126/is-it-legal-to-include-bsd-licensed-code-within-an-mit-licensed-project

[maxsupermanhd]

Also for some reason I was completely blind, it is called device authorization flow and it is very similar to what I have now, just replaces browser with redirect for a pooling of url with code with a bit of a logic. Should I implement it and open PR or you will take it a try by yourself?

[Tnze]

I would like to have a try.

[maxsupermanhd]

Well, I was impatient https://github.com/maxsupermanhd/go-mc-ms-auth

[Tnze]

That's cool. You can link to your lib from my readme so that others can know.

Then I'll give up implementing this in go-mc. Just give me the Name, UUID and AsTk, and then it will works.