Migration to Microsoft accounts

[sammko]

https://www.minecraft.net/en-us/article/java-edition-moving-house.
Currently waiting for technical details, closely watching any development over at MultiMC.

[sammko]

https://wiki.vg/Microsoft_Authentication_Scheme

[sammko]

The plans of Mojang to release a solution for 3rd party launchers are, as far as i can tell, dead. The wording on the FAQ page has changed from Wait for further information to " Build and use third-party launchers at your own risk". MultiMC discord also has some information supporting this.

Will still probably wait to see how MultiMC does it, but it is likely that a proper solution will require backend infrastructure to hold the MSA private key. (Or abuse the infra that the official launcher uses, but that is probably a bad idea)

[sammko]

Idea: add an option for pulling the accessToken from the vanilla launcher. I think it can then be refreshed normally? This would require the user to login once using the vanilla launcher. It might be an okay compromise before implementing a proper solution.

[Lukasz825700516]

Hi, are there any plans on implementing new login system into picomc in nerby feature?

[sammko]

Sorry, no concrete timeline at this point

[sammko]

I did some research, we can use the device code flow, which seems the easiest to implement (no need to listen for a redirect callback) and also does not require use of the client_secret. The process would be as follows:

1. Run a picomc command, I guess picomc account authenticate <name>. This would give the user a link, currently https://www.microsoft.com/link and the code to enter there.
2. picomc can either periodically check the /token endpoint to see if the user has finished the flow, or just wait until the user confirms in the CLI that picomc can continue the flow. This returns an access_token and a refresh_token. The access_token is only valid for a short time (1 hour?), so the refresh_token needs to be stored to be able to get a new pair.
3. The access_token is used to get an XBL token
4. The XBL token is use to get an XSTS token
5. The XSTS token is used to get a classic minecraft access token which can be used to launch the game.

This flow doesn't require the Microsoft account to actually own the game, we can check that separately to warn the user.

I wanted to rewrite the account handling code first though, it's not very nice. I would like to have a look at this in the somewhat near future. I've just migrated my own account to be able to test this, so that's some motivation.

[sammko]

So it's in master now. A question which remains is whether storing the refresh_token on disk in plaintext is a good idea. It can be used at any time to acquire a valid access_token for the microsoft account to the given scopes (XboxLive.signin)

[sammko]

FWIW MultiMC does store the refresh_token on disk.

[sammko]

Support in picomc play should be added.

[Fabian42]

Is this issue related to not being able to chat in 1.19.1+ or should I create a new issue for that?

[sammko]

Have you used the prototypepicomc account create --ms accountName functionality to log in? accountName can be anything, it's just for picomc to refer to the account.

[Fabian42]

Yes, I did. Everything else works fine, just chat encryption seems to not get initialised properly. To be fair, Vanilla also has a couple bugs with that, but those usually get resolved by restarting the game. PojavLauncher (on Android) has the same issue as picomc. I'm using picomc play, would picomc instance launch work? I can test that probably in ~1½ days, as well as giving you the exact error message, if you need it.

[sammko]

Did a quick test, don't seem to have any issues. After creating the account, you also need to authenticate it, using picomc account authenticate accountName. This will give you a device code and a link to the microsoft device auth flow. Chat should work after that.
It's a bit rough around the edges and that's why this issue is still open.

[Fabian42]

"Chat disabled due to missing profile public key. Please try reconnecting."

And yes, I went through that procedure, otherwise I wouldn't be able to connect to the server anyway.