Microsoft Authentication Scheme

From wiki.vg
Revision as of 20:00, 7 December 2020 by MiniDigger (talk | contribs) (IDK what to add here)

Minecraft is moving to Microsoft accounts. Starting December 2020, all new accounts already use the new system; old accounts will be migrated later, see this blog post.

There are multiple steps and different tokens required, but in the end you get a normal Minecraft token back. Launching the game itself hasn't changed.


Microsoft OAuth Flow

In the first step, we log into the Microsoft account. This has to be done in a browser/webview! Other redirect URLs have not been tested. The client ID is hardcoded; it's Minecraft's ID.

https://login.live.com/oauth20_authorize.srf
 ?client_id=00000000402b5328
 &response_type=code
 &scope=service%3A%3Auser.auth.xboxlive.com%3A%3AMBI_SSL
 &redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf

Example of the login page: https://i.imgur.com/gy8uKGs.png (TODO: embed image)

The user will be prompted to enter a username (e-mail, Skype ID, phone number, whatever) and password. If those are valid, the user will be redirected. The user doesn't need to own MC; that check comes way later!

The redirect will look something like this:

https://login.live.com/oauth20_desktop.srf?code=codegoeshere&lc=1033

You have to extract the code param; it's your Microsoft authorization code.

Authorization Code -> Authorization Token

The next step is to get an auth token from the auth code. This isn't done in the browser, for security reasons.

POST https://login.live.com/oauth20_token.srf

Content:

Map<Object, Object> data = Map.of(
   "client_id", "00000000402b5328", // minecrafts client id again
   "code", authcode, // the code from step 1
   "grant_type", "authorization_code",
   "redirect_uri", "https://login.live.com/oauth20_desktop.srf",
   "scope", "service::user.auth.xboxlive.com::MBI_SSL"
);

Don't forget to set Content-Type: application/x-www-form-urlencoded.

The response will look like this:

{
  "token_type":"bearer",
  "expires_in":86400,
  "scope":"service::user.auth.xboxlive.com::MBI_SSL",
  "access_token":"token here",
  "refresh_token":"M.R3_BAY.token here",
  "user_id":"889ed4a3d844f672",
  "foci":"1"
}

We care about the access_token here. (TODO: check what we can do with the refresh token)

Authenticate with XBL

Now that we are authenticated with Microsoft, we can authenticate to Xbox Live.

To do that, we send:

POST https://user.auth.xboxlive.com/user/authenticate
{
   "Properties": {
       "AuthMethod": "RPS",
       "SiteName": "user.auth.xboxlive.com",
       "RpsTicket": "access_token" // your access token from step 2 here
   },
   "RelyingParty": "http://auth.xboxlive.com",
   "TokenType": "JWT"
}

Again, it will complain if you don't set Content-Type: application/json and Accept: application/json.

The response will look like this:

{
  "IssueInstant":"2020-12-07T19:52:08.4463796Z",
  "NotAfter":"2020-12-21T19:52:08.4463796Z",
  "Token":"token", // save this
  "DisplayClaims":{
     "xui":[
        {
           "uhs":"uhs" // save this
        }
     ]
  }
}

We need to save token and uhs. I have no idea what uhs stands for. (TODO: find out)
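The three steps so far (extract the code from the redirect, exchange it for an access token, send that token to XBL) as added example code; it is not from this page or any launcher, and the function names are this example's own. It builds the requests offline and parses the responses shown above, and refuses a redirect that did not land on the expected redirect_uri.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Values from the page; the function names below are this example's own.
CLIENT_ID = "00000000402b5328"      # Minecraft's hardcoded client id
REDIRECT_URI = "https://login.live.com/oauth20_desktop.srf"
SCOPE = "service::user.auth.xboxlive.com::MBI_SSL"
TOKEN_URL = "https://login.live.com/oauth20_token.srf"
XBL_URL = "https://user.auth.xboxlive.com/user/authenticate"

def extract_auth_code(redirect_url):
    # Step 1: accept the code only if the webview landed on the exact
    # redirect_uri (scheme, host, path); anything else is not our redirect.
    u, want = urlparse(redirect_url), urlparse(REDIRECT_URI)
    if (u.scheme, u.netloc, u.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect did not land on the expected redirect_uri")
    codes = parse_qs(u.query).get("code")
    if not codes or not codes[0]:
        raise ValueError("no authorization code in redirect")
    return codes[0]

def token_request(auth_code):
    # Step 2: the code -> token exchange, form-encoded exactly as the page lists.
    body = urlencode({"client_id": CLIENT_ID, "code": auth_code,
                      "grant_type": "authorization_code",
                      "redirect_uri": REDIRECT_URI, "scope": SCOPE})
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body

def access_token_from(token_response_json):
    # Sanity-check the reply before using it: bearer token with the scope we asked for.
    data = json.loads(token_response_json)
    if data.get("token_type", "").lower() != "bearer" or data.get("scope") != SCOPE:
        raise ValueError("unexpected token_type or scope in token response")
    return data["access_token"]

def xbl_request(access_token):
    # Step 3: the XBL authenticate body; the access token rides in RpsTicket.
    body = {"Properties": {"AuthMethod": "RPS",
                           "SiteName": "user.auth.xboxlive.com",
                           "RpsTicket": access_token},
            "RelyingParty": "http://auth.xboxlive.com", "TokenType": "JWT"}
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    return XBL_URL, headers, json.dumps(body)

def xbl_token_and_uhs(xbl_response_json):
    # What the page says to save from the XBL reply: Token and xui[0].uhs.
    data = json.loads(xbl_response_json)
    return data["Token"], data["DisplayClaims"]["xui"][0]["uhs"]
```

The sample responses in the test are the ones printed above with their placeholder values; the access token is a bearer secret, so keep it out of logs and only send it to the XBL endpoint.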

Authenticate with XSTS

Now that we are authenticated with XBL, we need to get an XSTS token that we can use to log in to Minecraft.

POST https://xsts.auth.xboxlive.com/xsts/authorize