A feedback area designed for scripting and mods suggestions and feedback. Please note bug reports and support issues will be removed.

Return XUIDs on the Mojang API or add game profiles to MSA (oAuth)

7 Comments

  • 1
    Moondog8627 commented

    I've been writing a Discord bot to allow Minecraft players to run limited RCON commands. Currently I verify them by sending an OTP to their players in game. Would be nice if I could verify them using a Mojang OAuth2 API instead.

  • 1
    QUIQUELHAPPY commented

    @Moondog8627 that's for sure, and it would be safer in case you decide to make it public, so no man-in-the-middle could affect the end result and verify players on their behalf.

  • 1
    squeegily commented

    Is there really no current way through the XBL API for 3rd-party server and website operators to verify that a user owns a game?

  • 1
    QUIQUELHAPPY commented

    @squeegily I did try using XBL, got it working, but sadly I was not able to exchange session tokens for Minecraft-related data. Still, an official way of doing it would be way better, as XBL is probably not really the ideal in terms of the legal part, aand... their server, yeah. Their servers have been soooo slow... It's really just not user friendly (so far).

  • 1
    QUIQUELHAPPY commented

    This request has been mostly satisfied by Microsoft allowing custom non-official projects to hook into Minecraft's relying party! This means this is already possible. XUIDs are NOT returned, but Mojang UUIDs and usernames are (good enough!). If you want to learn how to implement this new oAuth flow, check out https://wiki.vg/Microsoft_Authentication_Scheme

    Thank you so much Microsoft and Mojang for allowing this type of login flow! I actually didn't expect the oAuth login flow to be publicly accessible before account migration was fully finished.

    Keep up the good work migrating the old accounts.

  • 1
    Melly Dow commented

    I was quite concerned to see that when they said you will keep your Java username it might mean we are stuck using the Old Mojang API outdated system. XUIDs could rid us of many username / UUID on Java based exploits that keep happening like Duplicate account invalid names or not being able to target users due to it. UUIDs are hard to obtain or know anyways as it's not implicitly shown or taught in-game. With XUIDs you can just target their Xbox account and simply target them with a command that way and it will still function.

    I'm shocked they didn't ditch their old system just because users wanted to keep their names when they could just implement XUIDs and add a display name system so anyone can have whatever name they want, while still being able to target specific users as is standard in other name change systems in games.

    The Xbox Gamertags, Xbox profile, & Java account username all not matching only adds to the confusion and honestly it'd be better if they just used your Xbox live name anyways for recognizability; you have to keep track of 3 names now instead of just 2 as well as two different UUID systems (Java UUIDs and Bedrock/Xbox XUIDs).

    While the AUTH does work now with tokens, I still think this will only create more confusion down the road because of the edition divide.

  • 1
    Melly Dow commented

    This also causes problems for old servers running outdated plugins that use usernames instead of UUIDs (or the coming XUIDs) so this creates more confusion and the potential for duplication, corruption, or just general bugginess and errors on the server-side about two users but they are actually 1. Would the server even recognize the player anymore? Would it give them their inventory from years ago or would it be wiped or unobtainable as the server doesn't know it's them? The backwards compatibility of AUTH here with older versions of Minecraft will cause some things to break in legacy versions.

    Moondog8627

    That is also what worries me if they don't AUTH from the official Mojang endpoint. Token exploits have already existed for sessionIDs (which are still stored locally on the system and even have emails and passwords) which would seem unnecessary now.