Back to minecraftBack to minecraft.net

A feedback area designed for scripting and mods suggestions and feedback. Please note bug reports and support issues will be removed.

← Scripting and Mods
19
Follow

Return XUIDs on the Mojang API or add game profiles to MSA (oAuth)

As it has been recently announced, the existing Minecraft Java Edition accounts will be slowly ported to the Xbox Live platform. This is amazing, as it will improve security and centralize account management. With this new announcement I was hyped, since this change might finally offer a long requested feature, oAuth login. Since you can get the Xbox Live profile data using MSA, a login-to-verify system can be easily coded, allowing server owners to give players the options to login to their server websites using their linked Microsoft account. This is amazing as it would be the first time account verification can be done without an untrusted third party service (so far, most services use a technique that requires players to login to an auth server and enter a code).

Minecraft Bedrock Edition usernames are matching gamertags on the Xbox Live platform. Since there is a huge number of Mojang accounts, Minecraft Java Edition usernames won't probably match Xbox gamertags, creating an username and gamertag mismatch that might raise problems when using MSAL. I've thought about two solutions to this problem so far. Neither of these are already implemented on MSA or Mojang's API, that's why I'm creating a feature request.

  • Returning XUID or gamertag on Mojang's API /profile/ endpoints
  • Returning a 'game profile' object on the MSA service including individual game usernames or IDs

EDIT: It is working now (for UUIDs and Usernames [NOT XUIDS]), Yay!

Avatar
Registered User shared this idea

6 Comments

Please sign in to leave a comment.

Sorted by oldest
  • 1
    Registered User commented
    Comment actions Permalink

    I've been writing a discord bot to allow minecraft players run limited rcon commands. Currently I verify them by sending an OTP to their players in game. Would be nice if I could verify them using a mojang oauth2 api instead

  • 1
    Registered User commented
    Comment actions Permalink

    @Moondog8627 that's for sure, and it would be safer in case you decide to make it public, so no man-in-the-middle could affect the end result and verify players on their behalf.

  • 1
    Registered User commented
    Comment actions Permalink

    Is there really no current way through the XBL API for 3rd-party server and website operators to verify that a user owns a game?

  • 1
    Registered User commented
    Comment actions Permalink

    @squeegily I did try using XBL, got it working, but sadly I was not able to exchange session tokens for Minecraft-related data. Still, an official way of doing it would be way better, as XBL is probably not really the ideal in terms of the legal part, aand... their server, yeah. they server have been soooo slow... It's really just not user friendly (so far)

  • 1
    Registered User commented
    Comment actions Permalink

    This request has been mostly satisfied by Microsoft allowing custom non-official projects to hook into Minecraft's relying party! This means this is already possible. XUIDs are NOT returned, but Mojang UUIDs and usernames are (good enough!). If you want to learn how to implement this new oAuth flow, check out https://wiki.vg/Microsoft_Authentication_Scheme

    Thank you so much Microsoft and Mojang for allowing this type of login flow! I actuallly didn't expect the oAuth login flow being publicly accessible before account migration becoming fully finished.

    Keep up the good work migrating the old accounts.

  • 0
    Registered User commented
    Comment actions Permalink

    Letting users login to your app using the "Authentication Scheme" way using microsoft oauth generates a token which can be used to login to the game and that token is shared with the website or am i missing something? This is way too much access granted to an app that should not be able to login to the game but rather only needs to retrieve the uuid of the logged in user…