Improved Microsoft OAuth Flow

[ReinforceZwei]

As discussed before, MSA sign-in process requires Microsoft Azure account. Without an Azure account, we will need to "steal" a client ID from other's. The redirect page was also restricted (i.e. we cannot make our own page).

To improve the sign-in process, I have registered an Azure account. This enables us to configure our own redirect URL and webpage to show after signing-in, instead of a blank page. We could add instructions on our redirect page to help user understand what to do next.

Although the example below is using my own domain for redirection, the next plan is to make use of the GitHub Page to host our webpage for redirection.

Azure oauth flow

1. Open link in browser and sign-in
   https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=54473e32-df8f-42e9-a649-9419b0dab9d3&response_type=code&redirect_uri=https%3A%2F%2Fmccteam.github.io%2Fredirect.html&scope=XboxLive.signin%20offline_access%20openid%20email&prompt=select_account&response_mode=fragment

2. Redirect to landing page with code after successful login
   Landing page can be controlled by us (e.g. a fancy webpage)

3. Copy code to MCC

4. MCC send POST request to the URL
   https://login.live.com/oauth20_token.srf

Body content type must be application/x-www-form-urlencoded

client_id=54473e32-df8f-42e9-a649-9419b0dab9d3&client_secret=MbH7Q~~UPIybhpAELRKMjSXO6Ar_9A5w-uUw5&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fmccteam.github.io%2Fredirect.html&code={code from step 3}

Redirect URL should be encoded

5. Receive access token + refresh token

6. Continue authenticate as before (Should be with xbox live this step)

Task to do:

• Modify current MSA sign-in code to use our own Client ID
• Optionally implement refresh token caching
• Make a fancy redirect page

[ORelio]

Good job! Maybe MCC could start a localhost web server for the duration of the login process so that the user is redirected back to MCC once logged in? Not sure if Azure would allow this.

[ReinforceZwei]

localhost server is allowed, but it will not work if MCC is not running on local machine such as VPS.

[ReinforceZwei]

There are two OAuth methods for getting Microsoft account access token, auth code grant and implicit grant. Both of them have their own pros and cons.

Method	Refresh Token	Require client secret	Require redirect page
auth code grant	Yes	Yes	Yes
implicit grant	No	No	No

Client secret has a maximum lifetime of 2 years, which mean we have to change the secret when it expired.

The lifetime of the refresh token is longer than access token (default is 90 days). If we could cache the refresh token, user will only have to sign-in once and will be kept signed-in for a long period of time, which is a huge advantage for the user.

@ORelio Which method would you consider?

[ORelio]

I never used neither of them, but after researching a bit, the auth code grant seems closer to the existing mechanism of Mojang api. Clients automatically generate a secret, and store session in the form of a refresh token to avoid re-logging everytime. Since session check happens again with auto-relog, maybe auth code grant, although more complex, would be more convenient because it minimizes the amount of login prompts? 🤔

[ReinforceZwei]

BTW Azure allows inviting user to become an administrator and assign role for managing application. @ORelio you can give me the email of your Microsoft Account if you want to join then I will invite you.

[ORelio]

Temporarily written it as a comment so you should find it in your email notifications.

[ReinforceZwei]

I cannot find the temporary comment you have mentioned in my mailbox. Would you mind sending it to my email [email protected]?

[ObscenityIB]

localhost server is allowed, but it will not work if MCC is not running on local machine such as VPS.

what about SSH tunneling in the case of a remote server
I use that to connect to a mysql daemon that disallows remote connections

[ReinforceZwei]

It might work if you can forward http request to the remote server using localhost:<some port> as the address.

[ObscenityIB]

Hows this going, build latest today, no auth cache so far, have to keep pasting the link over and over.
So a fix for that would save a lot of pain.

[ReinforceZwei]

I was thinking to implement refresh token caching together in PR #1827. Maybe I'll do that in a separated PR and merge that first.

[ObscenityIB]

Nice, tested and works great, cache works, and even the browser opens over X11.

Now I just need to figure out why every server i try says unable to ping ip.