
No 2FA support whatsoever

Open Alluseri opened this issue 1 year ago • 8 comments

Which might be a library issue, but there's also no ability to log in through authtoken (or it's highly undocumented).

Alluseri avatar Nov 06 '23 04:11 Alluseri

What kinda Authtoken do you mean? The Minecraft one?

3arthqu4ke avatar Nov 13 '23 11:11 3arthqu4ke

> What kinda Authtoken do you mean? The Minecraft one?

Yeah, that.

Alluseri avatar Nov 14 '23 03:11 Alluseri

The account gets stored in HeadlessMC/auth/.account.json:

{
  "type": "msa",
  "name": "3arthqu4ke",
  "id": "<id>",
  "token": "<token>",
  "refreshToken": "<refresh token>",
  "xuid": "<xuid>",
  "clientId": "<clientId>"
}

3arthqu4ke avatar Nov 14 '23 22:11 3arthqu4ke

> The account gets stored in HeadlessMC/auth/.account.json:
>
> {
>   "type": "msa",
>   "name": "3arthqu4ke",
>   "id": "<id>",
>   "token": "<token>",
>   "refreshToken": "<refresh token>",
>   "xuid": "<xuid>",
>   "clientId": "<clientId>"
> }

Alright, that will do it, thanks. Issue can be closed if you're not planning to seek a 2FA implementation.

Alluseri avatar Nov 17 '23 10:11 Alluseri

Thank you! I will keep it open, but idk when I will get around to doing it.

3arthqu4ke avatar Nov 18 '23 10:11 3arthqu4ke

I think as of December 18th 2023, Minecraft has completely moved away from Mojang accounts. Funnily, people who have the authenticator app connected to their Microsoft Account actually receive a request to accept the login. Unfortunately, headlessmc throws the error from #91 at the same time the request enters the auth app.

For people reading this and searching for a solution:

  • Go to your Microsoft Account (which you use to log in to minecraft.net)
  • Make sure the password that you set is strong enough
  • Completely disable Two-Factor authentication and remove the AuthApp as a login method.

Disclaimer: Disabling Two-Factor is definitely not recommended and potentially puts your Microsoft Account at risk! (Fun Fact: Just noticed that I have daily login requests coming from China on my account)

Also, even after headlessmc manages to log in with your credentials and retrieves the token information, as soon as Two-Factor is re-enabled the tokens become invalid again.

joshuademarco avatar Jan 15 '24 19:01 joshuademarco

For now you could also try logging in with the -webview option, but I can see this could be an issue if you have no screen available. You could log in like that on your machine, then take the HeadlessMC/auth/.account.json and copy it onto the machine that you do not have a display for.

From what I have seen up to now, there is not really an API to do 2 factor auth with; to implement it I would need to automate the webview. I could imagine that something like that could be done with a Selenium-like framework, e.g. jbrowserdriver.

3arthqu4ke avatar Feb 02 '24 01:02 3arthqu4ke
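
The .account.json described above holds a live access token and refresh token, so a copy moved onto another machine is worth checking before use. The following is an added example for POSIX systems, not HeadlessMC code: the function names and sample values are constructed, and the key list is taken from the JSON posted in this thread.

```python
import json
import os
import stat
import tempfile

# Keys shown in the .account.json posted in this thread.
REQUIRED_KEYS = {"type", "name", "id", "token", "refreshToken", "xuid", "clientId"}
SECRET_KEYS = {"token", "refreshToken"}


def audit_account_file(path, fix=False):
    """Return (findings, redacted_account) for a copied .account.json (hypothetical helper)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit exposes the tokens
        findings.append(f"mode {mode:04o} lets other local users read the tokens")
        if fix:
            os.chmod(path, 0o600)
            findings.append("mode tightened to 0600")
    with open(path, encoding="utf-8") as fh:
        account = json.load(fh)
    missing = REQUIRED_KEYS - account.keys()
    if missing:
        findings.append("missing keys: " + ", ".join(sorted(missing)))
    if account.get("type") != "msa":
        findings.append(f"unexpected account type: {account.get('type')!r}")
    # Never echo secrets into logs or terminals; show only that they exist.
    redacted = {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in account.items()}
    return findings, redacted


def demo():
    """Run the audit on a constructed sample file (placeholder values only)."""
    sample = {"type": "msa", "name": "example", "id": "<id>", "token": "<token>",
              "refreshToken": "<refresh token>", "xuid": "<xuid>", "clientId": "<clientId>"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".account.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # typical result of a careless copy
        findings, redacted = audit_account_file(path, fix=True)
        final_mode = stat.S_IMODE(os.stat(path).st_mode)
    return findings, redacted, final_mode


if __name__ == "__main__":
    for item in demo()[0]:
        print(item)
```
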

Too bad Microsoft OAuth only allows redirects to localhost (iirc), otherwise it'd be possible to just drop the user the link to OAuth and redirect it back to the server.

Alluseri avatar Feb 02 '24 18:02 Alluseri