Siggi
Assigned
Reported
Comments
It is not caused by having Bedrock on your account, it's caused by having specifically PlayStation linked to your account. Other Bedrock platforms don't cause this issue.
I don't think this will be fixed until morning in Sweden (since that's where Mojang is) at the very earliest. Just get your friends to upvote this bug and Mojang will see it first thing in the morning.
Not many people have Minecraft on both console and PC. I wonder how long it'll take for Mojang to notice this problem. I literally only use PS4 Bedrock Edition to test gameplay on my server as a console user. Quite annoying that because of that I can't log into my server on Java.
It seems Microsoft Login for PSN is completely broken, and it might be affecting Java Edition as well if you use the same Microsoft Account. I just signed out of Microsoft Account on my PS4 and cannot sign back in as it says the account is already linked to a different PSN account even though I just removed it from the PSN account I'm on right now.
@iRGX this only started today, it was working fine for me last night.
As @xSakieru mentioned being linked to PSN this may be the case but I cannot verify that unlinking PSN mitigates the issue because the ability to unlink Microsoft Account from PSN is also broken.
Below might be inaccurate, as I've checked another account that does work and it does indeed have the flags token, but the other account I tested does not have psnid. It could be that being linked to PlayStation might cause Java Edition to stop working?
------------------------
TL;DR: "flags" was added to JWT token, and I suspect this is causing the auth server to throw an exception when validating the JWT token.
------------------------
Perhaps a backend server is throwing an exception when it sees an unexpected new item in the JWT token.
An old JWT token that worked for me in the past (although it is expired now)
eyJraWQiOiJhYzg0YSIsImFsZyI6IkhTMjU2In0.eyJ4dWlkIjoiMjUzNTQ0NDIyNTY5NzQ5NCIsImFnZyI6IkFkdWx0Iiwic3ViIjoiZjMxMTgwOGEtZTUwZC00NDgxLWI2ZjEtOTg4M2ZlZGY0Nzk1IiwiYXV0aCI6IlhCT1giLCJucyI6ImRlZmF1bHQiLCJwc25pZCI6Ijg4NjgxOTcyMDE1MTYwNjM1NjgiLCJyb2xlcyI6W10sImlzcyI6ImF1dGhlbnRpY2F0aW9uIiwicGxhdGZvcm0iOiJQQ19MQVVOQ0hFUiIsInl1aWQiOiJjYTYyOTRjMzg5MTg0YmFmYjdjYzI0ZjI5ODQxMjMyMCIsIm5iZiI6MTY3OTIyMDc1MCwiZXhwIjoxNjc5MzA3MTUwLCJpYXQiOjE2NzkyMjA3NTB9.<redactedsignature>
The its decoded payload:
{ "xuid": "2535444225697494", "agg": "Adult", "sub": "f311808a-e50d-4481-b6f1-9883fedf4795", "auth": "XBOX", "ns": "default", "psnid": "8868197201516063568", "roles": [], "iss": "authentication", "platform": "PC_LAUNCHER", "yuid": "ca6294c389184bafb7cc24f298412320", "nbf": 1679220750, "exp": 1679307150, "iat": 1679220750 }
And the JWT token I have now:
eyJraWQiOiJhYzg0YSIsImFsZyI6IkhTMjU2In0.eyJ4dWlkIjoiMjUzNTQ0NDIyNTY5NzQ5NCIsImFnZyI6IkFkdWx0Iiwic3ViIjoiZjMxMTgwOGEtZTUwZC00NDgxLWI2ZjEtOTg4M2ZlZGY0Nzk1IiwiYXV0aCI6IlhCT1giLCJucyI6ImRlZmF1bHQiLCJwc25pZCI6Ijg4NjgxOTcyMDE1MTYwNjM1NjgiLCJyb2xlcyI6W10sImlzcyI6ImF1dGhlbnRpY2F0aW9uIiwiZmxhZ3MiOlsidHdvZmFjdG9yYXV0aCIsIm9yZGVyc18yMDIyIl0sInBsYXRmb3JtIjoiUENfTEFVTkNIRVIiLCJ5dWlkIjoiY2E2Mjk0YzM4OTE4NGJhZmI3Y2MyNGYyOTg0MTIzMjAiLCJuYmYiOjE2ODMwMjk4MzcsImV4cCI6MTY4MzExNjIzNywiaWF0IjoxNjgzMDI5ODM3fQ.<redactedsignature>
The its decoded payload:
{ "xuid": "2535444225697494", "agg": "Adult", "sub": "f311808a-e50d-4481-b6f1-9883fedf4795", "auth": "XBOX", "ns": "default", "psnid": "8868197201516063568", "roles": [], "iss": "authentication", "flags": [ "twofactorauth", "orders_2022" ], "platform": "PC_LAUNCHER", "yuid": "ca6294c389184bafb7cc24f298412320", "nbf": 1683029837, "exp": 1683116237, "iat": 1683029837 }
Note how the latest token has a new item called "flags" perhaps a backend server is throwing an exception when it sees this unexpected new item. I also tested with other accounts and for the ones that get a JWT token without a "flags" item they can log in without issues.
It can't be a dupe of a bug from 3 years ago though? I have the exact same problem right now!
This is still a problem in March 2023.
I have to agree that the signing delay is not acceptable.
As I've mentioned before in a comment on MC-253521, a lot of people never read anything important. What can you expect in an era where nobody likes to read anything anymore? Especially in video games, people just want to get into the action. It's the reason why modern games teach you how to play the game through in-game tutorials instead of giving you an instruction manual that you have to read through before playing. It's the reason why when a player is looking for a new server to join, they look for screenshots and not large amounts of text. Is this tutorial going to be a hard one where you've only completed the tutorial after your first ban? Maybe the warning should be a diagram instead.
Maybe this is better than the purely text warning. More people will actually get it at least. It still doesn't cover people who speak other languages though, especially since a lot of Minecraft is machine translated into other languages if I'm not mistaken.
[media]I understand a lot of large companies rely on users not actually reading the Terms of Use in order to screw them over, for example, when you forced people to migrate to Microsoft accounts, for a lot of people it didn't even cross their minds that they would be required to be bound by Xbox and Microsoft's Terms of Use just to play a game they've been playing for over a decade. But at what point is it too much? Telling people they are responsible not for what they typed, but are in fact responsible for what appears in the preview, crosses that line.
How are you going to handle people who type slowly? Their eyes might be focused on the keyboard the entire time (I've seen this many times in other people) while they type a lot slower than I do, and if it takes more than 200 ms from the time they hit the last character to the time they hit enter, it will sign the preview instead of what they typed?
Not to mention the fact that if someone has a typing speed that results in the time they take to hit the enter key to always be right around 200 ms, the system might start to feel a little broken with its inconsistent behaviour, with half of their messages showing up as "trusted" and the other half of their messages showing up as "tampered."
The whole point of signing in cryptography is to make it easy to prove something came from you. When you sign a Minecraft jar, you don't send the jar off to some preview agency, and sign what they give back to you, right? Or is that something you do? What if the preview agency injected malicious code into the jar? Would you still sign it and then distribute it to your users?
Don't sign the preview at all, only sign the originally typed message.
It does not specifically tell the player that what shows up in the preview will be attached to their name, and that they can get in trouble based on what shows up in the preview instead of what they actually typed.
Not to mention the amount of people who might click through that without even reading it. When's the last time you read the terms of service when you created an account on a website?
If you live in the European Economic Area you're probably bombarded with cookie consent popups. Do you even read those?
It does show up client-side but a player might not necessarily understand what the chat preview is.
So are you going to ignore the fact that a server owner can trick a player into signing an incriminating message? That's a valid problem, it's not a suggestion!
@cruikshj Normally, in Minecraft on PS4, you go to Settings -> Account -> Unlink Microsoft Account, but this is currently broken.