mojira.dev

Simon Marti

Assigned

No issues.

Reported

MCL-1513 Access token gets invalidated after logging in on a different computer (Cannot Reproduce)
MCL-862 Client token collisions can prevent players from logging in to servers (Fixed)

Comments

I did some more testing and found out that it only happens when using the (optional?) agent field:

Login with first client

curl https://authserver.mojang.com/authenticate --data-binary '{"clientToken":"1","username":"[email protected]","password": "*****","agent":{"name":"Minecraft","version":1}}' -H "Content-Type: application/json"
{"accessToken":"c7e61ccbe6d3444db4506224b260a491","clientToken":"1","selectedProfile":{"id":"********************************","name":"sadimusi"},"availableProfiles":[{"id":"********************************","name":"sadimusi"}}

Login with second client

curl https://authserver.mojang.com/authenticate --data-binary '{"clientToken":"2","username":"[email protected]","password": "*****","agent":{"name":"Minecraft","version":1}}' -H "Content-Type: application/json"
{"accessToken":"17aca929de854990836aae6f6f0ac8ba","clientToken":"2","selectedProfile":{"id":"********************************","name":"sadimusi"},"availableProfiles":[{"id":"********************************","name":"sadimusi"}}

Validate second client's access token

curl https://authserver.mojang.com/validate --data-binary '{"accessToken": "17aca929de854990836aae6f6f0ac8ba"}' -H "Content-Type: application/json"

Validate first client's access token

curl https://authserver.mojang.com/validate --data-binary '{"accessToken": "c7e61ccbe6d3444db4506224b260a491"}' -H "Content-Type: application/json"
{"error":"ForbiddenOperationException","errorMessage":"Invalid token"}

I'm pretty sure the system worked the way you're describing it at some point in the past, but somehow that changed. The issue was discovered by a developer (dividuum) who was playing around with mc4p's authentication module (which uses a random client token), but I was able to reproduce it with vanilla clients (with different client tokens).

As we discussed on IRC, the real issue here is that only access tokens of the same account should be invalidated when logging in with an identical client token. According to my testing this is however not the case.

Steps to reproduce

Login as sadimusi

curl https://authserver.mojang.com/authenticate --data-binary '{"clientToken":"123","username":"[email protected]", "password": "*****"}' -H "Content-Type: application/json"
{"accessToken":"5abf8027e9e549af9c1d551d21f9c559","clientToken":"123"}

Login as D0L4

curl https://authserver.mojang.com/authenticate --data-binary '{"clientToken":"123","username":"D0L4", "password": "*****"}' -H "Content-Type: application/json"
{"accessToken":"4b6205354c5a4903a6c16c5b38d5d79a","clientToken":"123"}

Validate D0L4's access token

curl https://authserver.mojang.com/validate --data-binary '{"accessToken": "4b6205354c5a4903a6c16c5b38d5d79a"}' -H "Content-Type: application/json"

Validate sadimusi's access token

curl https://authserver.mojang.com/validate --data-binary '{"accessToken": "5abf8027e9e549af9c1d551d21f9c559"}' -H "Content-Type: application/json"
{"errorMessage":"Invalid token","error":"ForbiddenOperationException"}
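To make the eviction rules discussed in both comments concrete, here is an added Python model of the session bookkeeping behind /authenticate and /validate. It is a constructed example, not Mojang's code and not part of the original bug reports; the Policy names, the AuthServer class and the use of secrets.token_hex for access tokens are assumptions made for illustration. It replays the three scenarios from the comments (two accounts sharing clientToken "123", one account with clientTokens "1" and "2", and a re-login with an identical account/clientToken pair) under each policy, so the difference between the observed behaviours and the expected one is visible in the returned validity flags.

```python
"""Toy model of the authserver session rules discussed in the comments above.
Constructed example: no Mojang code, no network calls to authserver.mojang.com."""
import secrets
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    # Eviction keyed on clientToken alone, across all accounts (the MCL-862 symptom).
    GLOBAL_BY_CLIENT_TOKEN = "global"
    # One live session per account, whatever the clientToken (the MCL-1513 symptom).
    ONE_SESSION_PER_ACCOUNT = "per_account"
    # Expected rule: a new login evicts only sessions of the SAME account that
    # reused the SAME clientToken.
    PER_ACCOUNT_AND_CLIENT_TOKEN = "scoped"


@dataclass(frozen=True)
class Session:
    account: str
    client_token: str


class AuthServer:
    """Hypothetical server-side session store (assumption, not the real implementation)."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.sessions: dict[str, Session] = {}  # accessToken -> Session

    def _evicts(self, old: Session, account: str, client_token: str) -> bool:
        """Decide whether an existing session is invalidated by the new login."""
        if self.policy is Policy.GLOBAL_BY_CLIENT_TOKEN:
            return old.client_token == client_token
        if self.policy is Policy.ONE_SESSION_PER_ACCOUNT:
            return old.account == account
        return old.account == account and old.client_token == client_token

    def authenticate(self, account: str, client_token: str) -> str:
        """Mirror of POST /authenticate: evict per policy, then issue a fresh accessToken."""
        doomed = [tok for tok, s in self.sessions.items()
                  if self._evicts(s, account, client_token)]
        for tok in doomed:
            del self.sessions[tok]
        access_token = secrets.token_hex(16)  # 32 hex chars, same shape as the real ones
        self.sessions[access_token] = Session(account, client_token)
        return access_token

    def validate(self, access_token: str) -> bool:
        """Mirror of POST /validate: True while the token is still live."""
        return access_token in self.sessions


def cross_account_collision(policy: Policy) -> tuple[bool, bool]:
    """Second comment's steps: sadimusi and D0L4 both log in with clientToken '123'.
    Returns (sadimusi_token_valid, d0l4_token_valid)."""
    srv = AuthServer(policy)
    t_sadimusi = srv.authenticate("sadimusi", "123")
    t_d0l4 = srv.authenticate("D0L4", "123")
    return srv.validate(t_sadimusi), srv.validate(t_d0l4)


def same_account_two_clients(policy: Policy) -> tuple[bool, bool]:
    """First comment's steps: one account, clientTokens '1' and '2'.
    Returns (first_token_valid, second_token_valid)."""
    srv = AuthServer(policy)
    t1 = srv.authenticate("sadimusi", "1")
    t2 = srv.authenticate("sadimusi", "2")
    return srv.validate(t1), srv.validate(t2)


def same_account_same_client(policy: Policy) -> tuple[bool, bool]:
    """Intended eviction: re-login with an identical (account, clientToken) pair
    should replace the earlier session under every policy."""
    srv = AuthServer(policy)
    t1 = srv.authenticate("sadimusi", "123")
    t2 = srv.authenticate("sadimusi", "123")
    return srv.validate(t1), srv.validate(t2)


if __name__ == "__main__":
    for policy in Policy:
        print(policy.name,
              "cross-account:", cross_account_collision(policy),
              "two clients:", same_account_two_clients(policy),
              "same client:", same_account_same_client(policy))
```

Only PER_ACCOUNT_AND_CLIENT_TOKEN keeps both tokens alive in the first two scenarios while still replacing a session when the same account reuses the same clientToken. The model also shows why a client should pick its clientToken at random (as mc4p does, per the first comment) rather than a constant like "1" or "123": under a store keyed on clientToken alone, any collision between unrelated users evicts someone's session.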