mojira.dev

Simon Marti

Assigned

No issues.

Reported

MCL-1513: Access token gets invalidated after logging in on a different computer (Cannot Reproduce)

Comments

I did some more testing and found out that it only happens when using the (optional?) agent field:

Login with first client

curl https://authserver.mojang.com/authenticate --data-binary '{"clientToken":"1","username":"[email protected]","password": "*****","agent":{"name":"Minecraft","version":1}}' -H "Content-Type: application/json"
{"accessToken":"c7e61ccbe6d3444db4506224b260a491","clientToken":"1","selectedProfile":{"id":"********************************","name":"sadimusi"},"availableProfiles":[{"id":"********************************","name":"sadimusi"}}

Login with second client

curl https://authserver.mojang.com/authenticate --data-binary '{"clientToken":"2","username":"[email protected]","password": "*****","agent":{"name":"Minecraft","version":1}}' -H "Content-Type: application/json"
{"accessToken":"17aca929de854990836aae6f6f0ac8ba","clientToken":"2","selectedProfile":{"id":"********************************","name":"sadimusi"},"availableProfiles":[{"id":"********************************","name":"sadimusi"}}

Validate second client's access token

curl https://authserver.mojang.com/validate --data-binary '{"accessToken": "17aca929de854990836aae6f6f0ac8ba"}' -H "Content-Type: application/json"

Validate first client's access token

curl https://authserver.mojang.com/validate --data-binary '{"accessToken": "c7e61ccbe6d3444db4506224b260a491"}' -H "Content-Type: application/json"
{"error":"ForbiddenOperationException","errorMessage":"Invalid token"}

I'm pretty sure the system worked the way you're describing it at some point in the past, but somehow that changed. The issue was discovered by a developer (dividuum) who was playing around with mc4p's authentication module (which uses a random client token), but I was able to reproduce it with vanilla clients (with different client tokens).
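
The four-step sequence from the comment above, replayed offline as an added example (not part of the original comment and not Mojang's code). `ToyAuthServer`, its `agent_login_revokes_all` switch, `replay_two_client_login` and the sample username are hypothetical names, and the revocation rules are assumptions that model the reported behaviour, not the real authserver.

```python
import secrets


class ToyAuthServer:
    """Constructed in-memory stand-in for an /authenticate + /validate pair."""

    def __init__(self, agent_login_revokes_all):
        # Hypothetical switch: True models the behaviour reported in the comment
        # (a login that carries an agent revokes the account's other tokens).
        self.agent_login_revokes_all = agent_login_revokes_all
        self.tokens = {}  # accessToken -> (username, clientToken)

    def authenticate(self, username, client_token, agent=None):
        revoke_all = agent is not None and self.agent_login_revokes_all
        for token, (user, client) in list(self.tokens.items()):
            # Assumption: a fresh login always replaces the token previously
            # issued to the same clientToken; other clients are only touched
            # when revoke_all is in effect.
            if user == username and (client == client_token or revoke_all):
                del self.tokens[token]
        access = secrets.token_hex(16)
        self.tokens[access] = (username, client_token)
        return {"accessToken": access, "clientToken": client_token}

    def validate(self, access_token):
        return access_token in self.tokens


def replay_two_client_login(server, agent):
    """Log in as clientToken "1", then "2", then validate both tokens.

    Returns (first_token_valid, second_token_valid). A service that isolates
    sessions per client should return (True, True).
    """
    user = "user@example.invalid"  # constructed sample account
    first = server.authenticate(user, "1", agent)["accessToken"]
    second = server.authenticate(user, "2", agent)["accessToken"]
    return server.validate(first), server.validate(second)


AGENT = {"name": "Minecraft", "version": 1}  # agent object used in the comment

if __name__ == "__main__":
    for revokes in (True, False):
        for agent in (AGENT, None):
            result = replay_two_client_login(ToyAuthServer(revokes), agent)
            print(f"revokes_all={revokes} agent={agent is not None} -> {result}")
```

Against a real service, the same replay function works as a session-isolation regression check if `authenticate` and `validate` are swapped for HTTP calls to a test environment.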