[Proposal] External authentication flow

[mochaaP]

As discussed in https://t.me/blessing_skin/176521

• Add an optional field (externalLogin / oauth / etc.) to metadata and specify whether to force external authentication
• If extra authentication is required, return an exception on plain login
• Client opens a new browser window, navigate to https://site.com/yggdrasil/oauth?client={clientToken}&callback=launcher://authlib-injector/callback and wait for user interaction
• a) Redirect to launcher://authlib-injector/callback?client={clientToken}&token={accessToken} / http://localhost:####/callback?client={clientToken}&token={accessToken} b) 1. Redirect to https://site.com/yggdrasil/oauth/complete?client={clientToken}&token={accessToken} (more semantic but one more request)
  2. Use a magic string for callback (e.g. oauth:{clientToken}) Then client polls https://site.com/yggdrasil/oauth/status?client={clientToken} for callback
• Client calls validate to and do remaining steps as usual

Scenario

• External authentication provider integration (Social login, SSO)
• 2FA

Issues

• Not exactly OAuth No scope, no application id
• Reimplementing it again in our specs e.g. Blessing Skin Server already have a great OAuth implementation
• Possibly bad integration with software developed specifically for the official Yggdrasil implementation, won't be able to login if only external authenticator is supported

Workarounds

• Use "App Passwords" aside returning accessToken Requires extra UI & logic
• Return a "auth string" (to separate the name with tokens) for password field all the time Consider again exposing tokens to end users

[tnqzh123]

Client calls refresh to validate token and do remaining steps as usual

Yggdrasil 有专门的 validate 接口，用来检查 accessToken 可用性的，doc

• Reimplementing it again in our specs e.g. Blessing Skin Server already have a great OAuth implementation

BS 自带的那个 OAuth 实现可能不是很适用于这个 proposal：它仍然需要 OAuth 应用开发者在皮肤站内创建应用（填写应用名称和 callback URL），然而你不可能指望启动器作者能在所有皮肤站都创建一个应用；而且 BS 的 OAuth 也不会返回可以用于 Yggdrasil 登录的 accessToken，也没有实现多角色选择之类的操作（当然这步可以考虑丢给启动器）

[mochaaP]

edited

[FLYEMOJ1]

Followed by Group: "LittleSkin Community Admins" Content:

1. 启动器使用 WebView2 或打包一套cef（认真的吗？）打开验证界面，并通过注册一个 scheme 接受内置浏览器的回调
2. 启动器打开系统浏览器，通过本地开启 websocket server 并在 URL 中传入 ws port 的方式，让浏览器通过 ws 投递登录消息
3. 提案中方案，但考虑到启动器可能是 portable 的，所以需要在启动器每次开启时注册一次 scheme 

[FLYEMOJ1]

Followed by Group: "LittleSkin Community Admins" Content:

1. 启动器使用 WebView2 或打包一套cef（认真的吗？）打开验证界面，并通过注册一个 scheme 接受内置浏览器的回调
2. 启动器打开系统浏览器，通过本地开启 websocket server 并在 URL 中传入 ws port 的方式，让浏览器通过 ws 投递登录消息
3. 提案中方案，但考虑到启动器可能是 portable 的，所以需要在启动器每次开启时注册一次 scheme 

个人觉得第二条启动系统浏览器这个方案可行 只因其他启动器验证Microsoft正版也为该方案。