Mojira Archive
MCL-21754

Microsoft Password change doesn't invalidate Minecraft/XBL tokens

Steps to reproduce:

  • Log in to the Minecraft Launcher
  • Change the Microsoft password
  • You can continue to play for ~16 days, and there is no way to remotely log out of other locations

The XBL token you get when authenticating with Microsoft has a lifetime of 14 days; every day you can get a new XSTS token, which has a lifetime of 24 hours, and then get an MC token, which will also be valid for another 24 hours.

I know it's kind of impossible to invalidate JWT tokens, but in my opinion it's still an issue; maybe the XBL token should have a shorter invalidation date, or there should be other account checks when getting new tokens (e.g. last password change date).

Another workaround would be that the launcher always gets a new XBL token, but that would further increase the startup time and doesn't really solve the issue (technically, and e.g. for third-party launchers).