
Decentralized Auth

Published July 12, 2022

With the announcement of Microsoft's controversial chat report system for Minecraft 1.19.1, the Minecraft community was outraged. Rightfully so - it's rather dystopian that chats sent in a server that you're hosting yourself could get you locked out from every server, forever.

The #saveminecraft movement quickly sprang up in protest of the changes. A number of developers decided to take action, discovering exploits in the system to demonstrate that it was fundamentally flawed. Personally, I took a page from the open source software book:

If you don't like it, fork it!

Minecraft sadly isn't open source, but its modding community has developed the most impressive suite of reverse engineering and bytecode patching tools I've ever seen. Since the server and client both run on end user devices, Microsoft can't effectively prevent users from making extreme modifications to the game.

The chat reporting feature was tied to the session authentication provided by Microsoft's servers. I figured, if Microsoft is abusing the session authentication mechanism, why not rip it out entirely and replace it with something a little more user-respecting?

So, that's what I set out to do. I set up an official website, a Discord server (where most of the #saveminecraft protesters already were), a bridged version of that server on Matrix, and started building and sharing my progress publicly. I highly recommend taking a look at the official website, but TL;DR:

Building out a community around one of my projects was a lot of fun, and the Discord server had over 100 members at one point. People were really excited about the project!

challenges along the way

As I poured more and more of my free time into Decentralized Auth, I began to recognize a few fundamental issues:

reverse engineering is not like FOSS

Minecraft is one of a very small handful of closed-source programs that I still run occasionally, just for the nostalgia of it. Although the community has made really freaking good reverse engineering tools, it's still painful to work with (or against!) them in edge cases.

As it turns out, messing with the authentication protocol is itself a major edge case. Most Minecraft mods change the UI or gameplay mechanics. Touching the auth parts is considered taboo in the modding community, even in circumstances like these. I was constantly fighting an uphill battle, one that wouldn't have been an issue had I been working on an open source codebase.

combinatorial platform explosion

I'd played around with Minecraft modding before, but never actually released anything for others until Decentralized Auth. As more Minecraft players became interested in the project, I started to receive more and more requests for support on different Minecraft versions, different server platforms, different client modding platforms, and even different proxies. Every platform needed a new source repository, started from scratch. Every Minecraft version needed to be maintained on a different branch of a particular platform's repo, often with significant changes involved in porting. Not to mention, if I ever decided to release multiple versions of Decentralized Auth itself, I'd have to port and rebuild them on all of these combos as well. Altogether, that's a huge support burden, one that I was not prepared to handle on my own. While I did manage to attract the attention of some other enthusiastic developers, it was never enough to handle all of this.

lack of upstream support

The major Minecraft proxy projects didn't expose any kind of extensibility for fundamental parts of the connection protocol like session authentication. Upstream support in server implementations like Bukkit would also have greatly simplified the architecture in several cases. And of course, it's a great way to share the burden of maintaining N different platforms.

I approached a number of developers of these modding platforms, attempting to garner interest in official support for Decentralized Auth. None of those developers felt comfortable with the idea. As I mentioned, touching auth parts wasn't a comfortable topic for these developers, and there weren't exactly a lot of examples of this new protocol being adopted in the wild already.

self-sustainability

If you create a useful open source project, you may be able to build a business around it, ensuring its continued existence and maintenance.

Many open source projects are funded by donations. I also think a decentralized blockchain-based account naming system (similar to ENS) would have been a great technical addition to the Decentralized Auth system, and it could even have been a good way to fund development.

But I felt it was important to fully release Decentralized Auth into the public domain and avoid even the appearance of making a profit from this project, due to the potential for legal action from Microsoft against a centralized entity. I wasn't trying to build a tool for piracy - just a way to keep the game license you legitimately paid for in the case of unfair moderation - but I'm sure some highly paid lawyers would have a great time framing me as a criminal!

Ultimately, that meant there was no prospect of self-sustainability for the project.

distribution

Forking and distributing a new, unofficial version of a client-server protocol is really tough. Servers won't adopt it if users won't use it, and clients won't adopt it if they can't join any servers with it.

I actually did manage to gather a few server admins who cared enough about the project that they'd committed to adding Decentralized Auth support to their servers when it was ready. But still, I don't think it would have organically gained broad adoption. Most users would probably only find out about Decentralized Auth if and when their account is unfairly banned, leaving it restricted to a handful of users who would start to advocate for it after it's already too late.

impact

I mean, it's a block game. Yes, it's a fun and nostalgic block game, but... surely I can make a more meaningful impact on the world by focusing my time and effort elsewhere?

the future

With all these challenges, I had to face the cold truth: Microsoft's changes were frustrating, but continuing development on Decentralized Auth would never bring me the resolution I wished for. With a heavy heart, I thanked the community members who put so much trust in the project and let them know it wasn't going to work out.

That's not to say Decentralized Auth will never be useful. There are a number of projects out there aiming to rebuild Minecraft from the ground up, but FOSS. If that sounds interesting to you, check out wiki.vg's list of alternative server and client implementations under development. A truly FOSS client/server stack will need its own authentication system independent from Microsoft, and Decentralized Auth might still be the right solution. And who knows - several years from now, maybe Microsoft will sunset the Minecraft authentication servers, and the community will need a new authentication system to keep playing the nostalgic block game they know and love.

I'd be honored if Decentralized Auth can be useful to any of these efforts.