Does PrismLauncher publish its Microsoft OAuth API keys?

[please-enter-a-username]

I'm literally new to this, I just know about the existence and story of PolyMC and PrismLauncher.
I'm not here to argue or fight, I just wanna know the truth and keep my Microsoft account safe.
I don't mean to offense anyone, sorry in advance.

I've read https://prismlauncher.org/wiki/overview/faq/

I don't understand why community believe it's wrong for MultiMC developers to not offer the API key.

Does PrismLauncher offers it's API key now?
How does this affects the safety of users' Microsoft account?

What really makes the community decide they need a fork from MultiMC, and then created PolyMC?

I already understand why community created PrismLauncher out of PolyMC, please don't fight around this topic, it's not what I'm eager to know, thank you people.

BTW, I have done a search for similar discussions:

[TayouVR]

the MSA client ID is a ID registered by one of the maintainers here. And it tells microsoft, who (which program) is requesting access to the account.
This client ID is not a confidential part of your login details. Its not a auth token, password or in any other way related to your accounts safety.

you can see the Client ID we use here:
https://github.com/PrismLauncher/PrismLauncher/blob/develop/CMakeLists.txt#L251-L260

# API Keys
# NOTE: These API keys are here for convenience. If you rebrand this software or intend to break the terms of service
# of these platforms, please change these API keys beforehand.
# Be aware that if you were to use these API keys for malicious purposes they might get revoked, which might cause
# breakage to thousands of users.
# If you don't plan to use these features of this software, you can just remove these values.

# By using this key in your builds you accept the terms of use laid down in
# https://docs.microsoft.com/en-us/legal/microsoft-identity-platform/terms-of-use

I don't understand why community believe it's wrong for MultiMC developers to not offer the API key.

when not offering the API key, that means, that any development on the project is significantly harder to do, as any developer needs to give their full legal details to microsoft to obtain their own API key, which is a complex and arduous process. It also means any distributor (e.g. 3rd party packagers) need to do the same. This added complexity is very anti-open-source.
Oh, there are also countries, where you cannot get a microsoft client ID at all, so those developers would be entirely unable to develop.

[DioEgizio]

also it's very difficult to get a key nowadays because there's an application process too. Even MultiMC that has long resisted adding oauth key to the src nowadays has it in the source code

[please-enter-a-username]

Thank you very much for your quick and accurate reply!

Based on the information you provided, I further studied the principles of OAuth 2.0 and PKCE, and also read Microsoft’s Terms of Service.

Unfortunately, I do not have the ability to read and understand program code, so I cannot check whether MultiMC or Prism uses the PKCE mode or not. I also could not find relevant results through online searches.

Based on my understanding so far, I would like to kindly ask you or any other helpful readers to judge whether my points are accurate, thank you!

1. The MSA Application ID and Display Name are all public information. (or is it?) Even if the author does not actively disclose them, they can still be obtained through reverse engineering.

2. If the community developers have the MSA App ID, it will becomes easier for them to test the changes they plan to submit, because this allows developers to login their accounts on locally compiled temporary testing builds.

3. If Prism does not use PKCE, its developers would need to maintain an online server to provide authorization services to clients, by using Access Credentials while keeping the Access Credentials secret. If these credentials are leaked, anyone could spoof their identity as Prism and trick Microsoft. However, I have not yet figured out what impact this would have on ordinary users' account security.

4. If Prism uses PKCE, then only if there is an impersonator using the same Application ID and Display Name, and the impersonator becomes widely distributed affecting many ordinary users’ Microsoft accounts (or in other cases Microsoft deems necessary), Microsoft may revoke this Application ID entirely. This would prevent both legitimate and fake clients from logging in. In this case, only the accounts of users using the fake client might be at risk, while the accounts of users using the official Prism client remain safe, although they would not be able to login until the next version update to change a new App ID.

[please-enter-a-username]

Even MultiMC that has long resisted adding oauth key to the src nowadays has it in the source code

Thank you for telling me!
I really don't have the ability to dig the code and discover this by myself.
It makes me happy to know that both MultiMC and PrismLauncher goes the secure way, just different community and different feature.

If the OAuth key means Application ID, I kinda understand why community developers thought MultiMC should provide its Application ID.

[please-enter-a-username]

wait i was wrong!

Prism uses devicecode login
(https://github.com/PrismLauncher/PrismLauncher/blob/develop/launcher/minecraft/auth/steps/MSADeviceCodeStep.cpp)

i should look further into this