For those of you who hate fun, you can click here to skip it all.
Otherwise, lets take a little look at my pain and suffering and a bit of Microsoft
not validating their user’s input properly. If I had to say, this whole saga of me
increasingly disliking their changes/actions they are doing, I’d really have to be
the MSA requirement for Minecraft. I would at least say that long I have been
extremely frustrated with dealing with Microsoft. In fact, as of the publishing of
this article, I still haven’t migrated on my main account This is no longer true as the Yggdrasil decommissioning
date has already been surpassed.Flying_Stitchman
<- (the real og name).
Anyways, that is happening and I will be forced to migrate probably mid-end of August. I don’t trust their systems to be functional in a timely manner and will only push it as far as I’m comfortable. Also, I want to give at least a little time to make sure my account is not banned from what we will go over in the following paragraphs.
The Old Accounts
By a fate of chance, I created 2 Microsoft accounts when I was younger, both under
different emails and both had purchases on them. It is an unfortunate reality;
however, it looks as one that can only be solved by piracy (really trying to justify
its existence aren’t you monopolistic corporations). This for a while was not a
problem as I basically never logged into them or used the accounts. This changed
when the MSA requirement for Minecraft was introduced. See, on one of my accounts,
I had the good username FlyingStitchman. This was fine except for the fact the
only game I had on there was Halo: Spartain Assault (no, I don’t remember much about
it, might have to pirate it and play it later). On the other one with the burner
username (idk one of the default ones, I can’t be bothered to check), I had Sea of
Thieves. This created a problem where I now had 2 games on 2 separate accounts and
only one username I wanted to go under. I mean, not the largest problem in the world,
but at some point I was able to get the free Minecraft: Bedrock on my ‘burner’
account. This slightly complicated things as I now couldn’t put my main Minecraft
account there due to the fact I already had one.
So the logical conclusion, in my mind at least, was to merge the accounts. I could just smash all the games together and have my username, and then I could create a new account solely for my old Minecraft account. This way I’d be able to remove the account with the email I don’t use anymore. Little housekeeping is always nice. I mean, I must not being alone in wanting that, because Microsoft used to have an option to do so. It would merge all the items in two accounts or whatnot. See here:
Now I think this is particularly stupid of a decision, but tis Microsoft. Even governments have trouble moving it from the hills they want to die on. Since it had been a thing at one point, I did the dance through support, but obviously the sweatshop Indian workers had no power to actually do anything. Twas also startling how awfully difficult it was to talk to a real person.
The New Accounts
So by earlier this year, I was kinda just done, I wanted to have 1 new account that
starts clean with the username I want. I also was going to get Halo MCC because I
knew someone who wanted to play mods with me and I do want to play Halo. So I made
an account. At this point I am using my own email server, and despite the FIVE hard
captchas I was required to do, created it relatively easy. I transferred my username
from the FlyingStitchman account and also got Halo through steam. I then played
one single day of co-op. Was fun, but there was horrible latency, so twas annoying.
Apparently you can fix that by connecting over LAN, but I didn’t have the time to
do that because: Microsoft locked that account.
Yes the stupid ‘gib me your data plz 👉👈 uwu~’ had overtaken Microsoft. Apparently, if you enable 2FA right after creating your account, most people don’t get locked out, but otherwise it wants a phone to verify to ‘prove I’m human’ or something. This should be illegal. You cannot just remove access to a SINGLEPLAYER game someone has purchased; well, I mean I guess they can, but that doesn’t stop it being wildly anti-consumer and monopolistic.
You already know from reading this that I am absolutely not going to put my phone number in Microsoft’s system, so I immediately contacted Valve for a refund. Now, Valve, unlike Micro$#!%, actually has human customer support that you contact. They also actually resolve your issues instead of shifting you around through all the overseas underpaid workers with zero permissions to actually fix things. That was refunded quickly as usual with Valve. This, however, still leaves me in a bad situation. The gamertag I have been using for a decade is now stuck in a locked account.
Of course, I was going to try and get it back. Most people probably know of the websites that allow you to receive sms online. So yeah, not very original, but sometimes you don’t need to be. Unfortunately, by the time I had found a working number, Microsoft was like, “nah fam, we can’t be lettin ya do that here”. And told me that I would have to verify again in 2 weeks, refusing to let me back in. Of course, through all this time I was becoming progressively more frustrated, but I kept going.
Around this time, I also made another Microsoft account (up to 4 accounts nowwww). I didn’t trust the current ’new’ one, so I once again was starting clean. I didn’t do anything on it except enable 2FA. This was so I could sit and login a few times to make sure it didn’t try and lock me out again. So far, I haven’t had that happen so I think the 2FA fixing things theory works. That or they wait till you have attachment to the account before doing so.
After a little bit more of trying, I was able to unlock the first account. Twas an extremely frustrating time and really reinforces my decision to never give a cent to Microsoft again.
The Usernames
One of the first things I did after reinstating control over the locked account was
attempt to change the username to something random, freeing up FlyingStitchman for
use on the actual account I was keeping. You’d think something would be simple, but
never in the land of Micro$#!%. You see, they apparently decided sometime in 2019
that users were now limited to 12 character usernames. Like WHAT, who thought it was
a good idea to REDUCE the characters in a username. Obviously Microsoft. When I was
looking around a bit at this, I heard it has to do with the 16 character max on
their authorization protocol, and that it allows for the ‘modern usernames’ which
are basically discord’s old usernames. Like sure, that is a good idea in theory, but
still allow longer ones, it is literally more effort to restrict that than not.
The funny thing is, apparently you can still claim 16 character usernames on the xbox 360. Now, I do have an xbox 360, but this would not be an interesting article if it was so simple. At some point, the power cable was lost, so I have no way to turn it on. Since I do have access to an xbox 1 power cable, I thought about modding that to supply power for my endeavours; but alas, I don’t have a cable that can provide 17A in the space requirement, so that had to be shelved for another time; back to the drawing board I guess.
I guess another thing I should mention is the fact I changed my locked account to
FlyingStitchman sometime around June of 2023, around 4 years after the changes were supposed to be in place. No clue how that worked, maybe I just had a bug at the right
time to be benefit me. Anyways, tis another sign of Microsoft’s glaring incompetence
when it comes to the field of games.
This, however, got me thinking. In theory, the reason xbox 360’s still work for longer usernames means that either an old name change endpoint is still active or Microsoft never bothered to check if the name submitted was within their character limit. I mean, I truly, from the bottom of my heart understand. To waste such an effort to safeguard a policy that only hurts everyone involved. With this, my first thought was to see if I could auth on wayback machine where the character-limiter had yet to be programmed. I actually got relatively far on this; going as much as to actually log in on a 2018 version of microsoft.com. I got stuck from there, none of the pages behind the login were saved. Now, in theory, I didn’t even need to use the wayback machine. I could have just de-obfuscated the javascript running on the current website. If the theory that they are using the same gamertag change endpoint, there would be nothing stopping me from generating my own request. The problem with that is I don’t like web dev; well, at least the JS side of it.
Xbox-Webapi-Python
Well, in theory, tis possible; I’d assume someone else would have had the idea before me, and, while for slightly different purposes, I did find one. There is a repository called xbox-webapi-python from the OpenXbox group who are focused on documenting and providing basic scripts for all xbox api’s. Since this was made before the gamertag changes went live, it definitely was not made to work around Microsoft’s horrible decisions; but that was what I was going to use it for so, ¯\_(ツ)_/¯ ehh…
Anyways, the way you make these sorts of Oauth2 programs work is by registering a new application on Microsft’s Azure portal. You then create a client-secret and take the generated client-ID. These are used in the chain of authentication to show you are a certain program. This is how Microsoft knows what permissions over its api to give out. After giving it all the permissions, tis possible to auth to Microsoft and get an Oauth2 token. After that, just do a little bit of GET and POST requests with that in the header or something and Microsoft lets you use the api. Well, that is how it’s supposed to work anyway.
Because of the age of the project, compounded with the fact the creators never set versions for their dependencies, the thing kept breaking. I mean, kinda; it would stack trace after trying to complete the authentication script and complain about depreciated usage of functions. Unfortunately for me, that means I had to do a little fixing instead of just getting a free pass. It turned out that pydantic had bumped a major version at some point and was no longer
Downgrading pydantic was not hard due to the dependency calculator program that was in use by the program. I also figured out that something in the authentication script actually did work, it just crashed during output or something else, because when I checked, the token file was correctly downloaded even before using the fixed dependencies version; and, once I fixed the depends, It was able to update the oauth token.
With the token, that meant I was ‘cleared’ by Microsoft to do whatever I wanted. Not really, but that’s not going to stop me. The next thing was the gamertag change script as there luckily was already one made. I had some issues with incorrect string formatting, and correcting that slightly resulted in completing the script; although, it threw an exception on response time from Microsoft’s servers. I took this to mean something had changed since the gamertag changes update, but it ended up being some one-off error as when I checked the website, I had my old gamertag back.
Note: I realize now that the string issues were probably a python version issue caused by python 3.11 not being supported; although it does explicitly list it in the
pyproject.tomlfile.
One last parting word is that I was not able to get Microsoft to re-oauth me after changing the gamertag. I don’t know if that is a problem with the webapi-python, Microsoft blocking my specific application for abuse, blocking me for abuse, or me just being dumb. I hope it is just a me issue and that if someone in need finds this, they are able to change their gamertag back. I didn’t actually find any instance of someone using Microsoft’s api’s to change a gamertag over the 12 character limit, although that could be I’m just not looking in the right places.