MS Auth Flow

Required setup

1. Team owner creates a client with /client/apps.
2. Team owner enables module with /client/apps/:client_id/modules/ms-auth.
3. Client backend stores client_id + client_secret securely.

Full flow

1. Client starts auth via /client/ms-auth/start.
2. Axolite returns auth_url and auth_request_id.
3. User signs in on Microsoft page.
4. Microsoft redirects to Axolite callback /client/ms-auth/callback.
5. Axolite fetches Minecraft profile and waits for consent.
6. User confirms consent via /client/ms-auth/authorize.
7. Client polls status with /client/ms-auth/poll.
8. Client validates session with /client/ms-auth/session/validate.

Consent text requirements

Your consent page should clearly state:

• Minecraft profile (mc_uuid, mc_username) is processed.
• Axolite session token is issued for login validation.
• User agrees to your terms and privacy policy.

Security checklist

• Keep client_secret on server only.
• Use short polling intervals with timeout (2-3s, max 60s).
• Treat axolite_session_token as bearer credential.
• Validate session token immediately before establishing app login.