Talk:Authentication

New Base URL
Since the new base url used for authentication is https://login.minecraft.net/ does that mean it would use https://login.minecraft.net/getversion.jsp or https://login.minecraft.net/game/getversion.jsp ?


 * The URL is just "https://login.minecraft.net/". Post straight there with the content "user=...&password=...&version=..." (without quotes). ~ Ribose  ·  19:29, 20 October 2011 (MST)

New auth response?
I'm now seeing the auth server respond with (in the HTTP body) the following: "2\r\nOK\r\n0\r\n\r\n" (interpret that as a C string). Anyone seen different, or have any insights?

--Huin 15:19, 20 November 2011 (MST)


 * What URL specifically? Barneygale 05:44, 21 November 2011 (MST)


 * Sorry - should have said: http://session.minecraft.net/game/joinserver.jsp?user=XXXX&sessionId=XXXX&serverId=XXXX I was having trouble with my implementation of the minecraft server (ChunkyMonkey), and decided to sniff the traffic that the official server was sending, and got the above. --Huin 12:19, 21 November 2011 (MST)
 * Just realised that that was probably the client. I'm gonna run another packet sniff. --Huin 12:21, 21 November 2011 (MST)
 * So the URL I was really interested in was the checkserver one, i.e /game/checkserver.jsp?user=XXXX&serverId=XXXX - for which the response is quite similar: "3\r\nYES\r\n0\r\n\r\n" --Huin 12:46, 21 November 2011 (MST)
 * So this is actually HTTP chunking. See how you've got a  header?  Barneygale 09:08, 22 November 2011 (MST)
 * Facepalm. Yep. That'll be it. --Huin 12:12, 22 November 2011 (MST)

Signature in textures
The base64 in the "signature" section of "textures" is base64; it's just data signed with Yggdrasil's private key and is verified with a SHA1withRSA public key.

Source: Signature signature = Signature.getInstance("SHA1withRSA"); signature.initVerify(publicKey); signature.update(this.value.getBytes); return signature.verify(Base64.decodeBase64(this.signature));

Comes from Property.java in the Yggdrasil Authlib.

Obtaining Twitch Access Token
You must add 'requestUser':true to the request when your are authenticating an user or refreshing an access token.

Example request and response for requestUser have been added to the Article. The supplied Twitch token is an OAuth token that can be used to directly communicate with the Twitch API. (e.g. https://api.twitch.tv/kraken?oauth_token=...) So unlike preferredLanguage the twitch_access_token parameter has sensitive information that should not be shared or published in crash logs. I don't know where the the value for preferredLanguage can be set. For my account it is set to de, which makes sense since I'm from Germany. I probably somewhere selected German when registering my Mojang/Minecraft account in March 2016. It looks like older accounts don't have this attribute. I know some people have it set to en and I assume there are many other language codes possible (ISO 639-1). --P schneider (talk) 18:52, 10 August 2016 (UTC)

How to see what the vanila launcher does with the authoritation data
The vanilla launcher also talks using these server, but sometimes its usefull to see how vanila interacts with authserver.mojang.com to debug the process of your own launcher.

The following code looks at the traffic between authserver.mojang.com and the local vanila client (the minecraft.jar downloaded from minecraft.net) and prints out the raw http contents inside the https stream.

Use it only for debugging purposes, do NOT include it into malware minecraft launchers:

https://gist.github.com/ferrybig/bab8c6f737be5f63189c

Using this class I discovered that vanilla uses "requestUser": true to get more information about the user, including the Twitch access token. All information discovered by this can be useful to put into the main page.