Difference between revisions of "Talk:Legacy Mojang Authentication"

From wiki.vg

Revision as of 13:57, 16 November 2014

New Base URL

Since the new base URL used for authentication is https://login.minecraft.net/, does that mean it would use https://login.minecraft.net/getversion.jsp or https://login.minecraft.net/game/getversion.jsp?

The URL is just "https://login.minecraft.net/". Post straight there with the content "user=...&password=...&version=..." (without quotes). ~ Ribose · 19:29, 20 October 2011 (MST)

New auth response?

I'm now seeing the auth server respond with (in the HTTP body) the following: "2\r\nOK\r\n0\r\n\r\n" (interpret that as a C string). Anyone seen different, or have any insights?

--Huin 15:19, 20 November 2011 (MST)

What URL specifically? Barneygale 05:44, 21 November 2011 (MST)
Sorry - should have said: http://session.minecraft.net/game/joinserver.jsp?user=XXXX&sessionId=XXXX&serverId=XXXX I was having trouble with my implementation of the minecraft server (ChunkyMonkey), and decided to sniff the traffic that the official server was sending, and got the above. --Huin 12:19, 21 November 2011 (MST)
Just realised that that was probably the client. I'm gonna run another packet sniff. --Huin 12:21, 21 November 2011 (MST)
So the URL I was really interested in was the checkserver one, i.e. /game/checkserver.jsp?user=XXXX&serverId=XXXX - for which the response is quite similar: "3\r\nYES\r\n0\r\n\r\n" --Huin 12:46, 21 November 2011 (MST)
So this is actually HTTP chunking. See how you've got a Transfer-Encoding: chunked header? [1] Barneygale 09:08, 22 November 2011 (MST)
Facepalm. Yep. That'll be it. --Huin 12:12, 22 November 2011 (MST)
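
The two bodies quoted in this thread, decoded as HTTP chunked transfer encoding. This is an added example in Python, not code from the thread or from Mojang; the function name decode_chunked and the error messages are assumptions made here.

```python
HEX_DIGITS = b"0123456789abcdefABCDEF"

def decode_chunked(body: bytes) -> bytes:
    """Decode a 'Transfer-Encoding: chunked' HTTP/1.1 body into its payload."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("truncated body: no CRLF after chunk size")
        # Size line: hex digits, optionally followed by ';extension'.
        size_field = body[pos:eol].split(b";", 1)[0]
        # Hex digits only; int(x, 16) alone would also accept '0x', '+' and '_'.
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError(f"invalid chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break  # last chunk; optional trailer headers follow
        if pos + size + 2 > len(body):
            raise ValueError("truncated body: chunk shorter than declared")
        out += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += size + 2
    # Skip trailer lines until the empty line that ends the body.
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("truncated body: missing final CRLF")
        if eol == pos:
            return bytes(out)
        pos = eol + 2

# The two raw bodies quoted in the thread above.
JOINSERVER_RAW = b"2\r\nOK\r\n0\r\n\r\n"
CHECKSERVER_RAW = b"3\r\nYES\r\n0\r\n\r\n"

if __name__ == "__main__":
    for raw in (JOINSERVER_RAW, CHECKSERVER_RAW):
        print(raw, "->", decode_chunked(raw))
```

A server implementation that reads the response from a raw socket has to de-chunk it like this before comparing the body with "OK" or "YES"; an HTTP client library normally does this step itself.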

Signature in textures

The base64 in the "signature" section of "textures" is base64; it's just data signed with Yggdrasil's private key and is verified with a SHA1withRSA public key.

Source:

    Signature signature = Signature.getInstance("SHA1withRSA");
    signature.initVerify(publicKey);
    signature.update(this.value.getBytes());
    return signature.verify(Base64.decodeBase64(this.signature));

Comes from Property.java in the Yggdrasil Authlib.

Obtaining Twitch Access Token

You must add 'requestUser':true to the request when you are authenticating a user or refreshing an access token.

How to see what the vanilla launcher does with the authorization data

The vanilla launcher also talks using these servers, but sometimes it's useful to see how vanilla interacts with authserver.mojang.com to debug the process of your own launcher.

The following code looks at the traffic between authserver.mojang.com and the local vanilla client (the minecraft.jar downloaded from minecraft.net) and prints out the raw HTTP contents inside the HTTPS stream.

Use it only for debugging purposes, do NOT include it in malware Minecraft launchers:

https://gist.github.com/ferrybig/bab8c6f737be5f63189c

Using this class I discovered that vanilla uses "requestUser":true to get more information about the user, including the Twitch access token. All information discovered by this can be useful to put into the main page.