Christian Koop edited this page Apr 4, 2023 · 5 revisions

Mc-Auth uses the OAuth 2.0 protocol for authentication and authorization.

For a demonstration, have a look at the Demo Page and its code.

Using Mc-Auth (as a developer)

Authorize URI: GET https://mc-auth.com/oAuth2/authorize

Token URI: POST https://mc-auth.com/oAuth2/token

Simplified Mc-Auth Sequence Diagram

Example procedure

Please remember to set the following HTTP Headers when making your requests: Accept: application/json, User-Agent

Additionally, set the following HTTP Headers when making a POST request: Content-Type: application/json

  1. You need to obtain your client credentials from Mc-Auth.com/settings/apps.

  2. Redirect your user to the Authorize URI from above and provide the following information as GET query arguments

    | Name | Description | Required |
    | --- | --- | --- |
    | client_id | Your client_id from Mc-Auth.com/settings/apps | Yes |
    | redirect_uri | What URI should Mc-Auth redirect the user back to? | Yes |
    | response_type | The response_type according to OAuth 2.0 (Available: code, token) | Yes |
    | scope | A space separated list of scopes (Available: profile) | No |
    | state | An opaque value used by the client to maintain state between the requests. It SHOULD be used to prevent cross-site request forgery. | No |
    | mcauth.username | The username of the given user that can be used for auto fill | No |

    A code GET query argument is added to redirect_uri when using response_type=code

    response_type=code is the recommended type for most applications.

    scope=profile tells Mc-Auth to send the public Minecraft profile, when exchanging the code for a token

    1. The user is now prompted to log into Mc-Auth (if not already), to verify their Minecraft identity.
    2. The user is provided some information about your OAuth App and can Accept or Deny your Authorization Request
    3. The user is redirected to redirect_uri
  3. If you've chosen response_type=code, you have to send the code to the Token URI from above with a JSON body

    | Name | Description | Required |
    | --- | --- | --- |
    | client_id | The client_id from Mc-Auth.com/settings/apps | Yes |
    | client_secret | The client_secret from Mc-Auth.com/settings/apps | Yes |
    | code | The code we've added as GET query argument when redirecting the user | Yes |
    | redirect_uri | The same URI as in step 2 | Yes |
    | grant_type | Has to be authorization_code | Yes |

    1. On success, the server replies with 200 OK and a JSON body. Example body:
      {
        "access_token": "<The access_token>",
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": "profile",
        "state": "<The same value provided for `state` in step 2>",
        "data": {
          "uuid": "407b28ede7bd451693d93361fecb7889",
          "profile": {
            "id": "407b28ede7bd451693d93361fecb7889",
            "name": "Sprax2013",
            "properties": [
              {
                "name": "textures",
                "value": "<Base64 string>",
                "signature": "<Base64 string; signed data using Yggdrasil's private key>"
              }
            ]
          }
        }
      }
    2. On failure, the server responds with an HTTP error code and a JSON body. Example error body (400 Bad Request):
      {
        "error": 400,
        "message": "Invalid code! expired? Wrong redirect_uri?"
      }
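
Steps 2 and 3 of the procedure above from the client's side, with the `state` check that the parameter table recommends against cross-site request forgery. This is an added example, not code from Mc-Auth or its Demo Page; the function names and the `USER_AGENT` value are assumptions, and only `exchange_code` touches the network.

```python
import hmac
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URI = "https://mc-auth.com/oAuth2/authorize"
TOKEN_URI = "https://mc-auth.com/oAuth2/token"
USER_AGENT = "example-app/1.0"  # assumption: placeholder User-Agent value


def build_authorize_url(client_id, redirect_uri, username=None):
    """Step 2: return (url, state). Store state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "profile", "state": state}
    if username:
        params["mcauth.username"] = username  # optional auto-fill hint
    return AUTHORIZE_URI + "?" + urlencode(params), state


def code_from_callback(callback_url, expected_state):
    """Check state on the redirect back before trusting the code."""
    query = parse_qs(urlsplit(callback_url).query)
    states, codes = query.get("state", []), query.get("code", [])
    if (not expected_state or len(states) != 1 or not hmac.compare_digest(
            states[0].encode(), expected_state.encode())):
        raise ValueError("state mismatch: discard this callback")
    if len(codes) != 1:
        raise ValueError("callback carries no single code")
    return codes[0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: JSON POST to the Token URI with the required headers."""
    body = json.dumps({"client_id": client_id, "client_secret": client_secret,
                       "code": code, "redirect_uri": redirect_uri,
                       "grant_type": "authorization_code"}).encode()
    headers = {"Accept": "application/json", "User-Agent": USER_AGENT,
               "Content-Type": "application/json"}
    return urllib.request.Request(TOKEN_URI, data=body, headers=headers,
                                  method="POST")


def exchange_code(request):
    """Send the request; raises urllib.error.HTTPError on an error reply."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)
```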