Authentication
Minecraft Alpha uses an entirely new authentication scheme, both for improved security and to (at least try to) prevent people from stealing the game. Take everything on this page with a grain of salt, as the protocol can change at any time.
The Old Launcher
The first step occurs as soon as you open the downloadable Minecraft launcher and attempt to login. The launcher will make a HTTP POST request to:
http://www.minecraft.net/game/getversion.jsp
with the postdata:
user=<username>&password=<password>&version=<launcher version>
with a "application/x-www-form-urlencoded" Content-Type header. The current launcher version is 12, sending a value lower than this will cause the server to return "Old Version" however you can send any large number and it will return as expected. If the login succeeded, it will return 4 ':' delimited values.
1281688214000:a348b469d915a40c9eebd2b9919c1a39:TkTech:8204407531530365141:
The first value is the current version of the game files (not the launcher itself). The second value is your download ticket and used to be required to fetch new versions of minecraft.jar from the server. The third value is your case-correct username. The fourth value is your session id and is required to connect to servers.
The New Launcher
The new launcher uses the same basic protocol as the old one, but at a different host and base address, and using HTTPS. The HTTPS query goes to the new address:
https://login.minecraft.net/
Requesting New Game Files
A download ticket used to be required to download a new version of minecraft.jar by making another HTTP GET request.
http://minecraft.net/game/minecraft.jar?user=<username>&ticket=<download ticket>
However, the new updates for the main program file do not require a download ticket and can be found at:
http://s3.amazonaws.com/MinecraftDownload/minecraft.jar
The other resource files for Minecraft are kept at:
http://s3.amazonaws.com/MinecraftResources/
Connecting To A Server
When you first attempt to connect to the server, you begin by sending the Handshake containing your case-sensitive username. The server will return one of three values: '-' for no authentication (in which case you can just continue joining), '+' for password protected or a hash if the server requires name authentication. Name verification is achieved by sending a HTTP GET request to the minecraft.net server:
http://www.minecraft.net/game/joinserver.jsp?user=<username>&sessionId=<session id>&serverId=<server hash>
If the server returns OK it's safe to continue joining the server, otherwise it'll disconnect you with an error message.
Verifying Name Authentication
The server will verify name authentication by making yet another HTTP GET request to minecraft.net:
http://www.minecraft.net/game/checkserver.jsp?user=<username>&serverId=<server hash>
The server hash is the same value that was sent to the client in the handshake. If the server returns YES then the client is authenticated and allowed to join. Otherwise the client will/should be kicked with “Failed to verify username!”.
Sample Implementation
This is a simple implementation of the authentication (client&server part) in POSIX shell. It needs the curl command line client for HTTP requests.
#!/bin/sh
user=$1
pass=$2
echo "Login..."
oldIFS="$IFS"
IFS=':'
set -- `curl -d "user=$user&password=$pass&version=9999" https://login.minecraft.net/`
IFS="$oldIFS"
if [ $# -ne 4 ]
then
echo "ERR: $@"
exit 1
fi
sid=$4
user=$3
hash=$RANDOM
echo "Now I'm the client ($user)..."
curl -L "http://www.minecraft.net/game/joinserver.jsp?user=$user&sessionId=$sid&serverId=$hash"
echo
echo "Now I'm the server..."
curl -L "http://www.minecraft.net/game/checkserver.jsp?user=$user&serverId=$hash"
echo