Create example repository

[SpraxDev]

Create an extra repository containing examples in different languages/enviroments

Examples:

• Node.js
• PHP
• Java

[Paul2708]

Hey, I could implement an example in Java. However, I need additional information about the general process and the protocol used to communicate.

[SpraxDev]

That would be great! I've populated the Wiki with more detailed information: https://github.com/Mc-Auth-com/Mc-Auth/wiki.

Reach back to me if you've got some questions or if I forgot to mention something.

[Paul2708]

Hey, sorry for asking such a dumb question about OAuth 2.0 / HTTP in general because I haven't worked with it before.

Consider the following example:
Alice and Bob want to log into their SuperFancyApplication account. They choose Login via MC-Auth.
Both will be redirected to MC-Auth, join the server, fill in the code, hit Authorize (or Confirm, etc.) and will be redirected to redirect_uri?code=XXX.
Now, I have to match which code refers to whom, however, I will get two different HTTP requests. Therefore, I don't know which request belongs to Alice or Bob.

What am I missing?

[SpraxDev]

You've got two options for that:

1. You exchange the code for a token and together with the token, a 'data' field is sent (I believe that's actually agains OAuth specs - Added it as TODO Don't send 'data' when exchanging for a token #103). It contains the Minecraft uuid. If you've specified &scope=profile it will contain the whole profile sent by the Mojang API.
2. You use the state parameter to identify individual requests.

Normally, you'd have some kind of session management on SuperFancyApplication and don't care about who the code belongs to. You'd just assume that the code and the user-agent was not tempered (that's what the state argument is for) and assume that the token you've exchanged for the code belongs to that user.

That's how the server should respond when you successfully exchanged a code for an token (with scope=profile):

{
  "access_token": "<The access_token>",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "profile",
  "state": "<The same value provided for `state` in step 2>",
  "data": {
    "uuid": "407b28ede7bd451693d93361fecb7889",
    "profile": {
      "id": "407b28ede7bd451693d93361fecb7889",
      "name": "Sprax2013",
      "properties": [
        {
          "name": "textures",
          "value": "<Base64 string>",
          "signature": "<Base64 string; signed data using Yggdrasil's private key>"
        }
      ]
    }
  }
}

[Paul2708]

Alright, I got it!
Any preferences for the example? Spring, Javalin, general wrapper class, link between Discord and MC user, ...

[SpraxDev]

I'd say it's totally up to you as it is an example project. Creating another OAuth library specialized in Mc-Auth is nothing I would want to do but not everyone knows or has the time to learn how OAuth 2.0 works. That's the reason that I wanted some example projects :)