I know that those old versions are "unsupported" but it would be really easy to implement a redirect. Some people really like these old versions.

I also own a beta server since quite some time, without the authentication servers griefers are just a plague without any viable solution for it, there is no way to ban someone from a server other than a ton of server-side duct-tape solutions involving tracking IPs, quering known vpn lists and etc.

It's a well known problem in the "old" minecraft community and it'd be nice to finally see a solution for it.

I would absolutely love this. I always get turned off by the idea of hosting because how easy hacking is. This would slow it down A LOT.

Work planned.

Does this mean it’s getting worked on? Since Mr. Wenlan Yang said “Work Planned” ?

I'm also curious since it looks like there is no activity at all.

Can we get any insight on when it might be looked into?

Would love to know if Mojang is still planning to do this so we can plan development.

Same. They really should...

We really need to know if this is going to happen, and if it is, when. There are loads of developers and server owners who need to plan around this. The lack of communication is appalling.

Thank you for all your patience!

Unfortunately we do not have ETA right now. Sorry about that.

Appreciate the response! Just wondering whether this is confirmation that this is being worked on.

@Ned Loynd It's definitely being worked on. I don't see why they would say "no ETA" if they were planning on just closing this issue without fixing it.

Can you guys please stop spamming 'bump'? It's spamming my E-Mails.

What @unknown said. Any "bump" comments will be removed. As @unknown said above, they don't have an ETA yet.

All we're wanting is communication. What's actually going on with this? I understand that with global situations at the moment most servers will be under higher than usual loads, and so are the workers whom may even be at home, but still communication is key here. Even a small update on the matter will suffice us, and even blow away speculations being made. 

If there's no ETA I doubt they even knowif they'd have any other plans.

I agree with what himblez has said regarding communication from Mojang. Most users I have talked to are concerned about how seriously Mojang takes issues on this site with some “critical” and “important” issues going for years without being resolved. We have been incredibly lucky to get a message from a Mojang employee considering many of these critical and important tickets go ignored. At the moment Wenlan Yang has stated “Unfortunately we do not have ETA right now. Sorry about that.”, however, that doesn’t sound like they have investigated or approved fixing this bug yet. I would personally love a clear response regarding if they “will look into it”, “will fix the issue” or “issue won’t be fixed” so we can plan for the future.

What do you mean? I thought these servers were permanently offline.

The DNS record for login.minecraft.net doesn’t even exist, so it couldn’t possibly work.

I don't know who "Samuel Fanson" is but they're absolutely right, the servers are dropping offline periodically. They're not permanently offline which makes this issue even more awkward. What's causing these servers to drop offline only at specific times of the day? I'd assume it's because of the heavy load servers must be under right now during peak times but who knows as we get told nothing lol.

Are we all talking about the same issue here? Like I said in my previous comment, login.minecraft.net doesn't work at all. That's the problem. Maybe session.minecraft.net doesn't work all the time, but that isn't the subject of this issue.

The subject of this issue is "old authentication servers for legacy additions are offline" as the title suggests. Which is exactly the problem I've been having, the old authentication servers, legacy, drop offline roughly around the same time everyday. 

I'm friends with the OP, and have discussed this issue with them at length. The authentication servers in question have been offline for years.

Then why was the post made? If they've been offline for years where's the issue as legacy servers still work and they're not running any third party authentication it's all done through Mojang, so where's the issue? Our issue is that those servers are periodically going offline everyday for, as of right now, no explained reason. Hell if I need to I'll make a new post but still?

The issue is that beta servers have to use third party plugins/software to authenticate players. We can't run our servers in online mode, because login.minecraft.net is down. That's why this post was made.

Samuel Fanson and Himblez your issue is not the same as this.

As Alex said this issue is for https://login.minecraft.net/session?name= and http://www.minecraft.net/game/joinserver.jsp?user= which has been shut down for a long time.

Mojang took those out of service for their newer authentication server http://session.minecraft.net/game/joinserver.jsp?user= meaning those old versions of the game don't have authentication at all.

Can't you discuss it via private E-mails or discord, you're spamming 53 users' inboxes.

For those who are still confused, let me clarify this. 

This ticket is regarding Alpha and Beta versions of Minecraft. Not release versions.

This ticket is not about post-beta releases of Minecraft as the Technic Launcher's team had incorrectly indicated in their post. Those login issues on older post-beta releases of Minecraft (such as 1.2.5) seem to have been fixed as of now.

Please only use comments for comments that contribute to understanding of the issue itself; bumping helps nobody. Also, if you do not wish to receive emails for comments, you can unwatch the issue; watchers and voters are separate counts for a reason.

This ticket is about certain authentication mechanisms not being implemented anymore. If your issue is related to an authentication method that is implemented, but sometimes is failing, then that's a separate issue and it should be reported (as far as I can tell, it has not been).

Note that I am neither a Mojang employee, nor an expert on the authentication mechanisms. My previous understanding was that both legacy authentication servers were already down and had been for a long time, but it seems that was wrong.

The reverse-engineered documentation on the authentication mechanisms is rather split, and can be found in wiki.vg's Legacy Authentication article and throughout history of Authentication, Session, and Protocol Encryption. I don't know where exactly the classic information is. Here's my attempt at listing everything and when it was used, based on that history (which does not precisely match the actual changes). Because it's already gotten quite late, I'm not going to focus on the login portion here (in any case, there is not much of a reason to support logging in with old versions of the launcher over an unencrypted connection; playing old versions of the game is more reasonable).

During Alpha, this information was relevant (range of sometime before 01:53, 25 October 2010‎ to 08:12, 20 January 2011‎). The client called http://www.minecraft.net/game/joinserver.jsp and the server called http://www.minecraft.net/game/checkserver.jsp.

In beta, it was noted on 21 Feburary 2011 that the new launcher does basically the same thing as the old one for logging in, except that it uses https://login.minecraft.net/ with HTTPS. On 14 September 2011, it was noted that http://session.minecraft.net/game/joinserver.jsp and http://session.minecraft.net/game/checkserver.jsp were in use (but I suspect this change happened earlier and was just not noticed). On 23 November 2011, the article was rewritten at Session, with an additional mention to https://login.minecraft.net/session as a keep-alive of some sort.

Around 8 August 2012, a UUID field was added to the login result, but not used for anything at the time.

12w17a introduced protocol encryption, using the serverId field in http://session.minecraft.net/game/joinserver.jsp and http://session.minecraft.net/game/checkserver.jsp as part of the process (I'm not completely certain on how this works, to be honest). There were apparently several encryption changes throughout development of 1.3.

1.6 introduced Yggdrasil (https://authserver.mojang.com), documented in the Authentication article again.

1.7 was when the session documentation switched from http://session.minecraft.net/game/joinserver.jsp and http://session.minecraft.net/game/checkserver.jsp to the current https://sessionserver.mojang.com/session/minecraft/join and https://sessionserver.mojang.com/session/minecraft/hasJoined. There have been other changes since then, but nothing that wasn't more or less backwards compatible.

And, as a table, here are the statuses to my understanding:

I feel the need to address @unknown's comment, too. This information is based on my understanding and may not be 100% correct:

Mojang has also for some reason erased all the server downloads for beta and alpha versions and some early release versions from their website and the minecraft launcher itself.

Please understand that, until around 1.6, the launcher did not allow you to select a version; it only updated to the latest version. The same was the case with the website; you couldn't choose which server version to download; instead, you could download the latest, and when snapshots came along, they were something you could download manually and replace your current minecraft.jar until the next update came out and overwrote it. At the time 1.6 released, a new launcher was released that allowed choosing versions. Most old versions were put into it, but Mojang didn't have all of the versions on hand, which is why many are missing. Effort is also needed to make older versions work with the launcher (see LegacyLauncher), including preparing a version JSON; I'm guessing this is why early snapshots are not included even though they are still downloadable from the original position. But, the point is, it's not like they had those versions on hand and chose to remove them; it was more poor archiving at the time.

By the way, its not like the old authentication servers straight up stopped working, Mojang shut them down for whatever reason.

There is a nonzero cost to maintaining the old servers. Simply trying to re-add old forms of authentication can lead to exploits (WEB-1900, for instance, was related to this), and they need to be maintained to use newer account infrastructure. In the context of the old launcher (and the applet embedded on the website), it was highly unlikely that anyone would use the previous session server after it had updated. Of course, now it's different.

https://bugs.mojang.com/browse/WEB-1995

Is not related _at all_ I don't know why it's on the list of potential duplicates.

I can confirm changing the URLs from just http://minecraft.net to https://session.minecraft.net/ fixes this issue. I wouldn't say this is an issue for Mojang Web Services, more of an issue for the Java Edition developers as they should fix all of the old client JAR files pre-release 1.0 so that requests are sent to:

https://sessions.minecraft.net/game/joinserver.jsp?user={USERNAME}&sessionId={TOKEN}&serverId={SERVER ID}

instead of:

http://minecraft.net/game/joinserver.jsp?user={USERNAME}&sessionId=TOKEN}&serverId={SERVER ID}

DoubleCheck – Your suggested solution is not possible. Mojang did not start Minecraft with source control (or else there would be no lost versions) & whatever source code they may have, it would not make sense to patch the hundreds of versions of Minecraft (which would change them to NOT be those versions by the way...) when they could instead just implement a single redirect.

The closest they could get to editing old jar files is further tweaks in LegacyLauncher (which IIRC is already used to make some patches to paths in those versions), but to my understanding that project isn't being worked on anymore (among other things, it's incompatible with Java 9). Fixing it on the web side is probably easier (and better for historic integrity) than recompiling a bunch of jars or trying to edit it in LegacyLauncher.

Hey Pokechu, while you're here I have a question; Is the web team bogged down with other issues, or is there something about this issue that makes it complicated to fix? I'm just wondering what's going on, because its been a while since we got an update.

I unfortunately don't have an answer; I don't know what the web team is working on currently. I think there have been a few changes to authentication somewhat recently though.

Well it was worth asking. Thank you, and have a good rest of your day.

I think this issue should be resolved as fast as possible.
I understand that Mojang probably doesn't care about older versions anymore, but if you have played
at least once on an Minecraft server that cant run in online mode or you are even a Mod on that server and you encounter a Griefer that's using alt accounts, you know how painful it is to try and ban those annoying and disgusting people.
It would really help out the community if this issue gets fixed.

Mojang could fix this issue by creating a new authentication service.
It wouldn't necessarily just be for login authentication, it could be for any type of problem that requires player-specific authorisation.

From Mojang's POV it would be used like this:

1. Someone requests authentication.

2. Mojang sends a random code that needs to be used (to identify this request).

3. A user logs in to "minecraft.net/auth" and then specifies the random code.

4. Mojang then sends the UUID of the player that authenticated itself to the original requestor.

Here is an example on how it could be used by alpha and beta minecraft server owners:

1. A player joins the server.

2. The server requests that the user needs to login to "minecraft.net/auth" and sends a random code that needs to be used.

3. The player then logs in and specifies the random code.

4. Then the server gets a response with information about the player that has logged in.

I think this would be a great addition to the Mojang API that isn't necessarily just for old minecraft servers.

@mrbengtsson

That wouldn't solve the issue. That would require the user to enter information into chat before being able to play. If we wanted that, we would just continue using AuthMe. We want real, seamless authentication. The only way that can be achieved is by bringing the old authentication servers back online, or making a new one that follows the same specification. That is what we want.

It's quite clear that they aren't going to bring the old authentication servers back online.

My solution would actually solve this issue (and more), the bukkit plugin AuthMe doesn't help with anything except protecting other players from joining with your name. This solution would help preventing players from using alt accounts, making it much harder for them. Instead of them just changing their name they would need to pay to buy another account. And it would also solve the issue of players changing their names, since we could fully switch to using UUID's instead of playernames making name switching seamless.

So in summary it fixes:

• Authentication

• Alt-accounts

• Name changing

• And probably more

The solution I proposed requires very little effort from Mojang, and solves several issues from our end.

I think this is exactly what we want.

Making a new authentication server following the old specification would be way easier. You could do it in an hour with a couple PHP scripts, and it wouldn't require any chat commands or tabbing out of the game.

And as a server owner who is very invested in this issue, I would much prefer that outcome. I know I can also speak on behalf of OP in that regard.

The headache and constant battle of offline-mode "requirement" and cracked accounts has not slowed down. Surely a company like Microsoft & Mojang do not enjoy the loss of profit, right?

Are we waiting for a full implementation of the Mojang account migration to Microsoft before this will be worked on? 

Maintaining servers indeed is a non-zero cost. However, I am sure it's not too complicated to spin up something in Azure and spend an hour of dev time to handle maybe a thousand "legacy" requests a day?

At least, can we get an update on this as it has been two years now? There are still thousands of dedicated players and a handful of devs in a cat and mouse game to compensate for the non availability of the auth servers and the shortcomings spawning from that. Thank you.

Really good idea. It would be nice if they just make redirection from old urls to new so servers and clients can work in online mode without editing their code. 

It literally just takes to redirect requests coming to:
{color:#FF0000}www{color}.minecraft.net/game/joinserver.jsp
{color:#FF0000}www{color}.minecraft.net/game/checkserver.jsp
to:
{color:#FF0000}session{color}.minecraft.net/game/joinserver.jsp
{color:#FF0000}session{color}.minecraft.net/game/checkserver.jsp

I guess that's too hard to do for Mojang...

I know Mojang doesn't support older versions but obviously it shouldn't even take them several hours for fixing this because all they have to do is just updating authentication urls of each legacy version. I don't get why they keep ignoring this issue.

Would be cool if authentication for old version was a thing.

If it's really that easy, and can be done in 2 or so hours, why doesn't Mojang just get up and do it? It literally wouldn't take long. It's literally just redirection. I don't know anything about programming, but I'm damn sure that that's as basic as you can get.

Would love to see authentication fixed as there is still a community for these legacy versions and having to keep our server in offline mode is very frustrating. 

It takes like less than 5 minutes for Mojang to redirect to the new URL... But nope they are lazy

Please stop being lazy Mojang as there is a ton of servers that still use this legacy version.

57 comments on this issue, almost all in favor of fixing this. It's a shame Mojang now only cares about the 10 year olds playing the latest version of the game and not the rest of us who enjoy the older versions. As I've mentioned numerous times before, this issue only promotes piracy of the game. If users can't properly authenticate on older servers, server owners are left with no choice but to run "cracked" or offline-mode servers allowing anyone to join regardless if they own the game or not. I'd love to know why Mojang lets a good portion of players and servers break the EULA without caring at all.

For those of you who are looking for a potential work around for this, skins, and capes, I wrote some documentation on the old protocol and a solution involving a proxy - https://docs.doublecheck.gg/minecraft-beta/introduction/. It's not ideal, but it will work until, if ever, Mojang cares enough to fix this.

As an owner of multiple servers running in Alpha and Classic, I've been hoping for a long time that this issue would get resolved and make security much better. After a certain point, you can't really do anything else to make a server secure, and it's infuriating how incredibly simple the fixes are. Mojang, please take 15 minutes out of your day to resolve this issue.

as a beta/alpha player, we need this to happen. 

Several working solutions have been created & posted here. What could possibly be holding this up? There isn't even a point in writing this comment. I might as well be talking to a brick wall.

Hey Mojang! You have an amazing game here and the community surrounding it is unlike anything I've ever seen! Playing with others enhances the experience so much and that is why so many people flock to servers to play with friends! Minecraft has grown a lot, and because of that, historical Minecraft content has been on the rise, thus, there has been a constantly growing interest in older versions of the game! Many people are firing up old alpha or beta Minecraft servers to re-live the good old days and get back together with old friends! Making these old servers safe, however, is not easy and many times server op's have to run cracked servers or just disable authentication altogether. Now, we aren't asking you to fix authentication so we can play Minecraft securely. We already did that our way. We are asking you to fix authentication so we can play early Minecraft versions securely without breaking your EULA. Now, I admit I don't understand the logistics of this change, but if there is talk about resolving this issue, please keep us in the loop! We are a persistent bunch and we aren't going anywhere!

I agree. If no changes are actually planned, why do we have to be left in the dark speculating if anything is actually planned contrary to the "Work planned" comment? I mean, you can say that, but then proceeding to say literally nothing else, no updates on priority, nothing makes us think that was simply a lie.

Why should we be left guessing? Is communication not a priority especially when this could potentially bring in new customers for your brand AND satisfy some existing ones? The suggested changes are mutually benificial on both sides, so if they aren't planned why is there basically no communication?

What about skins?

I'm an owner of several classic servers that I operate as part of the Betacraft server list.

There is a strong interest in legacy versions of the game, and the entire community longs for better official legacy support by Mojang. Even beyond auth servers for older versions, we would like to see more older versions return to the launcher. Both of these issues have been addressed by the community, but to have it be officially covered would absolutely mean the world to all of us.

Yes please fix the old authentication, i wanna play on cool and good beta servers with epic authentication

Please fix it yall, i feel like im picking up the work you abandoned when i have to deal with people evading bans and stealing people's accounts all the time on my fav server 😞(

fix

Please fix this! I never feel safe when I go on Beta servers, and I miss having skins.

Please fix this!

There seems to be a very high amount of interest in this getting fixed. I would implore Mojang read carefully for the amount of profit they are losing due to allowing this to occur.

Hypothetically, if only 25% (there are way more) of the users on a server that has 30,000 user files (hypothetically, this is the true number for just ONE server, there are many more!) are cracked (non-paid).

That means Mojang is losing $187,500 (an entire salary of a higher tier software engineer) because they will not spend ten minutes to redirect a simple URL! Two servers (assuming no player overlap)? $375,000 loss! And this is a generous 25%, not 50 or 75!

Personally, I would redirect URLs every DAY for that type of money! Mojang, bring this figure to the bean counters for justification in getting this important work done! Thank you

Very well put. This would be a mutually beneficial fix for Mojang and us.

the funny thing is how you guys boasted about security when switching to ms accounts while completely overlooking this issue when there's a tremendous number of people who play these older versions for nostalgia/fun.

I guess they want people to only play the newer  versions

My hunch has always been and with each passing version it becomes more and more obvious, they are trying to make java edition so undesirable or non profitable to get servers and players to switch to bedrock i.e micro(soft) transaction Minecraft, the first update where Microsoft got full control was 1.9 (1.8 was in the works and probably mostly done before Microsoft got ownership) which was the update that tried to split the PvP and normal Minecraft community in half and have made no effort to try to remedy that combat change (they could literally add a boolean in server.properties for new combat to be enabled but they don't). Not to mention any version past 1.12.2 really isn't viable for big networks (as the performance is so bad, it's essential to use paper and follow the server optimization guide just to make a simple private server playable on the latest version(s)). So wish I could say I'm surprised they aren't doing this or anything that actually benefits the java community but they've been going in this direction for a while sadly (if only Notch didn't feel like all his work would be overshadowed by Minecraft and that he'd be defined ad the Minecraft guy (I believe that was one of the reasons he left he said in one of his interview)).

WEB-4838

agreed

this is too easy to bypass my betalands and retromc ban on beta 1.7.3 without online mode =(

game herobrine plays on beta lands and retromc?

So how many years do we have to wait to get this simple thing fixed?
It has been nearly 2 years now without any information about when it will get fixed.

If even. I am starting to think these previous developer comments were lies.

This bug tracker is quite infamous for saying something will get worked on, then completely forgetting about the issue and ghosting the people who have been waiting months and months for a simple fix.

This has to be fixed.

Greetings Mojang! I'm not sure if anyone is reading these emails anymore or if there is any plan to state your intentions on this issue, but I just wanted to pop in again to leave a message. This community is a ever growing community and though we may be few compared to the millions of players on more modern patches of the game, I believe we deserve to at least hear if there is even a glimpse of hope when it comes to fixing this issue. Even just a "we're working on it" or a "we have no intention on fixing this" message would prove to us that our comments are being heard. We are very fortunate to be able to play old minecraft versions through your launcher, but it would greatly enhance the experience of players playing old versions if this issue was resolved. This means that security in old version's would be increased which is extremely lacking compared to new patches. As the saying goes, "if it ain't broke, don't fix it." Well, this is broke, so please fix it! 😉 Hope you have a magnificent day! I'll be back next month!

@wenlan Do you have an idea of the status on this project? You mentioned work planned about 2 years ago (23/Dec/19) and we have not heard anything for that period of time. 

Can someone from Mojang please redirect requests coming to:
www.minecraft.net/game/joinserver.jsp
www.minecraft.net/game/checkserver.jsp
to:
session.minecraft.net/game/joinserver.jsp
session.minecraft.net/game/checkserver.jsp

Please let the community here know you still care about the game. Thank you

Hello OG players, I've begun following up this with the team again, Wenlan does not work at Mojang any longer. This is, as we say in Swedish, "tillbaka på tapeten".

Its been over a month now since this has been reopened, what's the progress at, is this still being followed up to the team? 

Hi Luke, as it currently stands this work is planned to be done in Q1 2022.

I'm glad to see that there is hope we may finally get name verification back in OG versions! As a servee owner I was definitely excited to see that update. Good to know that we've got a definite timescale now.

I'm happy to hear there is a new timeline but why has it taken so long (a little over 2 years), like if you use nginx, it's ~5 lines, like heck, you could hire me to do it for free and I'd get it done in 5 minutes lmao

Thank you for following up with us Ined, we definitely appreciate the timeline and are excited to return servers to online mode when the changes are implemented. Have a wonderful day.

Thank you so much for the news, Ined! It's great to hear that this is being acknoledged and a timeline is being put in place. We all very much appreciate the communication between Mojang Studios and the community and we look forward to a brighter future for the old-school Minecraft community! I understand that this may not be a top priority issue and that the timelines may shift with time, but communication on any futher developments pertaining to this topic would be greatly appreciated by us all! Thank you so much for your time and efforts.

its nice to get online mode working without client modifications atleast
very hype

In light of the recent announcement about forcing paying customers to migrate their account against their will, I feel someone should ask; How does it affect this issue? I imagine it would be quite difficult to retro-fit old versions for Microsoft account support, so where does that leave communities like ours?

Unwise decision, Mojang. Very unwise. Seems to be a trend recently. We are getting sick of being treated like we don't matter, and I am seriously considering moving my community away from official account support if this attitude doesn't change. We don't require your consent to continue existing, so for your sake I hope this decision is reconsidered.

How does it affect this issue?

It does not.

Alright, and how did you come to that conclusion?

Alright, and how did you come to that conclusion?

Account login is still entirely based in the launcher. If you were to use any old version of the game, assuming that version still has working authentication endpoints, it will function just as it did with Mojang accounts. Functionally, the game sees no difference between Mojang and Microsoft accounts for every version up until about 1.16.5 when the social interactions screen was introduced. Thus, Microsoft login will work for older versions just like it did for Mojang and legacy Minecraft accounts in the past.

Exactly. People seem to misunderstand what the migration really is, and it's just changing what you use to authenticate yourself.

Legacy auth, Mojang auth, and Microsoft auth work in dramatically different ways, but rather than debating that point here and flooding inboxes in the process, I'm just going to wait for a Mojang employee to respond to my question. I highly doubt either of you have more info than I do considering the announcement was made only 2 days ago.

— Exactly. People seem to misunderstand what the migration really is, and it's just changing what you use to authenticate yourself.

Have you not considered that some people would like a choice? Some of us would actually prefer to keep our Mojang accounts. I know that might be a little bit hard to comprehend, but it's true. Some of us, believe it or not, would rather not have to create a Microsoft account or agree to their ToS just to continue playing a block game we bought a decade ago.

Hi Alex King, 

I am the creator of MineOnline, a third-party launcher which was created to solve this bug. I have been working within the legacy Minecraft community for over three years on mods, server software and web services, so I believe I'm qualified to answer your question.

With that said, Axel is right, the issue is unaffected by Microsoft authentication.

Online-mode authentication works in two parts:

1. A client sends Mojang the server they're connecting to, with a valid access token.

2. A server sends Mojang the name of the joining player to make sure they're allowed to join.

Whether you login with Microsoft or the legacy Mojang method, ultimately you will receive a Minecraft access token. So you can see, the migration process does not affect this issue at all.

I actually can't think of any potential issue this login change would cause. Nothing in game cares about how you get your access, it only cares that you got it.

Hope this helps.

> Legacy auth, Mojang auth, and Microsoft auth work in dramatically different ways, but rather than debating that point here and flooding inboxes in the process, I'm just going to wait for a Mojang employee to respond to my question. I highly doubt either of you have more info than I do considering the announcement was made only 2 days ago.

I can assure you, that it doesn't really matter if you use a legacy, Mojang or Microsoft account, their APIs are in fact very much tied. session.minecraft.net which is used for client-server authentication can be served access tokens obtained from Mojang, as well as from Microsoft. I can't say for sure about legacy accounts, but I bet it's the same for them, as they also use the Mojang's sessionserver to work. So unless that endpoint's behavior changes, it's all going to work. Perhaps Mojang accounts could no longer give you access tokens upon login since March 10th, but I don't think a discussion like this fits into the issue's topic.

Actually include the correct URLs for the server-side of authentication.

Yeah even though it won't affect logins, I think it's more of an ethical issue and I just don't like to support and use services of a huge anti-consumer company (Microsoft) no doubt this was Microsoft pushing their influence of owning Mojang to make this change, no other reason for it but to upset the consumers (The improved security argument is kind of weak, never heard of any issues with security due to Mojang/Minecraft and it's not hard to add the security features Microsoft offers like 2FA)

Hello. We're nearing the end of the projected Q1 2022 point. Any updates?

Seconded; given the recent retiring of other Minecraft domains I'm fearful this may have been scrapped.

Is this still going to happen? We have reached the projected deadline. Any updates?

And just like that, I have lost faith in Mojang's truthfulness about this. For a moment I believed it was actually going to be changed thanks to a community effort, but I believe now the deadline was just to silence the active discussion and keep old versions abandoned.

I would be more than happy to be proven wrong.

Yeah, unfortunately, at the end of the day, microsoft cares about profits, even though this is simple fix, they'd rather spend those 30 seconds on something that will make them more profit

Anymore I’m pretty sure they just like letting people down. I feel like even with modern versions they promise the public things and either don’t do it or delay it years. 

Server owners only run cracked Beta servers because they have no choice. If there was any official auth it would force their players to buy the game.

I would say it takes more effort to put up this ruse or even make these fake plans to show us than just... adding the redirect to the launcher. I'm sure even that  Mr. Unpaid Intern could do it.

This is exactly what I expected. I have no doubt the engineers at Mojang are fully capable of solving this problem with minimal effort, yet for some reason it still hasn't been deemed worthy of fixing. They have repeatedly let my players down, and I see no reason why my server should support Mojang/Microsoft moving forward.

I've checked in with our web team regarding this, it has been pushed back slightly and they have planned to look into it during this summer.

Based on your wording, do the web team not interact with the public at all? And do the web team have a board like Trello or do they have no Todo list and often forget things? As this sounds like a case of bad communication between departments if they keep pushing back a 301 HTTP Permanent Redirect off for years, for any normal web server software, it is a single line to setup a 301 permanent redirect and if you guys are using java servlets, it will very by framework, just wish we had a direct channel to the web team as I'd like to understand the struggle they are facing, perhaps, like in most companies, they are forced to work with awful legacy code that somehow doesn't enable them to easily do 301's or perhaps Mojang doesn't run or have control of minecraft.net website since microsoft took over so they are playing a round robin with you, web team and microsoft web team. If there are more details that you can divulge it would be much appreciated to help us understand the 3 year struggle.

Another "work planned", I see. I'll just go ahead and expect the same when summer rolls around.

At the very least I'm glad to hear that this hasn't been scrapped and might happen at some point.

I'll celebrate when it happens. IF it happens.

Them coming out and saying something and “pushing it back” would be reassuring if this wasn’t created towards the end of 2019. 2.5 years later and we are still waiting. Them saying something is “supposed” to make us happy but people really need to keep commenting on this, so that they can’t just forget about us again cause they clearly already did and have decided to push it back, to “calm us down” again. Yes I’m skeptical of their intentions and practice. 

If they don't fix it soon I might be inclined to start rapid-firing links about the Gates Foundation.

At the moment it really does just feel like they aren't really planning on doing it and are simply going to continue pushing it back each time a deadline passes. I welcome the idea that they're just busy and haven't gotten around to it, but it really seems like there should be some degree of this rising to the top of the queue for things to fix after being ignored for so long.

I totally agree with increasing the priority. We can't have it get buried below other issues again and then re-arranged for a later date.

While the end of summer is still a fair bit away, I'd like to quickly inquire if this is planned for later this summer, the end, or soon?

Unfortunately, according to Ined's Twitter, he has recently left Mojang. Let's just hope the web team doesn't forget this issue or anything because we sadly might've just lost our only form of communication with them. As good as some third party solutions are, I'd just like for this to be natively supported again with no workarounds necessary.

i want this to be fixed so we can all just watch the cracked players cry

Given the recent attempt at quietly adding a reporting system, I am starting to think Mojang is just pushing back the deadline on this simple fix to keep us quiet. Surely there's no way they'd want these ancient versions to be fixed when they want even more authentication on new versions...

Well, to be clear, this reporting system is definitely Microsoft and not Mojang's will as MOJANG have trusted the server owners and staff to regulate chat ourselves FOR YEARS. But yes, I agree, if the web team can add extra "authentication-like" things like reporting and punishments based on reports which is way more complex than a 301 redirect then they should be able to do one with ease and are being told not to or choosing not to.

@Jordan Adams There is no evidence that Microsoft is calling the shots when it comes to this. Let's not spread misinformation and get back on topic here.

Mojang, please tell me this was not forgotten. August 1st is here and only in a month and a half will we be seeing the end of Summer. Any communication since our last update would be much appreciated. If further attention needs to be brought to this, the beta Minecraft community will provide it to let you know it's still important to us all these years still.

If you are going to offer the earlier versions of the game, the least you can do is protect legal copy purchasers by allowing an online mode through fixed authentication methods. Thank you.

Well, autumn is just a week away and considering recent events, I doubt Mojang will do anything about this issue. And honestly, I'm not sure if it's a good idea anymore in my opinion.

The best thing they could do now, is to just close the issue and mark it as "will not fix" and not keep community concerned for months if the issue will get fixed or not.

Other issues have had a higher priority, which is why this issue has not yet been resolved. The plan is to have this fixed at latest by 31 December 2022.

Perhaps we'll be lucky enough to get resolved before we hit 3 years of this issue being open. A time-span of 2 months is at least reasonably specific I guess.

@x DeathCon it's already been 3 years. This issue was opened on Sep 10th.

Hi Mojang,
Unfortunately this bug should not be fixed as stated in the description. Old versions of Minecraft using the old URL use HTTP rather than HTTPS, they also pass the player's access token via the URL. By reimplementing this endpoint, you would be handling access tokens in HTTP.

A secure alternative would be to leverage your "LegacyLauncher" library to hook the web request in Java before it is sent, and redirect it at that point. I already have an open PR into LegacyLauncher to fix a similar issue with this solution, I encourage you to take a look.

I would even be happy to write the code for this myself 🙂

MC-255477
https://github.com/Mojang/LegacyLauncher/pull/33

I don't mean to be rude, Codie. But we've already tried everything to get them to fix this issue, including offering to fix it ourselves. It's been over 3 years, and I can all but guarantee it will be at least another 3 before something actually meaningful happens. As disappointing as it is, I think the community ought to focus on building out our cracked infrastructure as best we can to mitigate the problems caused by this issue. It's really the better alternative, because then at least we don't have to rely on unreliable developers. "If you want something done right, do it yourself" as the saying goes.

Codie, do we know what http implementation they use. If it supports redirects we wouldn't need to even have them modify the LegacyLauncher project and intercept requests if they make a 301 redirect on port 80

Alex King - We do not need a "cracked infrastructure", we the community can already provide our own online-mode solutions leveraging the release server system.

As for doing ourselves, I have, repeatedly.

Here is a launcher which fixes this bug for every version https://github.com/craftycodie/MineOnline
You may also use many other popular third party launchers which support online-mode such as Betacraft.
Here is a server plugin, compatible with hmod bukkit and vanilla, fixing this bug for every version https://github.com/craftycodie/OnlineModeFix
You may also use other existing modded servers which fix online-mode.

In my previous comment I linked a PR into Mojang's own LegacyLaunch project which would fix online-mode.
Here is documentation on how to reimplement classic authentication via release authentication 
https://docs.google.com/document/d/1EYi8pHoXFaxmcGTah09cKs3VAyx7n7OpJYmgBPok-jk/edit

The community have already moved, but solving this issue does not require "cracking" and piracy should certainly not be encouraged.

@unknown  - Unfortunately the http implementation doesn't matter. The server may return a redirect but it can only do so after the request has already been made, the access token is already in http at this point.

Deleting this page & doing it ourselves would make everything so much better, that's my only point. You don't have to reiterate info people already know, Codie. Edit: You aren't the first to make such offers about fixing the problem, and you won't be the last. Mojang doesn't care, and the sooner we move on from it the better. We have alternative solutions that I think are preferable in light of forced migration.

Yes, it is undesirable for HTTP to be utilized for the token in 2022, but it is just a token. If it were usernames/passwords, then that would be a big problem. Sniffing attacks present a security risk, especially for users utilizing public/shared connections. Being realistic though, I doubt a threat actor exists that is listening in on public WiFi in hopes of someone utilizing Legacy Minecraft so they can steal their token and change their skin and join some premium servers on that name.

The more significant risk is that Alpha & Beta versions of the game do not have any encryption regarding communication between the server and the client. That means the current cracked solution of utilizing /login and /register commands is probably a much larger risk to end users as those passwords could be intercepted and could be used on some of their other accounts, such as emails, bank accounts, etc.

I hope Codie's solution is adopted, as it is probably the easiest and safest; however, due to the issues with Legacy Launcher, it is unlikely to receive an update anytime soon. Thus, I believe any method, including tokens over HTTP is still a significant advancement in security for the Legacy community.

The idea of community-based cracked infrastructure might have to come to fruition; however, many servers desire to operate in online mode. One of our most significant administrative burdens is when people ban evade, alongside dealing with name squatting. Mojang supported authentication is one of the easiest ways to reduce administrative burdens, with Mojang ensuring everyone playing online owns the game. I know Legacy Minecraft has become a bit of a haven for cracked players; however, as a server owner, I much rather drop this portion of the player base that causes a disproportionate amount of issues on servers and create a safer environment for my players.

Solutions like Beta Evolutions allow for hybrid authentication with modified clients/launchers; however, servers see significant drops in player counts when they require third-party software. Further, on this point, a Mojang lead solution will be more secure as users don't need to download third-party clients/software, which could be a potential risk/attack vector.

I believe forced migration shouldn't factor into anyone's opinion on this. It is still better for this issue to be solved and give servers the choice of online mode. Worst case, servers can work on hybrid authentication solutions for specific users who don't want to migrate.

I agree with Rhys although.. given this original solution in this ticket is way simpler and hasn't been handled in... 3 years... I am unsure if either solution will ever come to light.

Hi Mojang,
As mentioned in my previous comment, I believe it is more appropriate to resolve this issue with an update to LegacyLauncher. So, I've opened a pull request there for your consideration. You can find more information in the PR description.

Pull Request

https://github.com/Mojang/LegacyLauncher/pull/33

And to everyone else, please don't bury this comment with 'never gonna happen' replies, you're not helping 🙂

I have looked over the pull request, the code looks good, I honestly do hope it gets merged (although it is worrying this was PR'd a year ago and that the repo looks abandoned (6 years ago was last commit))

Happy new year 2023! Unfortunately, it does not look like online mode was implemented or even looked into on the promised schedule. After having pushed back the date three times, it seems that Mojang does not understand the amount of players still on these versions as well as the impact this has on those well populated communities.

Can we please have this issue escalated in some way as it has been pushed back three times already? I personally refuse to accept a response that involves pushing back the date again as this seems to be a constant issue for three years now.

Yes, we understand that the team may have higher priorities. However, I think you can also understand on our side that a large amount of frustration that comes from having a request be ignored and not even given the time of day for three years.

Again I ask if the beta community needs to remind you that this is still important to us after all these years, because we will provide whatever is necessary to get the ball rolling and finally end this ridiculousness. We have already been programming, supporting, and using many different centralized authentication workarounds for years that would all be unnecessary if a fix was implemented for authentication and online mode.

Please, for the sake of the beta community, increase the transparency and work with us to get this out of your queue and resuscitate versions that you still include in the launcher. Thank you.

Merge https://github.com/Mojang/LegacyLauncher/pull/33 or make your own fix for legacy Minecraft, Mojang!

It been 3 weeks. Mojang can't even say anything about that issue 😞

Owners of b1.7.3 are actually just discriminated with this issue. They should be easily able to decide whether they want to allow only premium account users to their server just like in the newer versions (1.0.0+) without any difficulties. This actually makes less people want to make pre-1.0.0 servers, which inevitably drains out the whole pre-1.0.0 community of potential new servers and probable interest in those versions. Pretty cowardly move from the Mojang side.

Really disappointing to see that this, such a simple issue, hasn't been patched yet even after community has provided solutions for you in the form of pull requests.

Please fix authentication.

This is such a simple problem that won't take you 2-3 hours to fix. Please fix this, Mojang!!

:info: Unless you want cracked servers of old MC versions 

We're two months over the last promised date, it would be really nice to hear from someone how progress on this is being dealt with. Thanks!

We are 2 and half months over the last promised date now. Mojang still didn't even answered us 😞

This is the most watched and voted web bug, and we're now over four months past the date Mojang said they would look into it. If for some reason the solution to this problem was cancelled, I think informing everyone of that would be appropriate. If it's still going to happen, an update would be nice.

@[Mojang] Kottizen @Kottizen An update would be greatly appreciated. 🙂

Considering this is simultaneously the most watched and most voted up issue by far, would it be possible for any prominent content creators to cover this issue and draw Mojang's attention as well as the community at large to this? Many of us have watched this issue be pushed back multiple times, but the fact this hasn't received an update to even acknowledge a new date to look into it in around half a year is concerning for the prospects of this simple fix ever being implemented.

Hi Mojang,
I believe it is more appropriate to resolve this issue with an update to LegacyLauncher, as old versions of Minecraft use http, and server authentication can only be made secure (https) by patching the game. So, I've opened a pull request there for your consideration. You can find more information in the PR description.

Pull Request

https://github.com/Mojang/LegacyLauncher/pull/33

Closing as duplicate

@rebeccakullenius may we know what is the original bug report if its a duplicate?

This has just been closed as a duplicate after nearly 4 years and having another issue closed as a duplicate of this one. What does this duplicate and is the issue going to be resolved? We haven't previously been given any status updates on the state of this in close to a year as well. Could we be given some transparency on what's going on?

@rebeccakullenius There is literally a big banner saying the team will look into it in Q4 of 2022 but now, after not giving an update in over a year, it has been closed as being a duplicate but of what? The only similar bug report I found was marked as being a duplicate of this one...

Usually I would write:
"This is no discussion forum blabla hop over to Mojira's Subreddit blabla, mods will get angry bla."

However, considering this bugpost was resolved as a duplicate of another bugpost which in turn is set as duplicate of this one [MC-200782] I hope Mojang devs would be so kind to look into this again and give us an answer what is going on behind the scenes, as resolving a duplicated bugpost with the duplicate is quite confusing and evidently upsetting to the community.

The fact that the mods here didn't yet intervene is quite strange, considering many other cases I witnessed where they did.

Currently have to assume the actual reason is something Mojang mustn't discuss publicly, or that they haven't discussed this issue yet internally and/or with Microsoft, or don't know how to phrase matters (yet) publicly.

Community literally made a fix for this issue (MCL-19983 & WEB-1429 Fixed legacy skin loading & server authentication. by craftycodie · Pull Request #33 · Mojang/LegacyLauncher (github.com)), but it looks like no one checked this Pull Request that contains fix for this whole issue + another issue old minecraft have because of new endpoints

In case @unknown won't be reinstated as reporter and a reporter is needed, I hereby volunteer.

Hello, please note that we will remove off-topic comments from this bug report. This bug report is watched by 163 people, meaning that each comment will send an email to each one. Please only comment relevant information. Repeat offenders may be banned from the bug tracker in severe cases.

FWIW, the resolution of this bug report appears to have been a mistake (and has been reverted), there's no need to panic.

@unknown was removed as reporter because they added an official-looking notice without consent from bug tracker staff. If they want to add anything to the bug report they can still comment and we will add it to the bug report if appropriate.

So you people can take action on the report when it's not related to the actual reported issue, as when Rhys B put a notice, but can't do a simple fix that takes seconds for the past 4 years?

The bug tracker team doesn't have any power over Minecraft itself. We just manage the bug tracker, that's it. We're volunteers, not Mojang employees.

Can we at least have it escalated, and or an increase in priority? I doubt an issue such as this, which is the most watched and voted for, deserves to have normal priority.

We have asked Mojang to check if the resolution was correct, which led them to correct it. We don't have any information on the current state of the issue, but the team is aware of it.

Also note that the "Priority" field on the WEB project is pretty much meaningless and only used for sorting on the bug tracker website, not internal prioritization. "Normal" is the default priority and nobody ever bothered to change it because we don't really use the Priority field on the WEB project much (if at all).

Please direct all further comments about the handling of this bug report to our subreddit or our Discord server. Any comments that are not about the issue itself (legacy servers not being available) will be deleted.

Edit: A post about this issue has been created on our subreddit here.

Author of the duplicate bug report here. I want to re-iterate what I said on that one. As it currently stands, all pre-release 1.0 servers have to implement their own authentication, and there's a high probability most are insecure. Furthermore, every server is open to anyone regardless if they've purchased the same. This inadvertently promotes piracy. 

It's a simple fix for the web team, and the solution(s) are well documented. It's a shame so many people are advocating for this to be fixed, but it continues to slip through the cracks. But then again, Mojang does not care about us older players, they only care about the 8-14 year olds with their parent's credit cards. Money talks and time spent on this will not make them any. 

Requesting the wording of "@unknown was removed as reporter because they added an official-looking notice without consent from bug tracker staff. If they want to add anything to the bug report they can still comment and we will add it to the bug report if appropriate." in the pinned comment to be updated.

It heavily comes off that the current banner is not official, I am just now learning that there was a different banner (that was not official looking at all IMO) that was added, and then subsequently removed. The wording of this phrase makes it sound like the currently displayed notice is unofficial, when it in fact is official. I suggest this comment's wording be updated to clarify this is referring to a banner that was removed and is no longer exist, and is NOT about the current red banner that is visible on the issue.

> Old URL: http://www.minecraft.net/game/checkserver.jsp?user=
has wrong url. It shows proper url, but if you try to open this page - it sends you to login.minecraft.net instead of www.minecraft.net

U.P.D. Its in `Server Authentication`

Can confirm that this issue still exists 3 months into the year 2024. Was able to reproduce this issue.

Was able to reproduce the issue again on 4/18/2024, seems to have not been fixed!

Issue i reported almost a year ago is still not resolved. Would be nice to have it changed by some mods so it would be easier for everyone since right now it shows proper URL but on click sends you to wrong URL 

Is "October-December 2022" in the room with us right now? Is there any update on this or the Pull Request #33 (https://github.com/Mojang/LegacyLauncher/pull/33) made to the legacy launcher? Still broken for me as of 6/14/2024, can anyone else confirm this is still broken?

Maybe something labeled "AI" needs to be added so that suits will foam at the mouth for fixing this. Right now anything said here or anywhere else is a fart in the wind even though the solution was handed on a silver platter to Mojang years ago.

On the bright side, we can celebrate the 5 year anniversary of this issue in September. Maybe a big cake and a bike with training wheels for the birthday!

Based on past experiences, I am not optimistic about any significant changes being implemented. The deadlines have repeatedly been postponed without any substantial updates, to the extent that even the labels remain unchanged. The entire situation has become so farcical that it's beyond insulting. I would prefer a straightforward response, such as "No, we won't fix this.", rather than vague commitments like "We will look into it." or "Planned."

Additionally, I would like an explanation regarding the subreddit to which this issue was "moved", as we are not receiving any updates there either.

It is quite ironic that almost all Web Service issues have been promptly addressed, while this top-voted and highly-watched issue is left gathering dust in the corner.