PHP library for Mojang's Yggdrasil authentication system.

Yggdrasil.php

<?php

class Yggdrasil {
    private $server = 'https://authserver.mojang.com';

    private $client_token = null;

    private $username = null;
    private $access_token = null;

    // Construct a new instance for the given username, with optional client token and access token.
    // Client token can be null, but this will invalidate all other sessions for this user once
    // successfully authenticated.
    public function Yggdrasil($username, $client_token = null, $access_token = null) {
        $this->username = $username;
        $this->client_token = $client_token;
        $this->access_token = $access_token;
    }

    // Get/set the client token.
    public function client_token($client_token = null) {
        if ($client_token != null)
            $this->client_token = $client_token;

        return $this->client_token;
    }

    // Get/set the access token.
    public function access_token($access_token = null) {
        if ($access_token != null)
            $this->access_token = $access_token;

        return $this->access_token;
    }

    // Used internally to dispatch requests.
    private function dispatch($uri, $data) {
        return json_decode(
            @file_get_contents(
                $this->server . $uri,
                false,
                stream_context_create(array(
                    'http' => array(
                        'method' => 'POST',
                        'header' => 'Content-Type: application/json' . PHP_EOL,
                        'content' => json_encode($data)
                    )
                ))
            ),
            true
        );
    }

    // Get an access token.
    // http://wiki.vg/Authentication#Authenticate
    public function authenticate($password) {
        $result = $this->dispatch('/authenticate', array(
            'clientToken' => $this->client_token,

            'agent' => array(
                'name' => 'Minecraft',
                'version' => 1
            ),

            'username' => $this->username,
            'password' => $password
        ));

        $this->client_token = $result['clientToken'];
        $this->access_token = $result['accessToken'];

        return $result;
    }

    // Refresh an access token. Can also be used to validate an access token.
    // http://wiki.vg/Authentication#Refresh
    public function refresh() {
        $result = $this->dispatch('/refresh', array(
            'clientToken' => $this->client_token,

            'accessToken' => $this->access_token
        ));

        $this->access_token = $result['accessToken'];

        return $result;
    }

    // Check if an access token is the newest one associated with this account.
    // http://wiki.vg/Authentication#Validate
    public function validate() {
        return $this->dispatch('/validate', array(
            'accessToken' => $this->access_token
        ));
    }

    // Invalidate all access tokens associated with this account.
    // http://wiki.vg/Authentication#Signout
    public function signout($password) {
        return $this->dispatch('/signout', array(
            'username' => $this->username,
            'password' => $password
        ));
    }

    // Invalidate our access token.
    // http://wiki.vg/Authentication#Invalidate
    public function invalidate() {
        return $this->dispatch('/invalidate', array(
            'clientToken' => $this->client_token,

            'accessToken' => $this->access_token
        ));
    }

    // Which variables to keep when serialized.
    public function __sleep() {
        return array(
            'client_token',
            'username',
            'access_token'
        );
    }

    // What to do when unserialized.
    public function __wakeup() {
        
    }
}

at the end, has to added a "?>"

There is a typo on line 112 for $this->accessToken. It should be $this->access_token.

Also, the validate() function will always return false as the response you get from the Mojang API is an empty string on success. And when an invalid client token is given, you will receive a 403 error. Again, without any data.

Someone know if this still works?

@Warthelm Keen eye ;) I've not been using those functions myself, so never noticed. This Gist was created before the code was tested. The typo in invalidate() has been fixed, and I suggest you use refresh() to validate tokens.