FlexibleLogin [v0.17] for Sponge 7+ - Auth plugin - 2FA


Security Notice: If you use a version 0.16.X version, update immediately to 0.16.5+ or disable the change password command. 0.16.X fixed this security bug. Older versions of 0.16.X are not affected.


A Sponge minecraft server plugin for second authentication. It has a built-in
TOTP support.

Do you want to let your players protect their account (from hackers/login stealers) and keep playing while the session server is down. You can use this little plugin. You can protect your account with a password you choose or with a time based password created from a secret key, generated just for you.








Github - Source Code
Please leave star on Github. Feel free to clone, fork or contribute to this repository.
This is a complete new project, so many features can be added.


TOTP Key generation (/register)

Minecraft image picture

Android App Google Authenticator (IOS App exists too)

Minecraft image picture
You can see there a time generated code which can be used for the login process. (/login )
Additionally it display your user account name and the server ip.



Is this for cracked servers? ughhh


as stated in his post: this is to be able to play while mojang Servers are down.

Anyways: i like the idea of a somewhat double authenticate. Even if you share an minecraft account your achievements cant get bricked.


This is a really nice plugin. Gj
But some type of password recovery is needed. Like:

  • /unregister - deletes the given players account/password if it exists(only admin command)
  • /forgotpassword - sends an email to the player containing his password. This sollution needs an other command setting players email

Both commands are implemented now.



1 Like

It would be great if instead of using a mysql DB, there was an option for using an identify service, like OpenID connect. Then users could login with their google account (or whatever openid they have)


You want to type your google account password into a minecraft server? ._.

1 Like

Yes. Just like I type it into my phone, and countless other apps that use google authentication. Users will be encouraged to set up an app password for this server. I imagine that there are other use cases, but mine would be for a private Minecraft EDU server using Google Classroom. The desire is to use the same authentication system for the server that we use for the google apps stuff, and other online tools/systems that also use OpenID Connect.

I’m sure there are other ways to accomplish the same end (SSO for web, email, minecraft, forums, MOOC, etc).

This sounds so great. I’m looking forward to give my credentials to every server owner using your plugin.

Very helpful response. Thanks so much for taking the time.

My thought is that 2-step auth with Google allows you to create a password per application (so one per server). The intent here is not to allow users to use their google login to authenticate, but to allow the server admin to verify their identify.

I get what you’re snarkily alluding to, and recognize that it is less than ideal. Maybe you can offer a better idea or approach?

Moderator: As my initial question is being trolled, should I open a new topic elsewhere? I don’t want to distract from the release of this nice plugin, or muddy this thread any further.

If this is a concern for you: Just create another google account which you use to auth yourself.

1 Like

Your phone is controlled by you, and the password doesn’t get past the Google-controlled authentication mechanisms. This idea results in passing your password to a third party.

[quote=“Frost_Fox_, post:10, topic:8872”]
Moderator: As my initial question is being trolled, should I open a new topic elsewhere? I don’t want to distract from the release of this nice plugin, or muddy this thread any further.
[/quote]I don’t see any trolling. No need for a new topic, either.

1 Like

If any server forces me to create another google account just to pass their authsystem i will simply go away. Its like an article i read awhile ago. If you have a webshop, which requires user registration to buy your stock around 40% of all users will search for aleternatives…

That’s not what i said. That was just a suggestion for you to bypass the problem of having to use your main google account for auth on a MC server.

i’d never use a google-only auth either.
But the option to do so is nice (i’d recommend having classic name+pw auth too).

The problem isn’t the idea with Google Authentication - it’s pretty cool sounding on the surface, actually. The problem is that this isn’t a website, or an easy-to-manipulate application.

When you use Google Authentication on websites, you’re actually taken to the Google site to approve the applications access to your account. In Minecraft, however, you’d need to type your password in chat. That requires a lot of trust in the plugin and the plugin developer to not accidentally or maliciously release your password.

Not to mention the server owner, who could easily copy the source from such a plugin and simply have the password sent to their email, or saved in the logs, with the user none the wiser.

I suppose that the server has to be in offline mode for this to work? Idk if sponge supports changing authentication status.

The UUID will be different if you change the online mode. In offline mode the server will create a fake UUID (UUID.nameUUIDFromBytes((“OfflinePlayer:” + playerName).getBytes(Charsets.UTF_8))). So for example you will loose your inventory or permission group.

This plugin holds then the original (premium) UUID if the user registered before. On every premium/online mode login the plugin updates the username, so if the server goes into offline mode we can look up the account by the username instead of the UUID. Through the authentication process of this plugin, another plugin can be sure it’s actual the same user and do the same.

####Google Authentication
I think, you shouldn’t type your actual Google password into a minecraft server. One possibility would be to send the user a link (e.g. this) to open it in a browser and send the response with a token instead of the password to the server. But then the user have to open the browser on every login process. Although you don’t have to type in your account credentials every time if you are already logged in into Google (and have already registered), it’s in my opinion a bad idea.

1 Like

Yeah I know that, but I don’t understand how you can prevent the server from kicking the player if the authentication fails. Unless sponge provides some kinda “PlayerAuthenticationEvent”.

There is a GameClientAuthEvent, however that is fired after authentication has been successful.
Note that it is also fired when the server is offline and authentication therefore automatically ‘succeeds’.



can it be setup and used without use of any DB servers? I’m now testing it on my local compare and I doesn’t have any DB system.
How can I set it to use it without the DB system?
Have you somewhere any Wiki or help for configuring the system?