Authentication is described in the protocol wiki:
http://wiki.vg/Authentication#Server_operation
As for MCServer, it does exactly as written there. It receives the 0x02 handshake packet (cSocketThreads does the actual receiving, it sends data through cClientHandle into cProtocolRecognizer, that one recognizes the protocol and sends the packet into cProtocol142, which decodes the packet's meaning and calls cClientHandle's HandleHandshake and then HandleLogin (for historical reasons; earlier protocols had separate Login packets which triggered the auth mechanism)). The HandleLogin function queues an auth-checking request with cAuthenticator.
The cAuthenticator is probably the object that you want to see the most. It runs a separate thread that processes each auth-checking request asynchronously. For each incoming request, it calls AuthFromAddress(), which connects to the auth server, sends the request and receives the answer using HTTP. If it receives a redirect request, it reconnects to the new URL and re-tries.
If successful, it sends an "auth ok" signal to the cClientHandle, through cRoot's AuthenticateUser. If not successful, it kicks the user.
Is that good enough an explanation?
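
The redirect-following check described in the post, sketched as an added example (this is not MCServer's code and not part of the original post). All names are hypothetical, the network is replaced by a constructed lookup table, and the "YES" success body and the redirect cap are assumptions. Anything other than an explicit success ends in a kick, including a redirect chain that never terminates.

```cpp
#include <functional>
#include <map>
#include <string>

// All names here are hypothetical; this is not MCServer's cAuthenticator.
struct HttpReply { int status; std::string location; std::string body; };
using Fetch = std::function<HttpReply(const std::string &)>;

enum class AuthResult { Ok, Kick };

// One auth check: ask the server, follow redirects, fail closed otherwise.
// Assumptions: 301/302 carry the new URL in `location`; success is HTTP 200
// with the body "YES"; at most max_hops redirects are followed.
AuthResult CheckAuth(const Fetch & fetch, std::string url, int max_hops = 3)
{
    for (int hop = 0; hop <= max_hops; ++hop)
    {
        const HttpReply reply = fetch(url);
        if (reply.status == 301 || reply.status == 302)
        {
            if (reply.location.empty())
                return AuthResult::Kick;  // malformed redirect
            url = reply.location;         // reconnect to the new URL and retry
            continue;
        }
        // Any non-redirect answer is final: only an explicit "YES" authenticates.
        if (reply.status == 200 && reply.body == "YES")
            return AuthResult::Ok;
        return AuthResult::Kick;
    }
    return AuthResult::Kick;  // redirect chain too long or looping
}

// Constructed stand-in for the network: maps URL -> canned reply.
Fetch FakeServer(std::map<std::string, HttpReply> table)
{
    return [table](const std::string & url) -> HttpReply {
        auto it = table.find(url);
        if (it == table.end())
            return HttpReply{0, "", ""};  // simulates a failed connection
        return it->second;
    };
}
```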