
Comments (169)

sandermvanvliet avatar sandermvanvliet commented on September 18, 2024 5

Ok so I’ve finally gotten past the certificate pinning. I’ll trace the logon stuff tomorrow, I’m getting there 👍

from audiapi.

sandermvanvliet avatar sandermvanvliet commented on September 18, 2024 5

I've created a postman collection that has the full authentication flow working. You can find it here

One thing I noticed is that at step 7 it sometimes already returns the callback URI for the app as myaudi:///, in that case continue with step 9 instead of 8.

I noticed that the authentication flow is pretty similar to the one on the myAudi website (should have known while looking at the IDKWebViewClient class in the decompiled sources but oh well...), the only difference is in the client IDs and the callback URI.

Interestingly this matches the VW app really closely so that should make some other folks happy I think.


davidgiga1993 avatar davidgiga1993 commented on September 18, 2024 3

The android app also uses certificate pinning, you need to unpack the app, replace the certificate, pack the app and install it again.
Or simply decompile it. I'll take a look at it later to see if I find something


sandermvanvliet avatar sandermvanvliet commented on September 18, 2024 1

I’ve been banging my head against this with recompiling the APK after attempting to stub out the pinning in the okhttp client but so far no luck.

I did find the encrypted client Id and whatnot so I’ll be attempting to see if I can decrypt those


sandermvanvliet avatar sandermvanvliet commented on September 18, 2024 1

Nope that's from the decompiled sources.


andig avatar andig commented on September 18, 2024 1

Note: in step 2 the order of the query parameters seems to matter, so there's no way of doing this nicely :(.


andig avatar andig commented on September 18, 2024 1

Note: in step 2 the order of the query parameters seems to matter, so there's no way of doing this nicely :(.

@sandermvanvliet what I meant is that I can't use url.Values.Encode() in go as it generates the string in alphabetical order. Hope my comment didn't imply any criticism, I'm very thankful for your excellent work!

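The problem andig describes (url.Values is a map, so url.Values.Encode() always emits keys in sorted order and cannot reproduce the parameter order a server insists on) is solved by encoding from an ordered slice instead. The Go code below is an added example written for this page; it is not from the thread, from evcc or from the audiapi project, and the parameter names and placeholder values in authorizeParams are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Param is one query-string key/value pair. A slice of Param keeps the order
// in which the pairs were added, unlike url.Values, which is a map.
type Param struct {
	Key, Val string
}

// EncodeOrdered renders params as key=value pairs joined by '&', escaping each
// key and value exactly as url.Values.Encode does, but in the order given
// instead of sorted by key.
func EncodeOrdered(params []Param) string {
	var b strings.Builder
	for i, p := range params {
		if i > 0 {
			b.WriteByte('&')
		}
		b.WriteString(url.QueryEscape(p.Key))
		b.WriteByte('=')
		b.WriteString(url.QueryEscape(p.Val))
	}
	return b.String()
}

// EncodeSorted shows what url.Values.Encode does with the same pairs: the
// values are identical, only the key order on the wire changes.
func EncodeSorted(params []Param) string {
	v := url.Values{}
	for _, p := range params {
		v.Add(p.Key, p.Val)
	}
	return v.Encode()
}

// authorizeParams is a constructed example of the parameter list an OIDC
// authorization request carries; the values are placeholders, not real ids.
var authorizeParams = []Param{
	{"response_type", "token id_token"},
	{"client_id", "EXAMPLE-CLIENT-ID@apps_vw-dilab_com"},
	{"redirect_uri", "myaudi:///"},
	{"scope", "openid profile"},
	{"state", "EXAMPLE-STATE"},
	{"nonce", "EXAMPLE-NONCE"},
}

func main() {
	fmt.Println("ordered:", EncodeOrdered(authorizeParams))
	fmt.Println("sorted: ", EncodeSorted(authorizeParams))
}
```

Because both encoders use url.QueryEscape, a server that does not care about order sees the same values either way; only a server that hashes or compares the raw query string (which is what an order-sensitive step suggests) notices the difference.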

sandermvanvliet avatar sandermvanvliet commented on September 18, 2024 1

To get the cars you'll need to use this URL https://msg.volkswagen.de/fs-car/usermanagement/users/v1/Audi/DE/vehicles with the Volkswagen access token. That'll give you the VINs connected to your account.

Charger data is at: https://msg.volkswagen.de/fs-car/bs/batterycharge/v1/{{brand}}/{{country}}/vehicles/{{vin}}/charger
Location data is at: https://msg.volkswagen.de/fs-car/bs/cf/v1/{{brand}}/{{country}}/vehicles/{{vin}}/position

brand is Audi and country can be DE or BE from what I can see, possibly other values too but haven't tried those yet.

Note that they all use the Volkswagen access token, the URL kind of gives that away :-P


arjenvrh avatar arjenvrh commented on September 18, 2024 1

Hi guys

Thanks a lot for all the reverse engineering infos in this thread and the update of the login procedure in the testing branch, I've been able to get the audi_connect_ha Home Assistant integration running again based on these infos.

All other calls seem to be working again, including actions such as locking/unlocking. Perhaps some things in this integration may be useful for this library as well.


andig avatar andig commented on September 18, 2024 1

Yep, same problem here:

[audi  ] TRACE 2020/10/22 12:23:56 POST https://identity.vwgroup.io/signin-service/v1/09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com/login/authenticate
302 Found
[audi  ] TRACE 2020/10/22 12:23:56 GET https://identity.vwgroup.io/oidc/v1/oauth/sso?clientId=09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com&relayState=f8fe1d77b3ef8acc19ff431656c7f2d429592878&userId=418782c1-edc9-44ed-889d-920782c00764&HMAC=038cd917f79a1e167dbe9903602cf10c54becac953bde1881c5f3ed737827cfe
302 Found
[audi  ] TRACE 2020/10/22 12:23:56 GET https://identity.vwgroup.io/signin-service/v1/consent/users/418782c1-edc9-44ed-889d-920782c00764/09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com?scopes=address%20profile%20badge%20birthdate%20birthplace%20nationalIdentifier%20nationality%20profession%20email%20vin%20phone%20nickname%20name%20picture%20mbb%20gallery%20openid&relayState=f8fe1d77b3ef8acc19ff431656c7f2d429592878&callback=https://identity.vwgroup.io/oidc/v1/oauth/client/callback&hmac=670542495cb2476b3d35b0a92a0838e8211dd92955d45a7e5c58c3aac6edf9c1
302 Found
[audi  ] TRACE 2020/10/22 12:23:56 GET https://identity.vwgroup.io/oidc/v1/oauth/client/callback/success?user_id=418782c1-edc9-44ed-889d-920782c00764&client_id=09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com&scopes=address%20profile%20badge%20birthdate%20birthplace%20nationalIdentifier%20nationality%20profession%20email%20vin%20phone%20nickname%20name%20picture%20mbb%20gallery%20openid&consentedScopes=address%20profile%20badge%20birthdate%20birthplace%20nationalIdentifier%20nationality%20profession%20email%20vin%20phone%20nickname%20name%20picture%20mbb%20gallery%20openid&relayState=f8fe1d77b3ef8acc19ff431656c7f2d429592878&hmac=af37786a5f984b098277388679b1219b4f3ba0cd06a4d98890d91a94dac0608e
302 Found
[audi  ] TRACE 2020/10/22 12:23:56 POST https://app-api.my.audi.com/myaudiappidk/v1/token
403 Forbidden
{"error":"forbidden_client","error_description":"Access forbidden"}

The Audi app still works, so the changes must be in the backend.

/ping @sandermvanvliet can you confirm?


sandermvanvliet avatar sandermvanvliet commented on September 18, 2024 1

@andig will investigate today, haven't looked at it for a bit but will try to see what's going on


markus7017 avatar markus7017 commented on September 18, 2024 1

@sandermvanvliet I sent you an e-mail, let's chat


andig avatar andig commented on September 18, 2024

For a few days now, the message has changed when getting the token from https://msg.audi.de/fs-car/core/auth/v1/Audi/DE/token:

{
    "error":"invalid_grant",
    "error_description":
    "Bitte überprüfen Sie Ihre eingegebenen Daten."
}



andig avatar andig commented on September 18, 2024

If anyone could use something like mitmproxy on Android that would help. The iOS Audi app uses certificate pinning which didn't allow me to debug any further.


Mr-Staffman avatar Mr-Staffman commented on September 18, 2024

The android app also uses certificate pinning, you need to unpack the app, replace the certificate, pack the app and install it again.
Or simply decompile it. I'll take a look at it later to see if I find something

Found this on a forum:

{
"issuer": "https://identity.vwgroup.io",
"authorization_endpoint": "https://identity.vwgroup.io/oidc/v1/authorize",
"token_endpoint": "https://app-api.my.audi.com/myaudiappidk/v1/token",
"revocation_endpoint": "https://app-api.my.audi.com/myaudiappidk/v1/revoke",
"end_session_endpoint": "https://identity.vwgroup.io/oidc/v1/logout",
"jwks_uri": "https://identity.vwgroup.io/oidc/v1/keys",
"userinfo_endpoint": "https://identity-userinfo.vwgroup.io/oidc/userinfo",
"response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["RS256"],
"code_challenge_methods_supported": ["S256"],
"scopes_supported": ["aboutMe", "address", "affinity", "badge", "battery", "birthdate", "birthplace", "carConfigurations", "carMeasurements", "cars", "charging", "climatisation", "dealers", "doors_windows", "driversLicense", "ecus", "email", "errors", "fuelLevels", "gallery", "intExtTemperature", "lock_unlock", "manageCharging", "manageClimatisation", "manageDestinations", "mbb", "mileage", "name", "nationalIdentifier", "nationality", "navigation", "nickname", "openid", "parking_position", "phone", "picture", "preferred_language", "profession", "profile", "range", "vehicleLights", "vehicleOnlineCapabilities", "vin", "warning_lights", "we_connect_vehicles", "wl_raw"],
"claims_supported": ["iss", "sub", "aud", "iat", "exp", "nonce", "name", "email", "email_verified", "phone_number", "phone_number_verified", "updated_at"],
"grant_types_supported": ["access_token", "refresh_token", "authorization_code", "client_credentials"],
"ui_locales_supported": ["bg", "bs", "cs", "cs-CZ", "da", "da-DK", "da-GL", "de", "de-AT", "de-BG", "de-CH", "de-DE", "de-LI", "de-LU", "de-PL", "el", "el-CY", "el-GR", "en", "en-AE", "en-AL", "en-AM", "en-AU", "en-AZ", "en-BA", "en-BG", "en-BH", "en-BN", "en-BW", "en-CA", "en-CL", "en-CN", "en-CY", "en-DK", "en-FI", "en-GB", "en-GE", "en-GI", "en-GL", "en-GR", "en-HU", "en-ID", "en-IE", "en-IL", "en-IN", "en-IS", "en-JO", "en-KW", "en-KZ", "en-LS", "en-LT", "en-LV", "en-MD", "en-ME", "en-MK", "en-MT", "en-MY", "en-MZ", "en-NA", "en-NO", "en-NZ", "en-OM", "en-PH", "en-QA", "en-RO", "en-RS", "en-SA", "en-SE", "en-SG", "en-SG", "en-SK", "en-TH", "en-TW", "en-UA", "en-US", "en-UZ", "en-ZA", "es", "es-AD", "es-AR", "es-CL", "es-ES", "es-IC", "es-MX", "es-MX", "et", "et-EE", "fi", "fi-FI", "fr", "fr-AD", "fr-BE", "fr-CA", "fr-CH", "fr-FR", "fr-LU", "fr-MC", "hr", "hr-HR", "hu", "hu-HU", "is", "it", "it-CH", "it-IT", "it-SM", "it-VA", "ja", "ja-JP", "ko-KR", "lt", "lt-LT", "lv", "lv-LV", "mk", "nl", "nl-BE", "nl-NL", "no", "no-NO", "pl", "pl-PL", "pt", "pt-BR", "pt-BR", "pt-PT", "ro", "ru", "ru-BY", "ru-BY", "ru-RU", "ru-UA", "sk", "sk-SK", "sl", "sl-SI", "sq", "sr", "sv", "sv-SE", "tr", "tr-TR", "uk", "zh", "zh-CN", "zh-TW"],
"acr_values_supported": ["https://identity.vwgroup.io/assurance/loa-2", "https://identity.vwgroup.io/assurance/loa-3"],
"token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"]
}


andig avatar andig commented on September 18, 2024

@Mr-Staffman is there a link to the discussion, too? This looks like a jwt token?


cengler69 avatar cengler69 commented on September 18, 2024

@Mr-Staffman is there a link to the discussion, too? This looks like a jwt token?

I think it is taken from https://community.home-assistant.io/t/audi-mmi-support/46543/250


andig avatar andig commented on September 18, 2024

Ping @davidgiga1993 any news? I'd be happy to update the flow but would need input from the app side. Thanks!


andersop91 avatar andersop91 commented on September 18, 2024

Is this helping? I've seen and read about quite some similarities between VW and Audi. With regards to the server change, it seems even more similar at the time. This page is documenting the VW API: https://productdata.vwgroup.com/quick-start.html


andig avatar andig commented on September 18, 2024

We're lacking client credentials, id and secret. We also don't know any of the API endpoints. These are all pieces of the puzzle but not a solution :(


davidgiga1993 avatar davidgiga1993 commented on September 18, 2024

I tried to recompile the app with the CA from mitmproxy (as I did the last time) but apparently there are some other checks I can't seem to find at the moment. Also recompiling is a giant pain since they switched to Kotlin.


andig avatar andig commented on September 18, 2024

Here is some detail from the Audi website login. I couldn't find out yet where the JWT token comes from:

Entering email:

Summary
URL: https://identity.vwgroup.io/signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/identifier
URL: https://identity.vwgroup.io/signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/authenticate?relayState=a80d15d83806832e7156ae0148a32e00ba12a0cc&email=cpuidle%40gmx.de
Status: 200 OK
Source: Network
Address: 127.0.0.1:9000

Request
GET /signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/identifier
Referer: https://identity.vwgroup.io/signin-service/v1/signin/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com?relayState=a80d15d83806832e7156ae0148a32e00ba12a0cc
Origin: https://identity.vwgroup.io
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15

Redirect Response
303 See Other
Pragma: no-cache
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Location: /signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/authenticate?relayState=a80d15d83806832e7156ae0148a32e00ba12a0cc&email=cpuidle%40gmx.de
Date: Wed, 02 Sep 2020 06:55:50 GMT

Request
POST /signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/authenticate HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: https://identity.vwgroup.io
Cookie: SESSION=ZmNlM2Y0NjctMGEyZS00MzQxLWEwZWMtYTkyNzUyZTVkNDI4; vcap_journey=54dd3294-02ae-46e2-a010-7ddfbc5546cf
Accept-Encoding: gzip, deflate, br
Host: identity.vwgroup.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept-Language: en-us
Referer: https://identity.vwgroup.io/signin-service/v1/signin/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com?relayState=a80d15d83806832e7156ae0148a32e00ba12a0cc
Connection: keep-alive

Response
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Content-Language: de-DE
Expires: 0
Transfer-Encoding: Identity
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Date: Wed, 02 Sep 2020 06:55:50 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Vcap-Request-Id: 74bd32a9-0610-43f0-7d9f-9fcbf3db4f39
Strict-Transport-Security: max-age=31536000 ; includeSubDomains

Query String Parameters
relayState: a80d15d83806832e7156ae0148a32e00ba12a0cc
email: XXX

Request Data
MIME Type
Request Data: 

Entering password:

Summary
URL: https://userinfo.my.audi.com/login/redirect?state=PlbQXPCWHcDi7ruQatoVRCVnG3c&code=eyJraWQiOiJkMzg2NWIxNzMwZDliMmQzIiwiYWxnIjoiUlMyNTYifQ.[...].dwxfbBb7nIc8B47Fn3-B_TwtWqLXp3V1daUwGHTDAAlD3Fk3QGDPLyZ824N1ZXsBfEXiyibkot6YYE29YvToRtwbOrvYY8n9_8_mvumDm986m-oScLOH43mB1VdCLZ62ZrQmOOpHAHORerESFCehIVnL3yMLFfe78Ts2afmMIAmqe11uHu0o9t6KpcgH2hUWhRHCX-P7IJJNoTTRDpo0eceai2yVhcxCDoCNaXlnVzf3kbD-bZmPjj8fcgg1A8jJkzIDqW1SXu0VXnqRRMK8LgfbFvew9P9VQ7DTBb_pMsY3XJFuuGwex96Iiy2udtzSVDWh-5FxZ6dUqS9Iyvgb_ykLM1hipRlFgXKk9rCQo5HJWGExfy6abeGvAKodHPSyqZd8bJN6Cw6i0jv3-l-9NL9tXKOllebdE8xbLOwZlF1cs9DWRvnX7zX7trT9umjrZ8H6oD0iNmkazD5tAwhdbtk2J9bpRwHc5cKENbz9rOl0j39VovYbrFjQuuwe88Wwvt7z3O5jPKpXQ_QlhJdjKrCQ3TNaSF-wQs058FUpnLJiU4e4LKpHLWJUuobXeZBiI_TamKcJ8A5ppon_V8HFyg1lV_vCK-yxDWlNJytBXifLgQH22kADKI6V0zjaixuZFgSeuJNpkv7cWhGUxcZ3mYPRuD41Sj1DlbORPcRT7sQ
URL: https://userinfo.my.audi.com/login/idk?ui_locales=de-DE
URL: https://my.audi.com/
Status: 200 OK
Source: Network
Address: 127.0.0.1:9000

Request
GET /login/redirect
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Referer: https://identity.vwgroup.io/
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15

Redirect Response
302 Moved Temporarily
Location: https://userinfo.my.audi.com:443/login/idk?ui_locales=de-DE
Date: Wed, 02 Sep 2020 06:50:27 GMT
Vary: x-forwarded-host, Accept-Encoding

Request
GET /login/idk
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Referer: https://identity.vwgroup.io/
Accept-Encoding: gzip, deflate, br

Redirect Response
302 Moved Temporarily
Location: https://my.audi.com/
Date: Wed, 02 Sep 2020 06:50:27 GMT
Vary: x-forwarded-host, Accept-Encoding

Request
GET / HTTP/1.1
Cookie: mod_auth_openidc_session_live=037d50e1-caeb-4a2b-be72-feb903662a52; _ens_perf=W10=; _ens_prev=eyJlVmFyNSI6ImxhbmRpbmdwYWdlfG5vIGxldmVsfG5vIGxldmVsfG5vIGxldmVsIiwiZVZhcjM3IjoibGFuZGluZ3BhZ2UiLCJlVmFyODkiOiJsYW5kaW5ncGFnZSIsInBhZ2VVUkwiOiJodHRwczovL215LmF1ZGkuY29tLyJ9; _ens_sid=azgyNnRrV1k3TER4; _ens_vn=eyJjYSI6Im15QXVkaSAyLjAiLCJjcyI6Im15QXVkaSAyLjAiLCJpZCI6ImszbmN0bUlHMWZ4biIsInBhIjoibm9uZSIsInBzIjoibm9uZSIsImx1IjoxNTk5MDI5NDE0NDE3LCJvbGQiOnRydWUsImFwcHMiOnsibXlBdWRpIDIuMCI6eyJlcCI6ImxhbmRpbmdwYWdlIiwidm4iOjMsImx2IjoyMSwiaWQiOiJrODI2dGtXWTdMRHgiLCJsdSI6MTU5OTAyOTQxMTA3OH19LCJzaXRlcyI6eyJteUF1ZGkgMi4wIjp7ImVwIjoibGFuZGluZ3BhZ2UiLCJ2biI6MywibHYiOjIxLCJpZCI6Ims4MjZ0a1dZN0xEeCIsImx1IjoxNTk5MDI5NDExMDc4fX19; AMCV_097B467352782F130A490D45%40AdobeOrg=1585540135%7CMCIDTS%7C18508%7CMCMID%7C49925485180746582551935600341652537949%7CMCAAMLH-1599634210%7C6%7CMCAAMB-1599634210%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1599036610s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C4.4.0%7CMCSYNCSOP%7C411-18272; s_cc=true; s_ecid=MCMID%7C49925485180746582551935600341652537949; AMCVS_097B467352782F130A490D45%40AdobeOrg=1; myaudi-csrf-token=9279a434-6f2f-477c-b1d7-c007b05b8b52; myaudi-teaser-hide-destination-inject=true; myaudi-session-data={}; myaudi-locale=de-DE; myaudi-cookie-policy=accepted
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Host: my.audi.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept-Language: en-us
Referer: https://identity.vwgroup.io/
Connection: keep-alive

Response
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://pre-myaudi-service-appointment.audi.com,https://pre-myaudi-service-appointment1.audi.com
Content-Type: text/html;charset=utf-8
Content-Security-Policy: frame-ancestors 'none'
Content-Encoding: gzip
Set-Cookie: SMSESSION=eyJraWQiOiJkMzg2NWIxNzMwZDliMmQzIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiI0MTg3ODJjMS1lZGM5LTQ0ZWQtODg5ZC05MjA3ODJjMDA3NjQiLCJhdWQiOiJjN2MxNWU3Zi0xMzVjLTRiZDMtOTg3NS02MzgzODYxNjUwOWZAYXBwc192dy1kaWxhYl9jb20iLCJzY3AiOiJvcGVuaWQgcHJvZmlsZSBhZGRyZXNzIGJpcnRoZGF0ZSBiaXJ0aHBsYWNlIHBob25lIGJhZGdlIHZpbiBuYXRpb25hbElkZW50aWZpZXIgbmF0aW9uYWxpdHkgcHJvZmVzc2lvbiIsImFhdCI6ImlkZW50aXR5a2l0IiwiaXNzIjoiaHR0cHM6XC9cL2lkZW50aXR5LnZ3Z3JvdXAuaW8iLCJqdHQiOiJhY2Nlc3NfdG9rZW4iLCJleHAiOjE1OTkwMzMwMjcsImlhdCI6MTU5OTAyOTQyNywibGVlIjpbIkFVREkiXSwianRpIjoiYmMyNmUzNDMtMDgwYi00YzI1LTk0NzktOTM2OTMyYmMyY2U5In0.C72ThS-1I8uRzlmcHA8pGHHihcVyMzm3e0Ro5AwHXsAUmr_m0YyAiDnfARExKBfH9XCLSA1bb8zz0aZ09AYaZxdP8XnOqL8gzZIyf9GJBuKPjNJG_j9uGvw6BIHOucz35ka3nEbV8uODP2VNCZf29UeQX4o42WRu7i-Ck--zYoZsWPdu0h2lU70hpjAtjy8WgsSBteFTZhACYB8SwolYmfNAv8dk625Te7qlZop2wZL5AlfPqooH7kGf3382uEomS-jxcxXm_0W4DAM0n_AhuUcP5lV61GYGpwDDSyx1IXSKqL5a-PhEksWAnfTx4Kih0GKHyD-ekh32lfJHyWlPi5ZeNTW1Krk61qbAsLAK0nMEcdYP1x8s8vykwG5AekXheg6JOl2UQ41XM0jbVcqUXXkfVvL3uWQXGF1E7LsjxVAgvg_8FSKNxK7u2kwT6jrDnXVEzigSGDKOPcB8sIOg_S6fUFazBEkkG_LWeD0C54IO1TO8viHNrvnfM6ajC_-brHiXG2dqx-BGOPUCQYD-iwLK7AYDYElpVlF5oqKLQKqAbyOlY3t38t4eN1NzQfXYPzEDpD0suhx8oDc4dyyDqnzuRKqtEBw4-ODg-mZ3_WniY-iGOQUsnm_XHGFgF78sx2MbBQ09BgDQuddC6N0V4Cnk_NCKFdx9ZpXMziS2HNk; Domain=.audi.com; Path=/; HttpOnly; Secure
Set-Cookie: AKA_A2=A; expires=Wed, 02-Sep-2020 07:50:30 GMT; path=/; domain=audi.com; secure; HttpOnly
Transfer-Encoding: Identity
Link: <https://tms.audi.com>;rel="preconnect",<https://browser.my.audi.com>;rel="preconnect",<https://featureapps.audi.com>;rel="preconnect"
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Cache-Control: no-store, no-cache, must-revalidate
Date: Wed, 02 Sep 2020 06:50:30 GMT
Connection: keep-alive, Transfer-Encoding
ETag: W/"c4f5c-IM9BM4BfB/kRI1AK2b/3Gh7QR+Q"
Vary: Accept-Encoding
X-Frame-Options: deny
x-powered-by: Express
Server: Apache-Coyote/1.1
x-myaudi: m1
Strict-Transport-Security: max-age=31536000; includeSubDomains
x-envoy-upstream-service-time: 3196

I don't think this UI flow would help us much though.


andig avatar andig commented on September 18, 2024

@sandermvanvliet could you share client credentials, id and secret with [email protected]? I've also tried proxying the web application but no luck. It seems to use some type of embedded server component and does requests to localhost:port?


sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

Once I have them I'll share them.

As far as MITM'ing goes, I've tried with Fiddler but it seems to be doing HTTP CONNECTs and I haven't been able to successfully intercept the verification checks.


andersop91 avatar andersop91 commented on September 18, 2024

I've taken water over my head right here I believe. I've managed to recompile the app and set up a proxy, but can't figure out the certificate issues. Is it using a pinned certificate? It doesn't manage to log in with the proxy in place. And I don't know enough about HTTP traffic, jons, tokens and IDs :-S
But it seems the login is completely the same in the app and on the website, though.


andig avatar andig commented on September 18, 2024

But it seems the login is completely the same in app and on website, though.

Doh: I've cut the website login flow now and it's a horrible endless chain of redirects.

  1. redirect flow starting at GET https://userinfo.my.audi.com/login/idk?ui_locales=de-DE
  2. login flow starting at POST https://identity.vwgroup.io/signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/identifier with the email. It is using _csrf, relayState and hmac - not sure where these are coming from?
  3. the flow from 2. redirects to https://userinfo.my.audi.com/login/redirect?state which returns a jwt token
  4. following the redirects returns another jwt token with unknown encoding:
{
  "alg": "dir",
  "enc": "A256GCM"
}

I'm stumped...

UPDATE Seems that A256GCM requires a shared key to decode (https://github.com/dvsekhvalnov/jose2go#verifying-decoding-and-decompressing-tokens).


sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

I've got a gist ready that can decrypt the values out of smali\de\audi\onetouch\backend\Secrets.smali.smali (after unpacking with apktool), you can find it here: https://gist.github.com/sandermvanvliet/1e5c0143d5a7272105030139e927811f


andig avatar andig commented on September 18, 2024

@sandermvanvliet the keyBytes is from the source or one of the API responses?


andig avatar andig commented on September 18, 2024

One of the (intermediate) keys I'm receiving looks like eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..UYVc-SIAHefJpf3E.h09S2MbP0_3HFa7NPmX4jrcuNr8R2avSKzI-. The .. looks strange for a jwt token?

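The `..` is expected: a compact-serialised JWE has five segments (header.encryptedKey.iv.ciphertext.tag), and with `alg: dir` the content key is shared out of band, so the encrypted-key segment is empty. That also answers the earlier "unknown encoding" question: nothing after the header can be read without that shared key, unlike a three-segment JWS whose payload is only base64url-encoded. The following Go code is an added example, not code from the thread or from the audiapi project. The two sample tokens are constructed: the JWE header is the same one pasted above, but the signature, iv, ciphertext and tag bytes are placeholders; only the shape matters.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// TokenInfo is what can be learned from a compact-serialised JOSE token
// without any key material.
type TokenInfo struct {
	Kind     string // "JWS" (3 segments) or "JWE" (5 segments)
	Alg      string // "alg" from the protected header
	Enc      string // "enc" from the header (JWE only)
	Readable bool   // payload is only base64url-encoded, not encrypted
	KeyEmpty bool   // JWE only: encrypted-key segment is empty (alg "dir")
}

// InspectToken splits a compact token on '.', decodes the base64url header
// and classifies the token. It verifies nothing and decrypts nothing; it only
// says whether the payload can be read without a key.
func InspectToken(tok string) (TokenInfo, error) {
	parts := strings.Split(tok, ".")
	var info TokenInfo
	switch len(parts) {
	case 3:
		info.Kind = "JWS" // header.payload.signature
	case 5:
		info.Kind = "JWE" // header.encryptedKey.iv.ciphertext.tag
	default:
		return info, fmt.Errorf("expected 3 or 5 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return info, fmt.Errorf("header is not base64url: %w", err)
	}
	var hdr map[string]interface{}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return info, fmt.Errorf("header is not a JSON object: %w", err)
	}
	info.Alg, _ = hdr["alg"].(string)
	info.Enc, _ = hdr["enc"].(string)
	if info.Kind == "JWS" {
		info.Readable = true // claims are plain base64url(JSON); the signature only proves origin
		return info, nil
	}
	// With alg "dir" the content key is shared out of band, so the second
	// segment is empty and the token reads "header..iv.ciphertext.tag".
	info.KeyEmpty = parts[1] == ""
	return info, nil
}

// JWSClaims returns the decoded, unverified payload of a JWS and refuses a
// JWE, whose middle segments are ciphertext.
func JWSClaims(tok string) (map[string]interface{}, error) {
	info, err := InspectToken(tok)
	if err != nil {
		return nil, err
	}
	if info.Kind != "JWS" {
		return nil, errors.New("token is a JWE: payload is encrypted, the shared key is needed")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.Split(tok, ".")[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// b64 builds the constructed sample tokens below.
func b64(s string) string { return base64.RawURLEncoding.EncodeToString([]byte(s)) }

// Constructed samples, not captured from any service: the JWS signature and
// the JWE iv/ciphertext/tag are placeholder bytes, only the shape is real.
var (
	SampleJWS = b64(`{"alg":"RS256","kid":"EXAMPLE-KID"}`) + "." +
		b64(`{"sub":"EXAMPLE-USER","aud":"EXAMPLE-CLIENT","jtt":"access_token"}`) + "." +
		b64("placeholder-signature")
	SampleJWE = b64(`{"alg": "dir", "enc": "A256GCM"}`) + ".." + // empty key segment
		b64("placeholder-iv") + "." + b64("placeholder-ciphertext") + "." + b64("placeholder-tag")
)

func main() {
	for _, t := range []string{SampleJWS, SampleJWE} {
		info, err := InspectToken(t)
		fmt.Printf("%+v err=%v\n", info, err)
	}
}
```

Running it on the intermediate value above classifies it as a JWE with an empty key segment, which is why the jose2go note applies: without the server's shared AES key the token is opaque and should be treated as a bearer blob to pass back, not as something to parse.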

andig avatar andig commented on September 18, 2024

The actual content api seems to have changed to an ugly json-based query language:

POST https://userinfo.my.audi.com/bvh/v1
{
    "query": "\n    query ($id: String!, $country: String!, $language: String!, $requestId: String!) {\n      vehicleStatusReportWithWarnings (id: $id, country: $country, language: $language, requestId: $requestId){\n        vin\n        vehicleType\n        lastUpdated\n        engines {\n          type\n          range {\n            value\n            unit\n          }\n          filling {\n            value\n            unit\n          }\n          adBlueRange {\n            value\n            unit\n          }\n          electric {\n            chargingState\n            chargingTime\n          }\n        }\n        totalRange {\n          value\n          unit\n        }\n        mileage {\n          value\n          unit\n        }\n        oilLevel {\n          value\n          unit\n        }\n        service {\n          oilChange {\n            time {\n              value\n              unit\n            }\n            distance {\n              value\n              unit\n            }\n          }\n          inspection {\n            time {\n              value\n              unit\n            }\n            distance {\n              value\n              unit\n            }\n          }\n        }\n        messages {\n          key\n          value\n        }\n        vsrWarnings {\n          textId\n          pictureId\n          timestamp\n        }\n        stoWarnings {\n          eventId\n          txtId\n          picId\n          criticality\n          timeOfOccurence\n        }\n      }\n    }\n  ",
    "variables": {
        "country": "DE",
        "id": "VmVo...",
        "language": "de",
        "requestId": "86931324"
    }
}

The id in this case is base64-encoded Vehicle:VIN

The request uses

x-myaudi-request-id:  47aa3eb9-...
x-csrf-token:         a698de7d-...

...but apparently no auth token.


sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

Supposedly the client id for the IDK endpoint should be NdeSOLIavPcLo520L1mg but doing a /token POST doesn't work yet...


sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

Ok it turns out that this is a key to a keychain in the app. Digging further


davidgiga1993 avatar davidgiga1993 commented on September 18, 2024

Nice! Would you mind sharing the apk somewhere?


andig avatar andig commented on September 18, 2024

Another note: step 8 also sometimes seems to return Location: myaudi:///?stat as token url.


sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

No worries. I must say that I haven't checked it and the implementation in C# I have here does some string interpolation so I didn't notice any problems as I use the same URLs that I was able to inspect.

Step 8 indeed sometimes directly returns the callback and not the "continue" step. Not sure why that happens though.


andig avatar andig commented on September 18, 2024

I've managed an ugly rewrite of the flow in Go for https://github.com/andig/evcc and will continue to polish it. Code will end up in the mentioned repo.


andig avatar andig commented on September 18, 2024

@sander could I kindly ask you to add one API request to the postman collection? It seems the API has changed as well and I'm unsure which of the tokens to use and how to access it.


davidgiga1993 avatar davidgiga1993 commented on September 18, 2024

I've updated the login for the python api (testing branch), but nevertheless the token can't be used to get, for example, the vehicles associated with the account:

API error: {'errorCode': 'gw.error.authentication', 'description': 'Invalid Token'}

Either the endpoints for the API have been completely changed or we need another token for the different API endpoints.

@sandermvanvliet Can you maybe send me the apk via mail so I can further reverse engineer the api calls?


andig avatar andig commented on September 18, 2024

Did you see #13 (comment)? I think the api has changed, too...


davidgiga1993 avatar davidgiga1993 commented on September 18, 2024

Finally patched out all TLS pinning of the app for every rest client.. I'll update the python lib with the new calls


andig avatar andig commented on September 18, 2024

@davidgiga1993 here's what I have so far: https://github.com/andig/evcc/blob/9043a7ebe9f3003416cc4768362e804f17df6b44/vehicle/audi.go. I'm missing the final step of actually using the tokens.


EspenT avatar EspenT commented on September 18, 2024

Can we learn anything from the vw guys ?
https://github.com/robinostlund/volkswagencarnet/blob/master/volkswagencarnet.py


sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

Sorry, have been super busy the past few days. I’ll attach what I have tomorrow (not at a laptop rn). Got a postman collection and the apk which should help.

I did notice most of the calls go to the VW connect APIs now so you’ll need the VW access token for that (last call in the postman collection I shared earlier)


davidgiga1993 avatar davidgiga1993 commented on September 18, 2024

Please check the latest testing branch, the login is already fully working.
Only the car relevant API calls are missing since I don't have any audi licenses anymore...


andig avatar andig commented on September 18, 2024

@davidgiga1993 I have Audi if you want to pm me at [email protected]


andig avatar andig commented on September 18, 2024

A user noticed one more thing. On first use, it seems the sign-in needs to acknowledge the terms of use:

/signin-service/v1/xxxxxxxx-xxxxxx-xxxxxxxx-xxxxxx4da@apps_vw-dilab_com/terms-and-conditions?relayState=xxxxxxxxxxxxxxxxxxxxxxxxxxx&updatedTermsOfUse=true&updatedDataPrivacy=true": 
unsupported protocol scheme ""

In that case the redirect location looks different (see above). Unfortunately I couldn't diagnose further before user acknowledged using the app.

Does anyone know yet how to refresh the ID token?


sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

@andig that step indeed sometimes pops up, you'll need to check the Location header to see if it's needed (see Postman collection too).

Refreshing the tokens goes via the same endpoint as getting the access token only you need to use a different grant_type like so:

client_id=whatevs
grant_type=refresh_token
refresh_token=<the actual refresh token you got earlier>
response_type=token id_token

That'll give you a new id, access and refresh token in the response.

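Two redirect edge cases come up in this thread: the terms-and-conditions page, whose relative Location produces Go's `unsupported protocol scheme ""` when it is requested as-is, and the `myaudi:///` callback showing up a step earlier than expected. The Go code below is an added example of the Location-header check sandermvanvliet describes; it is not from the thread, evcc or the audiapi project. It resolves each Location against the URL of the request that produced it and classifies the result; the request URL, client id and parameter values are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Step says what the client should do with one redirect in the login chain.
type Step int

const (
	StepContinue Step = iota // ordinary https redirect: follow it
	StepTerms                // terms-and-conditions page: the user has to acknowledge first
	StepCallback             // the app's custom-scheme callback: stop, the result is in the URL
)

func (s Step) String() string { return [...]string{"continue", "terms", "callback"}[s] }

// Redirect is the classified Location header.
type Redirect struct {
	Step   Step
	Target *url.URL          // absolute URL to request next (nil for StepCallback)
	Params map[string]string // query and fragment parameters of a callback
}

// ClassifyRedirect resolves a Location header against the URL of the request
// that produced it (a relative Location is legal, and is exactly what yields
// `unsupported protocol scheme ""` when fed to an HTTP client unresolved) and
// decides the next step. Anything other than https or the myaudi scheme is
// rejected rather than followed.
func ClassifyRedirect(requestURL, location string) (Redirect, error) {
	base, err := url.Parse(requestURL)
	if err != nil {
		return Redirect{}, err
	}
	loc, err := url.Parse(location)
	if err != nil {
		return Redirect{}, err
	}
	abs := base.ResolveReference(loc)
	switch {
	case abs.Scheme == "myaudi":
		// A custom scheme cannot be fetched; the parameters are the result.
		// Implicit-flow tokens arrive in the fragment, a code in the query.
		params := map[string]string{}
		for _, part := range []string{abs.RawQuery, abs.Fragment} {
			values, err := url.ParseQuery(part)
			if err != nil {
				return Redirect{}, err
			}
			for k, v := range values {
				params[k] = v[0]
			}
		}
		return Redirect{Step: StepCallback, Params: params}, nil
	case strings.Contains(abs.Path, "/terms-and-conditions"):
		return Redirect{Step: StepTerms, Target: abs}, nil
	case abs.Scheme == "https":
		return Redirect{Step: StepContinue, Target: abs}, nil
	default:
		return Redirect{}, fmt.Errorf("refusing to follow redirect with scheme %q", abs.Scheme)
	}
}

func main() {
	// Constructed request URL and Location values; the client id is a placeholder.
	base := "https://identity.vwgroup.io/signin-service/v1/EXAMPLE-CLIENT@apps_vw-dilab_com/login/authenticate"
	for _, loc := range []string{
		"/signin-service/v1/EXAMPLE-CLIENT@apps_vw-dilab_com/terms-and-conditions?relayState=EXAMPLE&updatedTermsOfUse=true&updatedDataPrivacy=true",
		"myaudi:///?state=EXAMPLE-STATE&code=EXAMPLE-CODE",
		"https://identity.vwgroup.io/oidc/v1/oauth/sso?clientId=EXAMPLE",
	} {
		r, err := ClassifyRedirect(base, loc)
		fmt.Printf("%-9v target=%v params=%v err=%v\n", r.Step, r.Target, r.Params, err)
	}
}
```

Calling this after every 302 (with redirects disabled in the HTTP client) replaces "continue with step 9 instead of 8": the loop simply stops when it sees StepCallback, and a StepTerms result is surfaced to the user instead of being retried.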

andig avatar andig commented on September 18, 2024

This is a bit off-topic, but has anyone tried the same for the VW app? The user/password flow seems largely the same (https://github.com/robinostlund/volkswagencarnet/blob/master/volkswagencarnet.py for reference) but starts to differ where we post to https://app-api.my.audi.com/myaudiappidk/v1/token. I have trouble getting past this stage, any insight would be welcome.


andig avatar andig commented on September 18, 2024

Again, please forgive me the OT response, but I've factored the common part of the VW and Audi vwidentity-based login flow into a go package. See evcc-io/evcc#361 if interested.


LionelJeans avatar LionelJeans commented on September 18, 2024

Hi guys
Thanks for the infos here. I had implemented an MMI service in 2018 and it worked until Aug. 2020. Audi changed its API. Now I found this site and I am trying to refactor my service.
The email and password requests work fine.
But I have a problem with the ID token request: the response status code is "bad request" when I POST via HttpClient to https://app-api.my.audi.com/myaudiappidk/v1/token with data:
"client_id": CLIENT_ID,
"grant_type": "authorization_code",
"response_type": "token id_token",
"code": login_code,
"redirect_uri": "myaudi:///"
I don't know what the problem is. Does anyone have an idea?
Thanks :)


andig avatar andig commented on September 18, 2024

This works for me, similar to yours:

data := url.Values(map[string][]string{
	"client_id":     {"09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com"},
	"grant_type":    {"authorization_code"},
	"code":          {code},
	"redirect_uri":  {"myaudi:///"},
	"response_type": {"token id_token"},
})

You'll need the url-encoding header, if in doubt please show the complete request.


LionelJeans avatar LionelJeans commented on September 18, 2024

That's exactly what I use. Which header do you use?
The code of the redirect request is 1441 characters long. Is that correct?
As a hint, I work in C#.

As a header I use:
("Accept", "application / json")
("X-App-Name", "myAudi")
("X-App-Version", "3.14.0")
("X-Market", "de_DE")
("User-Agent", "okhttp / 3.7.0")
and in addition I add
("referer", "https://identity.vwgroup.io/signin-service/v1/signin/{client_id}client_id}?{nameof(relayState)}={relayState}")

I send this via HttpClient as a POST.

How do you pass the data to your POST request? As JSON or as a URL-encoded string?

andig avatar andig commented on September 18, 2024

Data and header need be url-encoded!

LionelJeans avatar LionelJeans commented on September 18, 2024

URL encoded or not, it doesn't work.
Is the query given with the data or just the URL?

e.g. URL with data query:
https://app-api.my.audi.com/myaudiappidk/v1/token?client_id%3d09b...a8c24da%40apps_vw-dilab_com&grant_type%3dauthorization_code&code%3de...bUThA&redirect_uri%3dmyaudi%3a%2f%2f%2f&response_type%3dtoken+id_token
or only the URL:
https://app-api.my.audi.com/myaudiappidk/v1/token

andig avatar andig commented on September 18, 2024

URL encoded or not, it doesn't work.

It does ;)

You'll need the url-encoding header, if in doubt please show the complete request.

@LionelJeans could you kindly just show your entire request? Data needs to go into the body. If I had to guess, you're using the wrong encoding method for your body, and I don't see any = in your query example (which is wrong anyway since it's not in the body).

LionelJeans avatar LionelJeans commented on September 18, 2024

Hi, I attached Fiddler to my POST request once. I hope it helps. :)
[screenshot: Fiddler capture of the request]

and the result:
[screenshot: Fiddler capture of the response]

andig avatar andig commented on September 18, 2024

@LionelJeans it's wrong in about every dimension:

  • header must be application/x-www-form-urlencoded
  • data must go into body
  • data must be form-encoded (client_id=....), you've killed the = signs
  • headers should accept /

LionelJeans avatar LionelJeans commented on September 18, 2024

Yes, thank you! :) form-url-encoded did it.
I had to rebuild the C# POST request a bit. The direct assignment of form-url-encoded did not work; I had to use the "FormUrlEncodedContent" class. Now it's working. Many thanks!

LionelJeans avatar LionelJeans commented on September 18, 2024

Hi, I have now started to implement this in Python. Getting the user and password credentials works. I fail to get the code in the response Location header; the redirects are apparently not carried out. Do you have some useful tips for me? I oriented myself on the audiapi implementation. Thanks :)

davidgiga1993 avatar davidgiga1993 commented on September 18, 2024

Hi, I have now started to implement this in Python. Getting the user and password credentials works. I fail to get the code in the response Location header; the redirects are apparently not carried out. Do you have some useful tips for me? I oriented myself on the audiapi implementation. Thanks :)

Take a look at the latest branch of this repo, the login is already implemented correctly

LionelJeans avatar LionelJeans commented on September 18, 2024

OK, your code is running. I don't understand what the problem with mine is. Maybe it is due to the session of the request. Thank you.

LionelJeans avatar LionelJeans commented on September 18, 2024

Hi, have you had problems with the Audi API since yesterday? When the APPIDKTOKEN is called, error 403 occurs in the API in the _handle_response method.

andig avatar andig commented on September 18, 2024

VW uses "https://mbboauth-1d.prd.ece.vwg-connect.com/mbbcoauth/mobile/register/v1" instead of https://app-api.my.audi.com/myaudiappidk/v1/token, maybe we're seeing further steps of standardizing the VW/Audi APIs?

LionelJeans avatar LionelJeans commented on September 18, 2024

I checked my old code from the beginning of the year; there I had used the VW link. I have now exchanged the Audi link for the VW link in the Audi API. As a result I get an error while decoding the response to JSON (error 404). The response text from the VW URL is:

<!doctype html><title>HTTP Status 415 – Unsupported Media Type</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style>

HTTP Status 415 – Unsupported Media Type


Type Status Report

Description The origin server is refusing to service the request because the payload is in a format not supported by this method on the target resource.


Server Unknow/1.0.00

markus7017 avatar markus7017 commented on September 18, 2024

Hi,
I also got stuck working to the openHAB integration. The WebUI uses client_id "c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com".

I suppose that they block access to the App API from Web Apps ("forbidden_client"). If they use different client_id for different Apps it's easy to block/allow access to the token API per App.

The magic is to get the correct flow from the decompiled APK, but that's really tricky.

markus7017 avatar markus7017 commented on September 18, 2024

@sandermvanvliet Do you know Frida? https://omespino.com/tutorial-universal-android-ssl-pinning-in-10-minutes-with-frida/ and Frida Gadget?

sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

@markus7017 I stubbed out the certificate pinning directly and repackaged the APK.

sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

I can confirm the 403 Forbidden response on the token endpoint, I'm actually also seeing it from the app itself.
The iOS app on my phone did show an update, tried the login process there and that does work.
Going to check if there has been an update to the Android app to see if I can figure out what changed.

andig avatar andig commented on September 18, 2024

That's funny: the iOS app is working for me while I'm getting the 403 using the API manually at the same time.

markus7017 avatar markus7017 commented on September 18, 2024

The iOS app works for me; I would be really surprised if they activated a blocking change while the apps are not ready for it for a long time. Did you try the unmodified app?

sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

I figured out what changed. The token endpoint now expects a new header X-QMAuth which is a crypto hash of a bunch of time stamps.
Worked out how to create it and managed to retrieve a token again. It’s a bit annoying because you can forget about making postman calls.

markus7017 avatar markus7017 commented on September 18, 2024

Could you please give more insights, so we could work on an implementation?

markus7017 avatar markus7017 commented on September 18, 2024

I found this; it relates to the VW Car-Net auth but looks very familiar.
description: https://github.com/thomasesmith/vw-car-net-api
implementation: https://github.com/thomasesmith/php-vw-car-net/blob/master/src/Authentication.php

sandermvanvliet avatar sandermvanvliet commented on September 18, 2024

The header takes this format: v1:934928ef:7fe477d6ccc40d4be052d625b8a0fcebaab222df0bae7246631d7ec67f900451
Where v1 is static, 934928ef is some sort of client id and is also static. The last part is a HMAC-SHA256 hash of a timestamp and a time delta.
The time delta is obtained by first retrieving the OIDC configuration and using the value in the Date header and then subtracting this value from the current time. This will give you the delta in milliseconds.
The value that is hashed is (delta + current timestamp) / 100000.

The key that is used for the HMAC-SHA256 hash can be found in the APK, I won't share it here because I'm not sure that would be legal.

The good news is that this header is only used on the token endpoint and you won't need it on any of the others.

antoinevandenhurk avatar antoinevandenhurk commented on September 18, 2024

Hope you can solve this problem!

andig avatar andig commented on September 18, 2024

What @sandermvanvliet wrote is of course correct, but it seems it can be simplified. The endpoint only needs a signed timestamp, rounded to 100 s. In Go it looks like this:

millis := time.Now().UnixNano() / 1e6
fmt.Printf("millis: %d\n", millis)

// milliseconds / 1e5 = 100-second buckets; this is the value that gets signed
truncated := strconv.FormatInt(millis/1e5, 10)
fmt.Printf("truncated: %s\n", truncated)

// the MAC has to exist before anything is written to it
mac := hmac.New(sha256.New, secret)
mac.Write([]byte(truncated)) // hash.Hash.Write never returns an error
hash := mac.Sum(nil)
fmt.Printf("hash: %x\n", hash)

hashString := fmt.Sprintf("v1:%s:%x", clientIDAlias, hash)
fmt.Printf("header: %s\n", hashString)

The endpoint for obtaining the token has changed to https://app-api.my.audi.com/myaudiappidk/v1/emea/token.

markus7017 avatar markus7017 commented on September 18, 2024

Sometimes it's much easier than we think, I'm back on track with a working token exchange and access to the API.
The magic: You need to replace response_type=code with response_type=token%20id_token in the OAuth start url and the process ends up providing id_token, access_token and expires_in in the resulting URL (instead of code=). This makes a call with X-QMAuth header obsolete and bypasses that hurdle!

Those are the supported auth types, also for Web-OAuth process:
"response_types_supported":[
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token"
],

I suppose "response_type=code%20token%20id_token" will return all 3, but I don't know if code is used for other things.
For the stuff I implemented, id_token and access_token are fine (+ security_token).

I also followed the VW CarNet description above and generate state and nonce values rather than using hard coded values. Now it looks like:

String clientId = "09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com";
String urlClientId = urlEncode(clientId);
String state = UUID.randomUUID().toString();
String nonce = generateNonce();
String url = "https://identity.vwgroup.io/oidc/v1/authorize"
         + "?response_type=token%20id_token"
         + "&client_id=" + urlClientId
         + "&redirect_uri=myaudi%3A%2F%2F%2F"
         + "&scope=address%20profile%20badge%20birthdate%20birthplace%20nationalIdentifier%20nationality%20profession%20email%20vin%20phone%20nickname%20name%20picture%20mbb%20gallery%20openid"
         + "&state=" + state
         + "&nonce=" + nonce
         + "&prompt=login&ui_locales=de-DE%20de";

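
The two protections that the state and nonce parameters in the snippet above buy (binding the redirect to the request that started it, and binding the id_token to that request) only work if the client actually checks them when the redirect comes back. The following is an added example, not code from this thread or from the audiapi project: it builds the authorize URL with fresh random state/nonce in Python, then parses the implicit-flow redirect (tokens arrive in the URL fragment, not the query) and rejects a state or nonce mismatch. The endpoint, client_id, redirect_uri and scope list are taken from the comment above; the helper names, the unsigned test token and the sample callback are constructed for this example.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Values taken from the thread; everything else in this block is an assumption.
AUTHORIZE_URL = "https://identity.vwgroup.io/oidc/v1/authorize"
CLIENT_ID = "09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com"
REDIRECT_URI = "myaudi:///"
SCOPE = ("address profile badge birthdate birthplace nationalIdentifier nationality "
         "profession email vin phone nickname name picture mbb gallery openid")


def build_authorize_url(state=None, nonce=None):
    """Build the implicit-flow authorize URL.

    Returns (url, state, nonce). Fresh random values are generated unless the
    caller supplies them (only useful for tests); the caller must remember
    both until the redirect comes back.
    """
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "response_type": "token id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "nonce": nonce,
        "prompt": "login",
        "ui_locales": "de-DE de",
    }
    # quote_via=quote gives %20 for spaces (as in the thread) rather than '+'.
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote), state, nonce


def _jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Good enough for the nonce check below; before any claim is trusted the
    signature must be verified against the issuer's JWKS.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def parse_callback(callback_url, expected_state, expected_nonce):
    """Extract the tokens from the redirect and reject a mismatched state/nonce.

    With response_type=token id_token the values arrive in the URL fragment
    (after '#'), not in the query string.
    """
    fragment = urlsplit(callback_url).fragment
    if not fragment:
        raise ValueError("no fragment in callback (code flow response or an error page?)")
    params = {k: v[0] for k, v in parse_qs(fragment, strict_parsing=True).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to our request")
    id_token = params["id_token"]
    if _jwt_payload(id_token).get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: id_token was not issued for this request")
    return {
        "id_token": id_token,
        "access_token": params["access_token"],
        "expires_in": int(params["expires_in"]),
    }


def make_unsigned_test_token(claims):
    """Constructed test data only: a JWT-shaped string with an empty signature."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none"}) + "." + b64(claims) + "."


if __name__ == "__main__":
    url, state, nonce = build_authorize_url()
    print("open:", url)
    # Constructed callback standing in for what the identity provider redirects to.
    fake = make_unsigned_test_token({"sub": "user", "nonce": nonce})
    callback = f"myaudi:///#access_token=at&id_token={fake}&expires_in=3600&state={state}"
    print(parse_callback(callback, state, nonce))
```

The state check is what stops a redirect captured from one login from being fed into another session; the nonce check is what stops an id_token obtained earlier from being replayed. Both are worthless if the values are hard-coded, which is why generating them per request (as the comment above switched to) matters.
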
andig avatar andig commented on September 18, 2024

Confirmed, why go for "code" when you can have "id_token" ;) It looks much more like the VW login now. The remaining difference is the exchange of the id token into an access token.

LionelJeans avatar LionelJeans commented on September 18, 2024

The call with "token id_token" response type does not work for me.
Do all other calls have to be made beforehand? Which calls have to be made before and after? So first the "code" call has to be carried out because the credentials are passed on there,
then the new call ...
Can you describe that?

andig avatar andig commented on September 18, 2024

See https://github.com/andig/evcc/blob/master/vehicle/audi.go for the actual implementation

arjenvrh avatar arjenvrh commented on September 18, 2024

I can also confirm that the new flow is working. See https://github.com/arjenvrh/audi_connect_ha/blob/master/custom_components/audiconnect/audi_services.py for a Python implementation

pergolafabio avatar pergolafabio commented on September 18, 2024

So @arjenvrh, are you going to put a new version on HACS?

titiviking avatar titiviking commented on September 18, 2024

I confirm it is working also!

antoinevandenhurk avatar antoinevandenhurk commented on September 18, 2024

I confirm it is working also

I can connect again, but with less entities...

pergolafabio avatar pergolafabio commented on September 18, 2024

I confirm it is working also

I can connect again, but with less entities...

Yes, same here, only 2 entities in HA instead of about 15 like before...

I only have the lock and model sensor.

antoinevandenhurk avatar antoinevandenhurk commented on September 18, 2024

Just 10 more entities after login. Removed integration and now 24 entities after login without pin and region ...

pergolafabio avatar pergolafabio commented on September 18, 2024

Ok, gonna try later without pin and without region...
What region are you normally in? Also DE?

antoinevandenhurk avatar antoinevandenhurk commented on September 18, 2024

Ok, gonna try later without pin and without region...
What region are you normally in? Also DE?

Yes "DE"

pergolafabio avatar pergolafabio commented on September 18, 2024

Tried again, but still 2 entities; it doesn't matter if I put in the region or not...
But I also installed the Audi Android app and don't see any status there anymore either, like fuel tank; I can only lock and unlock...

I see my warranty expired last week... I never had Audi connect services before (paid edition), maybe it's because of the warranty.

andig avatar andig commented on September 18, 2024

You might want to have the HA-related discussion in audiconnect/audi_connect_ha#48 (comment)?

markus7017 avatar markus7017 commented on September 18, 2024

Is anybody aware of a 2nd authentication? I'm still trying to figure out why access to the climatization, trip data and statistics etc. is blocked even though the car has a climator and the above auth has been performed. The operationList shows those services as enabled and with a valid license, but also lists "id":"requestExtAuthV200" under rolesrights_authorization_v2. Maybe climater and pre-heater are one unit, but there is no access to trip_statistic_v1 (result 403).
Does anybody know if there is a 2nd level of authentication? I also tried to add climatization to the scope (as it is listed as a supported value in the OIDC config).

markus7017 avatar markus7017 commented on September 18, 2024

@andig and all of you. After we got the login working I'm struggling with token refresh.
I made sure that headers and URL are OK and also use a form-encoded body, but I get the same error we had before with the login (forbidden_client). Does anybody have this working? Maybe it also requires the X-QMAuth header, or does someone know if web-based OAuth could also be used for that?

andig avatar andig commented on September 18, 2024

@markus7017 would you like to show your request? You don't need the X-QMAuth request/header at all if you directly request the id_token instead of the code. Refreshing looks like this for me; the POST body is url-encoded:

headers := map[string]string{
	"Content-Type": "application/x-www-form-urlencoded",
	"X-Client-Id":  v.clientID,
}

data := url.Values(map[string][]string{
	"grant_type":    {"refresh_token"},
	"refresh_token": {v.tokens.RefreshToken},
	"scope":         {"sc2:fal"},
})

markus7017 avatar markus7017 commented on September 18, 2024

Hi @andig ,

this is the request:

POST https://app-api.my.audi.com/myaudiappidk/v1/emea/token
Data: grant_type=refresh_token+refresh_token=eyJ0eXAiOiJKV1QiL...+scope=sc2%3Afal
headers: 
Accept-Encoding: gzip
User-Agent: okhttp/3.7.0
Content-Type: application/x-www-form-urlencoded
X-Client-Id: 77869e21-e30a-4a92-b016-48ab7d3db1d8
Content-Length: 1235

and response

{"error":"forbidden_client","error_description":"Access forbidden"}
Headers: Content-Encoding: gzip
Content-Type: application/json;charset=UTF-8
Server: Audi
Strict-Transport-Security: max-age=31536000; includeSubDomains
x-envoy-upstream-service-time: 1
Content-Length: 76
Date: Thu, 05 Nov 2020 20:01:30 GMT
Connection: close
Vary: Accept-Encoding
x-myaudi: m2

A POST to https://id.audi.com/v1/token provides the same result.

Are you sending

  • data as URL parameters
  • form data in the body
  • JSON data in the body?

Which token do you use as refresh_token, the one returned for id_token, audi token or vw token?

andig avatar andig commented on September 18, 2024

Just from a glance: your body encoding looks broken. Must be &refreshtoken... not +! Not url-encoded it is ;)

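
The body encoding mistake diagnosed just above (pairs glued with "+" instead of "&") and the earlier one with the "=" signs percent-encoded both produce a syntactically valid body that the server decodes into fields the client never intended, so the only visible symptom is an authorization error. The following is an added example, not code from this thread or from the audiapi project: it builds the refresh request body in Python with the standard form encoder, and then decodes the correct body and the two broken variants the way a form-aware server would, so the difference is visible without sending anything. The endpoint, header names and field names are as given in the thread; the helper names and the sample token strings are constructed.

```python
from urllib.parse import parse_qs, urlencode

# Endpoint and field names as given in the thread; the helpers are an assumption.
TOKEN_URL = "https://app-api.my.audi.com/myaudiappidk/v1/emea/token"


def build_refresh_request(refresh_token, client_id, scope="sc2:fal"):
    """Return (headers, body) for a refresh_token grant.

    The body is application/x-www-form-urlencoded: name=value pairs joined
    by '&', with the '=' separators left as-is and only the values
    percent-encoded (sc2:fal becomes sc2%3Afal). Nothing goes into the URL.
    """
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    })
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Client-Id": client_id,
        "Content-Length": str(len(body.encode())),
    }
    return headers, body


def server_view(body):
    """Decode a body the way a form-aware server does.

    Returns the field dict the server will act on; anything missing here is
    missing for the server as well, which is what an 'Access forbidden' or
    'Bad client credentials' answer reflects when the client id is right.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def compare_encodings(refresh_token):
    """Show what the server sees for the correct body and for the two
    mis-encodings that came up in this thread (constructed examples)."""
    _, correct = build_refresh_request(refresh_token, "client-id-placeholder")
    # Pairs glued with '+' instead of '&': '+' is a space in form encoding,
    # so the whole thing becomes one field named grant_type.
    plus_joined = ("grant_type=refresh_token+refresh_token=" + refresh_token
                   + "+scope=sc2%3Afal")
    # '=' percent-encoded as %3d: the name/value separator disappears and the
    # server sees field names like 'grant_type=refresh_token' with no value.
    equals_encoded = ("grant_type%3drefresh_token&refresh_token%3d" + refresh_token
                      + "&scope%3dsc2%3Afal")
    return {
        "correct": server_view(correct),
        "plus_joined": server_view(plus_joined),
        "equals_encoded": server_view(equals_encoded),
    }


if __name__ == "__main__":
    for name, fields in compare_encodings("eyJ0eXAiOiJKV1Qi.constructed.token").items():
        print(f"{name:15s} -> {fields}")
```

Running it prints one decoded dict per variant: only the correct body yields a refresh_token field at all. Decoding your own body with the server-side parser before sending it is a cheap way to catch this class of mistake in any language; the C# FormUrlEncodedContent class and Go's url.Values mentioned earlier in the thread are the equivalents of urlencode here.
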
markus7017 avatar markus7017 commented on September 18, 2024

Now I get

POST https://id.audi.com/v1/token
Data: grant_type=refresh_token&refresh_token=eyJraWQiOiJN...&scope=sc2:fal
Headers: Accept-Encoding: gzip
User-Agent: okhttp/3.7.0
Accept: application/json
Content-Type: application/x-www-form-urlencoded
X-App-Name: myAudi
X-App-Version: 3.14.0
X-Client-Id: 09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com
Content-Length: 786


HTTP Response: {"error":"invalid_client","error_description":"Bad client credentials"}
 Headers: Date: Thu, 05 Nov 2020 22:12:36 GMT
Server: unknown/1.0.0
X-Myaudi-Request-Id: 242_IDSSO:f3626241-70e5-42e0-8eb6-b6a29172c69b
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-store
Pragma: no-cache
WWW-Authenticate: Form realm="oauth", error="invalid_client", error_description="Bad client credentials"
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked

URL correct?
Audi Token or VW Token?
Is the X-ClientId correct?

andig avatar andig commented on September 18, 2024

I'm not sure what's going on. I'm getting the Audi access token from https://mbboauth-1d.prd.ece.vwg-connect.com/mbbcoauth/mobile/oauth2/.... https://id.audi.com/v1/token is not part of the flow I'm using. The refresh token comes from the same endpoint. See https://github.com/andig/evcc/blob/master/vehicle/audi.go#L86 for the flow.

markus7017 avatar markus7017 commented on September 18, 2024

Now I get an HTTP 500 - grrr

HTTP POST https://mbboauth-1d.prd.ece.vwg-connect.com/mbbcoauth/mobile/oauth2/v1/token
Data:
grant_type=refresh_token&refresh_token=eyJ0eXAiO...&scope=sc2:fal
Headers: 
Accept-Encoding: gzip
User-Agent: Jetty/9.4.20.v20190813
X-Client-Id: 77869e21-e30a-4a92-b016-48ab7d3db1d8
X-App-Name: myAudi
X-App-Version: 3.14.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1233

Do we want to chat 1:1 My e-mail is [email protected]

andig avatar andig commented on September 18, 2024

Chatted with @markus7017 the other day.

I've just had the following case popup with an A6 TFSIe:

GET https://msg.volkswagen.de/fs-car/usermanagement/users/v1/Audi/DE/vehicles
200 OK

GET https://msg.volkswagen.de/fs-car/bs/batterycharge/v1/Audi/DE/vehicles/WAUZZZ..../charger
403 Forbidden

{"error":{"errorCode":"batterycharge.auth.forbidden","description":"The context was invalid, 
deduced from the fact that there are no security requirements for the combination of service, 
operation and channel stored in MBB R&R."}}

Apparently there are no permissions for the battery API for that VIN. Has anybody experienced similar?

/cc @sandermvanvliet
