Thema "Re: Step 2: Authorization code exchange ==> invalid-token-request" in Getting started programming with the Viessmann API

Step 2: Authorization code exchange ==> invalid-token-request

Kevinski — Wed, 13 Apr 2022 11:08:32 GMT

Hello,

So I'm new here and trying to use the API so created a client id in the Developer Portal and a code chalenge/verifier using th github tool in the doc.

client id : xxx

url : yyy

code challenge : zzz

code verif : aaa

I accessed the url with a browser :

https://iam.viessmann.com/idp/v2/authorize?client_id=xxx&redirect_uri=http://yyy&response_type=code&code_challenge=zzz&scope=IoT%20User

Then got the code from the redirect url

code : bbb

curl -X POST "https://iam.viessmann.com/idp/v2/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&client_id=xxx&redirect_uri=http://yyy&code_verifier=aaa&code=bbb"

btw, I also tried with postman instead of curl.

and everytime I get :

{

"error": "invalid-token-request"

}

I'm open for any idea about what I'm doing wrong !

Thanks in advance !

Re: Step 2: Authorization code exchange ==> invalid-token-request

MichaelHanna — Wed, 13 Apr 2022 11:35:45 GMT

Hi @Kevinski ,

I am happy to hear that you want to tryout our API! I am happy to support you.

One thing I noticed in your description is that for the parameters of your client, you define "yyy" as the redirect URI. When looking at your request for the 2nd step of the authorization, the redirect URI in the URL is "http://yyy". Have you also put the "http://" in the definition of the redirect URI for the client? I assume this is the case, but would like to make this sure because it could be misunderstood based on what you wrote.

Also, please try to execute the 1st step in an incognito window. This could also help.

Lastly, you could try the code challenge / verifier combination from the example given in the documentation.

Let me know if this helps.

Best regards,

Michael

Re: Step 2: Authorization code exchange ==> invalid-token-request

Kevinski — Wed, 13 Apr 2022 11:42:45 GMT

Hello Michael,

Thanks for you quick reply.

The url used in the actual api url is correct. Let's just say the url variable in that "code" is url : sub.domain.tld

so in the query it's actually http://sub.domain.tld

I'll try to execute step 1 in incognito and let you know !

Re: Step 2: Authorization code exchange ==> invalid-token-request

Kevinski — Wed, 13 Apr 2022 11:50:33 GMT

I tried in Incognito and it does not work.

Also I noticed something weird when trying your 3rd solution : the code_verifier and code_challenge values are the same in the doc (cf attachment)

Re: Step 2: Authorization code exchange ==> invalid-token-request

MichaelHanna — Wed, 13 Apr 2022 12:34:44 GMT

Sorry if I have to ask again. For the definiton of the client within the Developer Portal, have you put "http://sub.domain.tld" as Redirect URI? If you have just put "sub.domain.tld" there, then it would not work.

For the code verifier / challenge, we used the same in the example, which is working but might not always be recommended. However, I just wanted to exclude potential error sources during the testing so that you get a first authorization successfully done 🙂

Re: Step 2: Authorization code exchange ==> invalid-token-request

Kevinski — Wed, 13 Apr 2022 12:58:32 GMT

Michael,

Here are the actual urls used in my last test (i also tried with an actual domain name i own) :

step 1:

https://iam.viessmann.com/idp/v2/authorize?client_id=xxxxx&redirect_uri=http://127.0.0.1:5555/&response_type=code&code_challenge=xxxxxxx&scope=IoT%20User

step 2:

curl -X POST "https://iam.viessmann.com/idp/v2/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&client_id=xxxxxxxx&redirect_uri=http://127.0.0.1:5555/&code_verifier=xxxxxxxxx&code=xxxxxxxxxx"

Edit : I also tried with the code verifier / challenge provided in the doc, no luck 😕

Edit2 : Tried to delete and recreate a client with a different client id in the Developer Portal... still no luck

Re: Step 2: Authorization code exchange ==> invalid-token-request

MichaelHanna — Wed, 13 Apr 2022 16:01:49 GMT

Could you please tryout in Postman to see if it works for you? Here is a collection you can use as a template for the requests (it is not possible to upload a .json file here, so please copy the text into a textfile and change the file format to .json)

Let me know if it works for you. Otherwise I am happy to send you the Postman collection via mail.

{
"info": {
"_postman_id": "64e6ad3a-b1dd-4fef-995b-a23972fc3fab",
"name": "VIessmann API - Authentication",
"description": "This is a Postman collection for the Viessmann API. It contains the following section:\n\n* Authentication\n \n\nFor general steps to get started, please go to the API documentation page 'getting started': [https://documentation.viessmann.com/static/get-started](https://documentation.viessmann.com/static/get-started)",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
},
"item": [
{
"name": "Authorization request",
"request": {
"method": "GET",
"header": [
{
"key": "Content-Type",
"name": "Content-Type",
"value": "application/x-www-form-urlencoded",
"type": "text"
}
],
"url": {
"raw": "https://iam.viessmann.com/idp/v2/authorize?client_id={{client_id}}&redirect_uri=http://localhost:4200/&response_type=code&code_challenge={{code_challenge}}&scope=IoT User offline_access",
"protocol": "https",
"host": [
"iam",
"viessmann",
"com"
],
"path": [
"idp",
"v2",
"authorize"
],
"query": [
{
"key": "client_id",
"value": "{{client_id}}"
},
{
"key": "redirect_uri",
"value": "http://localhost:4200/"
},
{
"key": "response_type",
"value": "code"
},
{
"key": "code_challenge",
"value": "{{code_challenge}}"
},
{
"key": "scope",
"value": "IoT User offline_access"
}
]
},
"description": "The /authorize endpoint of our IAM platform is used to request an authorization code."
},
"response": []
},
{
"name": "Authorization code exchange",
"request": {
"method": "POST",
"header": [
{
"key": "Content-Type",
"name": "Content-Type",
"value": "application/x-www-form-urlencoded",
"type": "text"
}
],
"body": {
"mode": "urlencoded",
"urlencoded": []
},
"url": {
"raw": "https://iam.viessmann.com/idp/v2/token?grant_type=authorization_code&client_id={{client_id}}&redirect_uri=http://localhost:4200/&code_verifier={{code_challenge}}&code={{code}}",
"protocol": "https",
"host": [
"iam",
"viessmann",
"com"
],
"path": [
"idp",
"v2",
"token"
],
"query": [
{
"key": "grant_type",
"value": "authorization_code"
},
{
"key": "client_id",
"value": "{{client_id}}"
},
{
"key": "redirect_uri",
"value": "http://localhost:4200/"
},
{
"key": "code_verifier",
"value": "{{code_challenge}}"
},
{
"key": "code",
"value": "{{code}}"
}
]
},
"description": "With the authorization code you can request an access token."
},
"response": []
},
{
"name": "Authorization code exchange - with Refresh Token",
"request": {
"method": "POST",
"header": [
{
"key": "Content-Type",
"name": "Content-Type",
"value": "application/x-www-form-urlencoded",
"type": "text"
}
],
"body": {
"mode": "urlencoded",
"urlencoded": []
},
"url": {
"raw": "https://iam.viessmann.com/idp/v2/token?client_id={{client_id}}&grant_type=refresh_token&refresh_token={{refresh_token}}",
"protocol": "https",
"host": [
"iam",
"viessmann",
"com"
],
"path": [
"idp",
"v2",
"token"
],
"query": [
{
"key": "client_id",
"value": "{{client_id}}"
},
{
"key": "grant_type",
"value": "refresh_token"
},
{
"key": "refresh_token",
"value": "{{refresh_token}}"
}
]
},
"description": "With the authorization code you can request an access token."
},
"response": []
}
],
"event": [
{
"listen": "prerequest",
"script": {
"type": "text/javascript",
"exec": [
""
]
}
},
{
"listen": "test",
"script": {
"type": "text/javascript",
"exec": [
""
]
}
}
]
}

Re: Step 2: Authorization code exchange ==> invalid-token-request

Kevinski — Wed, 13 Apr 2022 19:46:08 GMT

Thank you for your time Michael, unfortunately it does not work.

If you're ok with that I could send you a private message with a detailed screenshot with visible client id and such ?

Betreff: Step 2: Authorization code exchange ==> invalid-token-request

bg24 — Wed, 13 Apr 2022 20:51:24 GMT

I'm facing exact the idential issue. Using Postmaster or curl command, I always get

{
"error": "invalid-token-request"
}

Here is the url request for reference:

https://iam.viessmann.com/idp/v2/token?

client_id= ....verified as per my account

redirect_uri=http://localhost:4200/

grant_type=authorization_code

code_verifier=2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c

code= xxxx that's the code I received from step 1

Need to take a brake now to reflect...

Re: Step 2: Authorization code exchange ==> invalid-token-request

MichaelHanna — Thu, 14 Apr 2022 05:59:13 GMT

@Kevinski sure you can send me the information via direct message.

Also, when you get the error in step 2, please immediately try again, starting from step 1. Let me know if second (or third) attempt works for you.

Re: Step 2: Authorization code exchange ==> invalid-token-request

Kevinski — Thu, 14 Apr 2022 06:48:14 GMT

@MichaelHanna Thanks for your answer, I tried 3 times in a row (getting a new code each time) and still the same issue.

I tried a 4th time changing code challenge / verif to 2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c and it worked... once

I tried a 5th,6th, 7th time with "IoT User offline_access" instead of "IoT User" for the scope and no more luck...(changing the code in step 2 each time with the one i got in step 1)

Not sure what is wrong but something's not right somewhere 😕

Re: Step 2: Authorization code exchange ==> invalid-token-request

MichaelHanna — Thu, 14 Apr 2022 06:53:31 GMT

Thanks for your additional attempts. I will check with out IT to have a closer look why the authorization attempts fail. I will let you know when I get an answer on this.

Also, happy to receive your screenshot and the complete requests you are executing.

Re: Step 2: Authorization code exchange ==> invalid-token-request

Kevinski — Thu, 14 Apr 2022 07:04:54 GMT

Michael,

I just sent you a pm with the complete requests.

Thanks for your time !

Betreff: Step 2: Authorization code exchange ==> invalid-token-request

VLaubsch — Sun, 17 Apr 2022 10:19:25 GMT

Hello, I have the same problem. I'm currently trying out the API and failing at authentication in the second step with "error": "invalid-token-request". I've tried curl and postman. No matter what I do, I always get this error.

Authorization request works fine:

https://iam.viessmann.com/idp/v2/authorize?client_id={ID_FROM_DASHBOARD}&redirect_uri=http://localhost:4200/&response_type=code&code_challenge=2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c&scope=IoT User offline_access

Authorization code request fails:

https://iam.viessmann.com/idp/v2/token?grant_type=authorization_code&client_id={ID_FROM_DASHBOARD}&redirect_uri=http://localhost:4200&code_verifier=2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c&code={CODE_FROM_FIRST_AUTHORIZATION_REQUEST}

*{} are placeholder for the values/codes

Can you check your system function please or am I doing something wrong?

Thanks

Re: Betreff: Step 2: Authorization code exchange ==> invalid-token-request

MichaelHanna — Tue, 19 Apr 2022 07:54:37 GMT

I got the information that the expiration time of the code in step 1 is set to 20 seconds due to security reasons. This means to obtain a refresh token / access token, step 2 must be executed below 20 seconds after code creation.

@VLaubsch please check if this works for you. @Kevinski already confirmed that this worked. 🙂

Best regards,

Michael

Re: Step 2: Authorization code exchange ==> invalid-token-request

Kevinski — Tue, 19 Apr 2022 08:03:30 GMT

Michael Helped a lot with the issue and he found out that they recently changed the TTL for the step 1 code to 20 seconds.

Authentification must then be done with a script in order to be fast enough.

Here's an example providing that you can setup a local apache server on port 4200 or add another valid "Redirect URI" of your choice to the API client.

index.php file accessible at http://localhost:4200

<?php

$clientid='xxx'; //your actual client id

$code_verif='2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c'; //viessmann's working code verif example

$url = 'https://iam.viessmann.com/idp/v2/token';

$data = array(

'grant_type'=>'authorization_code',

'client_id'=>$clientid,

'redirect_uri' => 'http://localhost:4200/',

'code_verifier' => $code_verif,

'code'=>$_GET['code']);

$options = array(

'http' => array(

'header' => "Content-type: application/x-www-form-urlencoded\r\n",

'method' => 'POST',

'content' => http_build_query($data)

)

);

$context = stream_context_create($options);

$result = file_get_contents($url, false, $context);

var_dump($result);

After that just call https://iam.viessmann.com/idp/v2/authorize?client_id=###your actual client id###&redirect_uri=http://localhost:4200/&response_type=code&code_challenge=2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c&scope=IoT User offline_access

from a browser (don't forget to change ###your actual client id### to the correct value, the code_challenge value is the one from viessmann's example (a working one).

After you log in with your viessmann account it'll redirect to your localhost:4200 script and get you the step 2 access and refresh token.

Hope it helps 🙂

Re: Step 2: Authorization code exchange ==> invalid-token-request

sbtnk — Wed, 27 Apr 2022 19:03:24 GMT

Hello

My integration works well till 13.04.2022 21:00, request to API since 21:15 failed with error invalid-token-request

No changes in my integration.

I tried to refresh token manually (Step 1) for few times but result still the same.

My integration have requests (step 1 and step 2) exactly as described here. Everything the same and previously the same requests works correctly.

I also do step 2 quickly (about 10 seconds) after step 1.

I am lost.

Any ideas please?

Betreff: Step 2: Authorization code exchange ==> invalid-token-request

ArrowX — Sun, 28 Aug 2022 08:57:06 GMT

I am having exactly the same troubles as @sbtnk . Is there any solution?

Betreff: Step 2: Authorization code exchange ==> invalid-token-request

cb1000r — Mon, 29 Aug 2022 09:36:37 GMT

Since yesterday morning I have the same problem. My integration worked for several months. If I remember correctly there was some viessmann maintenance work during the weekend. Maybe they have changed the authentication...!?

Re: Step 2: Authorization code exchange ==> invalid-token-request

MichaelHanna — Tue, 30 Aug 2022 08:00:12 GMT

Hi everyone, the maintenance work on the weekend did not change anything on the authentication for the API.

In general, refresh tokens have a lifetime (TTL) of 180 days.

For creating a new refresh/access token, you can try and use the following postman collection, which contains the relevant API calls: https://www.postman.com/vimicho/workspace/viessmann-api-public/collection/12055031-17157e90-a2e8-47b6-a7b8-2320c2941db3?action=share&creator=12055031

Please make sure, like @sbtnk mentioned, that the code received in Step1 is only valid for 20 seconds, which means you have to execute Step2 of the authentication within those 20 seconds.

If the problem still occurs, please let me know here once more.

Best,

Michael