https://community.viessmann.de/t5/Getting-started-programming-with/refreshtoken-w-o-access-token-security/m-p/186887#M68 <P>Hello,</P><P>&nbsp;</P><P>I just tried to get started with the API.</P><P>I still hang at the auth process and don't understand why I can do this:</P><P>curl -X POST "<A href="https://iam.viessmann.com/idp/v2/token" target="_blank">https://iam.viessmann.com/idp/v2/token</A>" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&amp;client_id=&lt;client_id&gt;&amp;refresh_token=&lt;refresh_token&gt;"</P><P>&nbsp;</P><P>When looking up the API of my wallbox: <A href="https://api.easee.cloud/index.html" target="_blank">https://api.easee.cloud/index.html</A></P><P>I have to provide the access token AND the refresh token to get a new token and I have to make an authenticated call.</P><P>&nbsp;</P><P>For viessmann, I just need the client id and the former refresh token to get a new access token.</P><P>&nbsp;</P><P>I suggest to improve this and make it more secure, by ALWAYS require the access token AND the Bearer authentication when doing a refresh.</P><P>&nbsp;</P><P>This is much harder to hack, than this simple way.</P><P>&nbsp;</P><P>Regards</P> Sat, 18 Sep 2021 16:19:44 GMT ul0815 2021-09-18T16:19:44Z https://community.viessmann.de/t5/Getting-started-programming-with/refreshtoken-w-o-access-token-security/m-p/186887#M68 <P>Hello,</P><P>&nbsp;</P><P>I just tried to get started with the API.</P><P>I still hang at the auth process and don't understand why I can do this:</P><P>curl -X POST "<A href="https://iam.viessmann.com/idp/v2/token" target="_blank">https://iam.viessmann.com/idp/v2/token</A>" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&amp;client_id=&lt;client_id&gt;&amp;refresh_token=&lt;refresh_token&gt;"</P><P>&nbsp;</P><P>When looking up the API of my wallbox: <A href="https://api.easee.cloud/index.html" target="_blank">https://api.easee.cloud/index.html</A></P><P>I have to provide the access token AND the refresh token to get a new token and I have to make an authenticated call.</P><P>&nbsp;</P><P>For viessmann, I just need the client id and the former refresh token to get a new access token.</P><P>&nbsp;</P><P>I suggest to improve this and make it more secure, by ALWAYS require the access token AND the Bearer authentication when doing a refresh.</P><P>&nbsp;</P><P>This is much harder to hack, than this simple way.</P><P>&nbsp;</P><P>Regards</P> Sat, 18 Sep 2021 16:19:44 GMT https://community.viessmann.de/t5/Getting-started-programming-with/refreshtoken-w-o-access-token-security/m-p/186887#M68 ul0815 2021-09-18T16:19:44Z https://community.viessmann.de/t5/Getting-started-programming-with/refreshtoken-w-o-access-token-security/m-p/187857#M71 <P>Hi <a href="https://community.viessmann.de/t5/user/viewprofilepage/user-id/40588">@ul0815</a> ,</P> <P>&nbsp;</P> <P>Thank you for your feedback!</P> <P>&nbsp;</P> <P>Our authentication process is&nbsp;compliant to the OAuth 2.0 authorization framework as well as OpenID Connect (Core) specification.&nbsp;Both define the refresh_token request in a consistent way where the among other parameters only the refresh_token needs to be included in the request. The access_token is not required, see:<BR /> <A href="https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken" target="_blank">https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken</A><BR /> <A href="https://datatracker.ietf.org/doc/html/rfc6749#section-6" target="_blank">https://datatracker.ietf.org/doc/html/rfc6749#section-6</A></P> <P>&nbsp;</P> <P>Best,</P> <P>&nbsp;</P> <P>Michael</P> Mon, 27 Sep 2021 11:28:12 GMT https://community.viessmann.de/t5/Getting-started-programming-with/refreshtoken-w-o-access-token-security/m-p/187857#M71 CustomerCareMichael 2021-09-27T11:28:12Z