abbrechen
Suchergebnisse werden angezeigt für 
Anzeigen  nur  | Stattdessen suchen nach 
Meintest du: 
Beantwortet! Gehe zur Lösung.

Step 2: Authorization code exchange ==> invalid-token-request

Hello,

 

 

So I'm new here and trying to use the API so created a client id in the Developer Portal and a code chalenge/verifier using th github tool in the doc.

 

client id : xxx

url : yyy

code challenge : zzz

code verif : aaa

 

I accessed the url with a browser :

 
 
Then got the code from the redirect url
code : bbb
 
curl -X POST "https://iam.viessmann.com/idp/v2/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&client_id=xxx&redirect_uri=http://yyy&code_verifier=aaa&code=bbb"
 
btw, I also tried with postman instead of curl.
 
and everytime I get :
{
    "error""invalid-token-request"
}
 
I'm open for any idea about what I'm doing wrong !
 
Thanks in advance !
 
 
2 AKZEPTIERTE LÖSUNGEN

Akzeptierte Lösungen

I got the information that the expiration time of the code in step 1 is set to 20 seconds due to security reasons. This means to obtain a refresh token / access token, step 2 must be executed below 20 seconds after code creation.

@VLaubsch please check if this works for you. @Kevinski already confirmed that this worked. 🙂

Best regards,

Michael

Lösung in ursprünglichem Beitrag anzeigen

Michael Helped a lot with the issue and he found out that they recently changed the TTL for the step 1 code to 20 seconds.

 

Authentification must then be done with a script in order to be fast enough.

 

Here's an example providing that you can setup a local apache server on port 4200 or add another valid "Redirect URI" of your choice to the API client.

 

 

 

index.php file accessible at http://localhost:4200 

 

<?php

$clientid='xxx'; //your actual client id
$code_verif='2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c'; //viessmann's working code verif example


$data = array(
'grant_type'=>'authorization_code',
'client_id'=>$clientid,
'redirect_uri' => 'http://localhost:4200/',
'code_verifier' => $code_verif,
'code'=>$_GET['code']);


$options = array(
    'http' => array(
        'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
        'method'  => 'POST',
        'content' => http_build_query($data)
    )
);
$context  = stream_context_create($options);
$result = file_get_contents($url, false, $context);


var_dump($result);


?>
 
 
 
 
from a browser (don't forget to change  ###your actual client id### to the correct value, the code_challenge value is the one from viessmann's example (a working one).
 
After you log in with your viessmann account it'll redirect to your localhost:4200 script and get you the step 2 access and refresh token.
 
Hope it helps 🙂

Lösung in ursprünglichem Beitrag anzeigen

35 ANTWORTEN 35

Hi @Kevinski ,

 

I am happy to hear that you want to tryout our API! I am happy to support you.

 

One thing I noticed in your description is that for the parameters of your client, you define "yyy" as the redirect URI. When looking at your request for the 2nd step of the authorization, the redirect URI in the URL is "http://yyy". Have you also put the "http://" in the definition of the redirect URI for the client? I assume this is the case, but would like to make this sure because it could be misunderstood based on what you wrote.

 

Also, please try to execute the 1st step in an incognito window. This could also help.

 

Lastly, you could try the code challenge / verifier combination from the example given in the documentation.

 

Let me know if this helps.

 

Best regards,

 

Michael

Hello Michael,

 

Thanks for you quick reply.

 

The url used in the actual api url is correct. Let's just say the url variable in that "code" is url : sub.domain.tld

so in the query it's actually http://sub.domain.tld

 

I'll try to execute step 1 in incognito and let you know !

 

 

I tried in Incognito and it does not work.

 

Also I noticed something weird when trying your 3rd solution : the code_verifier and code_challenge values are the same in the doc (cf attachment)

Sans titre.png

Sorry if I have to ask again. For the definiton of the client within the Developer Portal, have you put "http://sub.domain.tld" as Redirect URI? If you have just put "sub.domain.tld" there, then it would not work.

 

For the code verifier / challenge, we used the same in the example, which is working but might not always be recommended. However, I just wanted to exclude potential error sources during the testing so that you get a first authorization successfully done 🙂

Michael,

 

Here are the actual urls used in my last test (i also tried with an actual domain name i own) :

 

step 1:

 

https://iam.viessmann.com/idp/v2/authorize?client_id=xxxxx&redirect_uri=http://127.0.0.1:5555/&respo...

 

 

step 2:

 

curl -X POST "https://iam.viessmann.com/idp/v2/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&client_id=xxxxxxxx&redirect_uri=http://127.0.0.1:5555/&code_verifier=xxxxxxxxx&code=xxxxxxxxxx"


 


 
Edit : I also tried with the code verifier / challenge provided in the doc, no luck 😕
 
Edit2 : Tried to delete and recreate a client with a different client id in the Developer Portal... still no luck

Could you please tryout in Postman to see if it works for you? Here is a collection you can use as a template for the requests (it is not possible to upload a .json file here, so please copy the text into a textfile and change the file format to .json)

 

Let me know if it works for you. Otherwise I am happy to send you the Postman collection via mail.

 

{
"info": {
 "_postman_id": "64e6ad3a-b1dd-4fef-995b-a23972fc3fab",
 "name": "VIessmann API - Authentication",
 "description": "This is a Postman collection for the Viessmann API. It contains the following section:\n\n*   Authentication\n    \n\nFor general steps to get started, please go to the API documentation page 'getting started': [https://documentation.viessmann.com/static/get-started](https://documentation.viessmann.com/static/g...)",
 "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
},
"item": [
 {
  "name": "Authorization request",
  "request": {
   "method": "GET",
   "header": [
    {
     "key": "Content-Type",
     "name": "Content-Type",
     "value": "application/x-www-form-urlencoded",
     "type": "text"
    }
   ],
   "url": {
    "raw": "https://iam.viessmann.com/idp/v2/authorize?client_id={{client_id}}&redirect_uri=http://localhost:420... User offline_access",
    "protocol": "https",
    "host": [
     "iam",
     "viessmann",
     "com"
    ],
    "path": [
     "idp",
     "v2",
     "authorize"
    ],
    "query": [
     {
      "key": "client_id",
      "value": "{{client_id}}"
     },
     {
      "key": "redirect_uri",
      "value": "http://localhost:4200/"
     },
     {
      "key": "response_type",
      "value": "code"
     },
     {
      "key": "code_challenge",
      "value": "{{code_challenge}}"
     },
     {
      "key": "scope",
      "value": "IoT User offline_access"
     }
    ]
   },
   "description": "The /authorize endpoint of our IAM platform is used to request an authorization code."
  },
  "response": []
 },
 {
  "name": "Authorization code exchange",
  "request": {
   "method": "POST",
   "header": [
    {
     "key": "Content-Type",
     "name": "Content-Type",
     "value": "application/x-www-form-urlencoded",
     "type": "text"
    }
   ],
   "body": {
    "mode": "urlencoded",
    "urlencoded": []
   },
   "url": {
    "raw": "https://iam.viessmann.com/idp/v2/token?grant_type=authorization_code&client_id={{client_id}}&redirec...}}",
    "protocol": "https",
    "host": [
     "iam",
     "viessmann",
     "com"
    ],
    "path": [
     "idp",
     "v2",
     "token"
    ],
    "query": [
     {
      "key": "grant_type",
      "value": "authorization_code"
     },
     {
      "key": "client_id",
      "value": "{{client_id}}"
     },
     {
      "key": "redirect_uri",
      "value": "http://localhost:4200/"
     },
     {
      "key": "code_verifier",
      "value": "{{code_challenge}}"
     },
     {
      "key": "code",
      "value": "{{code}}"
     }
    ]
   },
   "description": "With the authorization code you can request an access token."
  },
  "response": []
 },
 {
  "name": "Authorization code exchange - with Refresh Token",
  "request": {
   "method": "POST",
   "header": [
    {
     "key": "Content-Type",
     "name": "Content-Type",
     "value": "application/x-www-form-urlencoded",
     "type": "text"
    }
   ],
   "body": {
    "mode": "urlencoded",
    "urlencoded": []
   },
   "url": {
    "raw": "https://iam.viessmann.com/idp/v2/token?client_id={{client_id}}&grant_type=refresh_token&refresh_toke...}}",
    "protocol": "https",
    "host": [
     "iam",
     "viessmann",
     "com"
    ],
    "path": [
     "idp",
     "v2",
     "token"
    ],
    "query": [
     {
      "key": "client_id",
      "value": "{{client_id}}"
     },
     {
      "key": "grant_type",
      "value": "refresh_token"
     },
     {
      "key": "refresh_token",
      "value": "{{refresh_token}}"
     }
    ]
   },
   "description": "With the authorization code you can request an access token."
  },
  "response": []
 }
],
"event": [
 {
  "listen": "prerequest",
  "script": {
   "type": "text/javascript",
   "exec": [
    ""
   ]
  }
 },
 {
  "listen": "test",
  "script": {
   "type": "text/javascript",
   "exec": [
    ""
   ]
  }
 }
]
}

 

Thank you for your time Michael, unfortunately it does not work.

 

If you're ok with that I could send you a private message with a detailed screenshot with visible client id and such ?

 

I'm facing exact the idential issue. Using Postmaster or curl command, I always get 

{
"error": "invalid-token-request"
}

Here is the url request for reference:

https://iam.viessmann.com/idp/v2/token?

client_id= ....verified as per my account

redirect_uri=http://localhost:4200/

grant_type=authorization_code

code_verifier=2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c

code= xxxx that's the code I received from step 1

 

Need to take a brake now to reflect...

@Kevinski sure you can send me the information via direct message.

 

Also, when you get the error in step 2, please immediately try again, starting from step 1. Let me know if second (or third) attempt works for you.

@MichaelHanna Thanks for your answer, I tried 3 times in a row (getting a new code each time) and still the same issue.

 

I tried a 4th time changing code challenge / verif to 2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c and it worked... once

 

I tried a 5th,6th, 7th time with "IoT User offline_access" instead of "IoT User" for the scope and no more luck...(changing the code in step 2 each time with the one i got in step 1)

 

Not sure what is wrong but something's not right somewhere 😕

Thanks for your additional attempts. I will check with out IT to have a closer look why the authorization attempts fail. I will let you know when I get an answer on this.

 

Also, happy to receive your screenshot and the complete requests you are executing.

Michael,

I just sent you a pm with the complete requests.

Thanks for your time !

 

Hello, I have the same problem. I'm currently trying out the API and failing at authentication in the second step with "error""invalid-token-request". I've tried curl and postman. No matter what I do, I always get this error. 

 

Authorization request works fine:

https://iam.viessmann.com/idp/v2/authorize?client_id={ID_FROM_DASHBOARD}&redirect_uri=http://localho... User offline_access

 

Authorization code request fails:

https://iam.viessmann.com/idp/v2/token?grant_type=authorization_code&client_id={ID_FROM_DASHBOARD}&r...}

 

*{} are placeholder for the values/codes

 

Can you check your system function please or am I doing something wrong?

Thanks

I got the information that the expiration time of the code in step 1 is set to 20 seconds due to security reasons. This means to obtain a refresh token / access token, step 2 must be executed below 20 seconds after code creation.

@VLaubsch please check if this works for you. @Kevinski already confirmed that this worked. 🙂

Best regards,

Michael

Michael Helped a lot with the issue and he found out that they recently changed the TTL for the step 1 code to 20 seconds.

 

Authentification must then be done with a script in order to be fast enough.

 

Here's an example providing that you can setup a local apache server on port 4200 or add another valid "Redirect URI" of your choice to the API client.

 

 

 

index.php file accessible at http://localhost:4200 

 

<?php

$clientid='xxx'; //your actual client id
$code_verif='2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c'; //viessmann's working code verif example


$data = array(
'grant_type'=>'authorization_code',
'client_id'=>$clientid,
'redirect_uri' => 'http://localhost:4200/',
'code_verifier' => $code_verif,
'code'=>$_GET['code']);


$options = array(
    'http' => array(
        'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
        'method'  => 'POST',
        'content' => http_build_query($data)
    )
);
$context  = stream_context_create($options);
$result = file_get_contents($url, false, $context);


var_dump($result);


?>
 
 
 
 
from a browser (don't forget to change  ###your actual client id### to the correct value, the code_challenge value is the one from viessmann's example (a working one).
 
After you log in with your viessmann account it'll redirect to your localhost:4200 script and get you the step 2 access and refresh token.
 
Hope it helps 🙂

Hello

My integration works well till 13.04.2022 21:00, request to API since 21:15 failed with error invalid-token-request

No changes in my integration.

I tried to refresh token manually (Step 1) for few times but result still the same.

My integration have requests (step 1 and step 2) exactly as described here. Everything the same and previously the same requests works correctly.

I also do step 2 quickly (about 10 seconds) after step 1. 

I am lost.

Any ideas please?

I am having exactly the same troubles as @sbtnk  . Is there any solution?

Since yesterday morning I have the same problem. My integration worked for several months. If I remember correctly there was some viessmann maintenance work during the weekend. Maybe they have changed the authentication...!? 

Hi everyone, the maintenance work on the weekend did not change anything on the authentication for the API. 

In general, refresh tokens have a lifetime (TTL) of 180 days.

For creating a new refresh/access token, you can try and use the following postman collection, which contains the relevant API calls: https://www.postman.com/vimicho/workspace/viessmann-api-public/collection/12055031-17157e90-a2e8-47b...

Please make sure, like @sbtnk mentioned, that the code received in Step1 is only valid for 20 seconds, which means you have to execute Step2 of the authentication within those 20 seconds.

If the problem still occurs, please let me know here once more.

Best,

Michael

Hi @MichaelHanna

I tried again and now it works. I don't know why it did not work the last two days but I am glad that it works again 👍

Thx & regards

Danny 

Dear @MichaelHanna

 

I'm trying to collect data and automate it with IOBroker, InfluxDB and Grafana for my Vitodens 300.

The Token creation starts to really annoy me. I'm wasting time as many others here reported as well. I've made several Attempts to create the token and Step 1 seems to actually work, but Step 2 always ends with the message {"error":"invalid-token-request"} .

Could you make an argument to the responsible IT Colleagues from Viessmann to either show us developers an easy way to automate Steps 1 and 2 and put that in the docu ( https://documentation.viessmann.com/static/authentication) or to find a way that the currently described way would work. It hinders a lot to have a stupidly low time limit with 20 Seconds, I'm sitting here with a Timer filling in the URI to browser, picking the code, inserting it to the already prepared Curl Call in my editor, then quickly pasting it to my Windows command line. but each and every time it failed so far. It would be less stressful to have the time Limit at least at 60 Seconds.  Currently my experience here is frustrating for no reason at all. 

My case was that I thoughy I do it manually quick enough (as your case) ... and it didn't work. I am not sure time is 20 seconds, not less.

It started working for me only if I automated it fully by script...

 

I work and develop many API and for me keeping so short TTL for authorization code in OAuth paradigm has really no legitimate cause. It's first API I met with so short TTL at this stage.

 

@Crinc @sbtnk Thanks for sharing, sorry to hear from the inconvenience you experience with our authentication flow. We will try and work on an improved and more convenient flow for the future.

 

In the meantime, I can recommend the Postman collection we created for getting started with our API. You still have to consider the 20 seconds TTL for the code of step1 of the authentication, but maybe it helps to send out the command for step2 more quickly.

 

If you assume that the issue is not the 20 seconds TTL, please send me your requests for the authentication as well as the timestamps you each request you are sending out. This helps us to have a closer look into the issue.

 

Regards,

 

Michael

 

Thank you Michael for the quick response. I tried with the postman collection, thanks for the hint, but it still failed. By doing so it's a bit quicker than using my own text editor to prepare both steps, but as I understand step 1 has still to be done with a browser by hand for the login with my dev account credentials. Having this requirement in combination with a 20 second  time limit is ... 

 

My try was exactly at 18:19 CET. 

I'll send you the details of my two Steps, get and post.

I hope you really can increase this stupid limitation here for more than 20 seconds. 

API_Token_Call_fails.jpg