Hello,
So I'm new here and trying to use the API, so I created a client id in the Developer Portal and a code challenge/verifier using the GitHub tool in the doc.
client id : xxx
url : yyy
code challenge : zzz
code verif : aaa
I accessed the URL with a browser:
Update:
Last night it unexpectedly worked after all. Instead of the self-generated code_verifier and code_challenge I used both values from the guide, and lo and behold, it works.
Thanks for your support. A longer timeout would still make sense, please check that @MichaelHanna
Hello.
I can also confirm that token generation only works with the code challenge and verifier given in the Viessmann documentation. Self-generated codes, made with the tool linked in the document, do not work.
Thanks Crinc! Without your comment I would still be busy with this task in 3 weeks.
Regards
@Castorp @Crinc thanks for the feedback!
I just ran a few successful tests with a different PKCE code generator. Please try it with this generator: https://developer.pingidentity.com/en/tools/pkce-code-generator.html
Regards,
Michael
Hello Michael.
On the second attempt it worked with the newly generated codes.
Regards
I was automating the process of getting the access and refresh token with a PHP script. When playing with the second step using the code_verifier or the code_challenge, I could consistently detect the "error": "invalid-token-request" response if I was using the code_verifier.
All worked fine if I used also in the second step the code_challenge.
I am getting "invalid-token-request" at the token endpoint. I do steps 1 and 2 manually, but within 20s. I tried both code challenge methods, plain and S256, but no luck.
curl -X POST "https://iam.viessmann.com/idp/v2/token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "grant_type=authorization_code" \
--data-urlencode "code_verifier=2e21faa1-db2c-4d0b-a10f-575fd372bc8c-575fd372bc8c" \
--data-urlencode "client_id=937ead4......5422ec" \
--data-urlencode "redirect_uri=http://localhost" \
--data-urlencode "code=<my-recent-code-less-than-20s-old>"
When I try the V3 endpoint, the error message changes to invalid_grant.
I would like to make some remarks to help improve the UI and documentation:
1. Users should not need to jump through hoops with the inconvenient steps requiring browser and API. It would be simple and still secure to generate both the access and refresh token directly from the client registration in the web GUI.
2. The API docs (getting-started) mention that you are using PKCE, but fail to explain that you are using code_challenge_method=plain without specifying this parameter. "plain" is not secure and should be avoided even in examples, because it subverts the purpose of PKCE.
3. If the redirect_uri does not match a value in the client registration, the API should use an error message that describes this fact.
4. If the authorization_code is expired, the API should use an error message that describes this fact. And 30-60s would be a better timeout to work with curl and Postman.
Best regards
Rainer
I have tried all the methods suggested in the official guide and in this community, but it doesn't work; it always gives me the message "invalid authorization request". Can anyone help me?
@r2h2 Thanks a lot for your remarks on the authentication process! There are at least some points I can share concerning your remarks.
For 1.: As if you knew what we were up to, we have now included exactly this functionality in the API Dashboard. You can now generate an access token via the dashboard to be able to quickly test the API even before implementing the authentication process. Feel free to check it out and let me know what you think!
For 2.: Thank you for the info. In the Authentication page of the API Documentation, we do not refer to the code challenge method plain. As you described, this method is less secure. We will adjust the getting started page accordingly so there is no confusion.
For 3. and 4.: For the error codes in the authentication, we use the standard RFC specification. You can find the error codes with descriptions at https://www.rfc-editor.org/rfc/rfc6749#section-5.2 (Section 5.2).
@AndreaC could you show your authorization commands? And are you already using v3 for the commands, or are your commands still on v2?
Hello,
referring to Rainer's (r2h2) answer dated 21.01.23.
Following the instructions from Authentication, I created a code verifier and a code challenge via PKCE Code Generator, then logged in successfully with my user and password, which delivered an access token.
Curl
Using curl the error message depends on the sequence of parameters. If grant_type is first, I receive invalid_grant, as Rainer did.
Angular
Using an Angular client (
this.http.post(viessmann_token_url, JSON.stringify(accessTokenRequestParameters), { headers })
)
the response is always "System error. Try again later."
Any help is highly appreciated!
Best regards
Jürgen
Hi @pound , have you tried our Postman example collection for testing purposes? If not, please try it out and let me know if the Authentication calls do work there. Otherwise, please send me the API call and the parameters you are using which lead to the error you mentioned. Then we can have a closer look at what could be the problem.
Regards,
Michael
Hello,
as I am not acquainted with Postman (yet), after thoroughly checking the documentation, I tried 'fetch (method post)' and 'http.post', again without success. The response is still "System error. Try again later." Maybe the enclosed headers help to pin down the problem.
Regards
Jürgen
Payload of the POST request, with client_id and code_verifier substituted in this reply: