Hello,
I just tried to get started with the API.
I'm still stuck at the auth process and don't understand why I can do this:
curl -X POST "https://iam.viessmann.com/idp/v2/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&client_id=<client_id>&refresh_token=<refresh_token>"
When looking up the API of my wallbox: https://api.easee.cloud/index.html
I have to provide the access token AND the refresh token to get a new token and I have to make an authenticated call.
For viessmann, I just need the client id and the former refresh token to get a new access token.
I suggest improving this and making it more secure by ALWAYS requiring the access token AND the Bearer authentication when doing a refresh.
This is much harder to hack than this simple way.
Regards
Hi @ul0815,
Thank you for your feedback!
Our authentication process is compliant with the OAuth 2.0 authorization framework as well as the OpenID Connect (Core) specification. Both define the refresh_token request in a consistent way where, among other parameters, only the refresh_token needs to be included in the request. The access_token is not required, see:
https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
https://datatracker.ietf.org/doc/html/rfc6749#section-6
Best,
Michael
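As an added illustration of the RFC 6749 section 6 refresh_token grant that Michael's reply points to (example code, not Viessmann's or Easee's implementation), the following Python sketch shows the server side of that request and why the access token is not needed for it to be safe: the refresh token is bound to the client_id it was issued to, stored only as a hash, and rotated on every use, so a replayed (stale or stolen) refresh token revokes the whole token family. The class and method names, the "family" bookkeeping and the TTL value are assumptions made for this example.

```python
import hashlib
import secrets
from urllib.parse import parse_qs

# Constructed demo of an RFC 6749 section 6 refresh_token grant on the server
# side. Names (TokenEndpoint, issue, refresh, "family") and the TTL below are
# assumptions for this example, not any vendor's real implementation.

ACCESS_TTL = 3600  # seconds; constructed value


def _digest(token: str) -> str:
    # Store only a hash of the refresh token so a leaked store does not leak tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenEndpoint:
    def __init__(self):
        # sha256(refresh_token) -> {"client_id": ..., "family": ..., "active": bool}
        self._refresh = {}
        # families that were revoked after a rotated token was presented again
        self._revoked_families = set()

    def _mint(self, client_id: str, family: str) -> dict:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._refresh[_digest(refresh)] = {
            "client_id": client_id, "family": family, "active": True,
        }
        # Shape of a successful token response per RFC 6749 section 5.1
        return {
            "access_token": access,
            "token_type": "Bearer",
            "expires_in": ACCESS_TTL,
            "refresh_token": refresh,
        }

    def issue(self, client_id: str) -> dict:
        """Initial grant (e.g. after an authorization_code exchange); starts a new family."""
        return self._mint(client_id, secrets.token_hex(8))

    def refresh(self, body: str):
        """Handle a POST body with Content-Type application/x-www-form-urlencoded.

        Returns (http_status, json_body). Error codes follow RFC 6749 section 5.2.
        """
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        if form.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        token = form.get("refresh_token")
        client_id = form.get("client_id")
        if not token or not client_id:
            return 400, {"error": "invalid_request"}
        rec = self._refresh.get(_digest(token))
        # Unknown token, or a token issued to a different client: reject.
        if rec is None or rec["client_id"] != client_id:
            return 400, {"error": "invalid_grant"}
        if rec["family"] in self._revoked_families or not rec["active"]:
            # A rotated token was presented again, so two parties hold copies of
            # this lineage. Revoke every descendant so neither can continue.
            self._revoked_families.add(rec["family"])
            return 400, {"error": "invalid_grant"}
        rec["active"] = False  # single use: the old refresh token is now dead
        return 200, self._mint(client_id, rec["family"])
```

The request body shape is exactly the one in the curl command from the first post (grant_type, client_id, refresh_token). For a confidential client, RFC 6749 section 6 additionally requires client authentication on this request (for example HTTP Basic with the client secret); that is separate from, and does not involve, the access token.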