Closed robthebold closed 5 years ago
The other user is me. I have been playing around with it too and indeed, I keep getting authentication failures. It looks like the API is responding but something changed preventing access.
There seems to be some updated legal disclaimers and agreements which pop up from both the website and the iOS app. It relies on a cookie so it may be the change...
I'm having the same issue, my username and password are correct, but keep getting the following error:
2019-03-27 21:41:10 ERROR (SyncWorker_6) [bimmer_connected.account] Authentication failed. Maybe your password is invalid?
2019-03-27 21:41:10 ERROR (SyncWorker_6) [bimmer_connected.account] Unknown status code 400, expected 200
Traceback (most recent call last):
File "/root/.homeassistant/deps/lib/python3.7/site-packages/bimmer_connected/account.py", line 89, in _get_oauth_token
expected_response=200, post=True)
File "/root/.homeassistant/deps/lib/python3.7/site-packages/bimmer_connected/account.py", line 134, in send_request
raise IOError(msg)
OSError: Unknown status code 400, expected 200
2019-03-27 21:41:10 ERROR (MainThread) [homeassistant.setup] Error during setup of component bmw_connected_drive
Traceback (most recent call last):
File "/root/.homeassistant/deps/lib/python3.7/site-packages/bimmer_connected/account.py", line 89, in _get_oauth_token
expected_response=200, post=True)
File "/root/.homeassistant/deps/lib/python3.7/site-packages/bimmer_connected/account.py", line 134, in send_request
raise IOError(msg)
OSError: Unknown status code 400, expected 200
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/dist-packages/homeassistant/setup.py", line 154, in _async_setup_component
component.setup, hass, processed_config) # type: ignore
File "/usr/lib/python3.7/concurrent/futures/thread.py", line 57, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/local/lib/python3.7/dist-packages/homeassistant/components/bmw_connected_drive/__init__.py", line 56, in setup
accounts.append(setup_account(account_config, hass, name))
File "/usr/local/lib/python3.7/dist-packages/homeassistant/components/bmw_connected_drive/__init__.py", line 86, in setup_account
username, password, region, name, read_only)
File "/usr/local/lib/python3.7/dist-packages/homeassistant/components/bmw_connected_drive/__init__.py", line 131, in __init__
self.account = ConnectedDriveAccount(username, password, region)
File "/root/.homeassistant/deps/lib/python3.7/site-packages/bimmer_connected/account.py", line 55, in __init__
self._get_vehicles()
File "/root/.homeassistant/deps/lib/python3.7/site-packages/bimmer_connected/account.py", line 188, in _get_vehicles
self._get_oauth_token()
File "/root/.homeassistant/deps/lib/python3.7/site-packages/bimmer_connected/account.py", line 94, in _get_oauth_token
raise OSError(msg) from exception
OSError: Authentication failed. Maybe your password is invalid?
The API return code 400 seems to indicate a malformed client JSON. Maybe some new requirement from the API?
My output for good measure
```
DEBUG:bimmer_connected.account:Getting vehicle list
DEBUG:bimmer_connected.account:getting new oauth token
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): b2vapi.bmwgroup.us
DEBUG:urllib3.connectionpool:https://b2vapi.bmwgroup.us:443 "POST /gcdm/oauth/token HTTP/1.1" 400 None
ERROR:bimmer_connected.account:Unknown status code 400, expected 200
ERROR:bimmer_connected.account:{ "error" : "invalid_grant", "error_description" : "authentication failed" }
ERROR:bimmer_connected.account:Authentication failed. Maybe your password is invalid?
ERROR:bimmer_connected.account:Unknown status code 400, expected 200
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/bimmer_connected/account.py", line 89, in _get_oauth_token
    expected_response=200, post=True)
  File "/usr/local/lib/python3.6/site-packages/bimmer_connected/account.py", line 134, in send_request
    raise IOError(msg)
OSError: Unknown status code 400, expected 200
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/bimmer_connected/account.py", line 89, in _get_oauth_token
    expected_response=200, post=True)
  File "/usr/local/lib/python3.6/site-packages/bimmer_connected/account.py", line 134, in send_request
    raise IOError(msg)
OSError: Unknown status code 400, expected 200

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/bin/bimmerconnected", line 126, in <module>
    main()
  File "/usr/local/bin/bimmerconnected", line 45, in main
    args.func(args)
  File "/usr/local/bin/bimmerconnected", line 76, in fingerprint
    log_responses=time_dir)
  File "/usr/local/lib/python3.6/site-packages/bimmer_connected/account.py", line 55, in __init__
    self._get_vehicles()
  File "/usr/local/lib/python3.6/site-packages/bimmer_connected/account.py", line 188, in _get_vehicles
    self._get_oauth_token()
  File "/usr/local/lib/python3.6/site-packages/bimmer_connected/account.py", line 94, in _get_oauth_token
    raise OSError(msg) from exception
OSError: Authentication failed. Maybe your password is invalid?
```
I, too, am having the same issue. I have a '19 MINI Countryman. So it doesn't seem to be car specific. And I will echo that a 400 sounds like a client issue.
Me too
Same here. I tried to use Charles proxy to review what was going on in BMW Connected app, but it appears the app has certs pinned to thwart SSL inspection. I also received an alert that BMW labs (IFTTT connector) was disconnected and my credentials to re-login didn’t work. May be unrelated.
HTTP 400 with an error of invalid_grant is the correct response when requesting an access token from OAuth 2.0 authorization endpoint and you have the wrong credentials (username/password). If the request was malformed, the error would be invalid_request.
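As an added example (not code from bimmer_connected, Home Assistant or BMW), the Python below assembles a resource-owner-password token request and interprets the error object a token endpoint returns, following RFC 6749 section 5.2. The token URL, client id/secret, username and password are constructed placeholders; the 400 body is the one reported earlier in this thread. What it makes concrete: the `Basic` value in the Authorization header is base64 of `client_id:client_secret` (the app's own identity), the user's login travels in the form body, and `invalid_grant` means the server rejected that login rather than the shape of the request, which would be `invalid_request`.

```python
"""OAuth 2.0 token-endpoint request/response helper (added example, not library code)."""
import base64
import json
from typing import Tuple
from urllib.parse import urlencode

# RFC 6749 section 5.2 error codes and what each one actually tells the client.
TOKEN_ERROR_MEANING = {
    "invalid_request": "request is malformed: missing/duplicated parameter or bad encoding",
    "invalid_client": "client authentication (the Basic client_id:client_secret) was rejected",
    "invalid_grant": "the grant (here: the user's username/password) was rejected",
    "unauthorized_client": "this client is not allowed to use this grant type",
    "unsupported_grant_type": "the server does not support grant_type as sent",
    "invalid_scope": "requested scope is invalid, unknown or exceeds what the client may ask for",
}

# Which party each error code points at.
ERROR_BUCKET = {
    "invalid_grant": "user_credentials",
    "invalid_client": "client_credentials",
    "unauthorized_client": "client_credentials",
    "invalid_request": "request",
    "invalid_scope": "request",
    "unsupported_grant_type": "request",
}


def basic_credential(client_id: str, client_secret: str) -> str:
    """HTTP Basic value for client authentication: base64(client_id ':' client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_credential(header_value: str) -> Tuple[str, str]:
    """Inverse of basic_credential; shows what a hard-coded Basic blob really contains."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    client_id, sep, client_secret = base64.b64decode(blob).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("Basic credential is not of the form client_id:client_secret")
    return client_id, client_secret


def build_password_grant(token_url, client_id, client_secret, username, password, scope):
    """Assemble the token request; returned as a dict (not sent) so it can be inspected offline."""
    return {
        "method": "POST",
        "url": token_url,
        "headers": {
            "Authorization": basic_credential(client_id, client_secret),  # identifies the app
            "Content-Type": "application/x-www-form-urlencoded",
        },
        # The user's login goes in the form body, not in the Authorization header.
        "body": urlencode({
            "grant_type": "password",
            "username": username,
            "password": password,
            "scope": scope,
        }),
    }


def classify_token_response(status: int, body: str) -> Tuple[str, str]:
    """Map (status, body) to (who_is_wrong, explanation).

    who_is_wrong is one of: ok, user_credentials, client_credentials, request, server, unknown.
    """
    try:
        data = json.loads(body) if body.strip() else {}
    except json.JSONDecodeError:
        data = None  # the endpoint did not return an RFC 6749 error object at all

    if status == 200:
        if isinstance(data, dict) and "access_token" in data:
            return "ok", f"token_type={data.get('token_type')} expires_in={data.get('expires_in')}"
        return "unknown", "200 without an access_token field"
    if status >= 500:
        return "server", f"HTTP {status} from the authorization server"
    if not isinstance(data, dict) or "error" not in data:
        return "unknown", f"HTTP {status} without an RFC 6749 error object"

    code = data["error"]
    desc = data.get("error_description", "")
    meaning = TOKEN_ERROR_MEANING.get(code, "error code not defined in RFC 6749")
    suffix = f": {desc}" if desc else ""
    return ERROR_BUCKET.get(code, "unknown"), f"{code} ({meaning}){suffix}"


# Constructed sample: the status and body shape reported in this thread.
SAMPLE_RESPONSE = (400, '{ "error" : "invalid_grant", "error_description" : "authentication failed" }')

if __name__ == "__main__":
    req = build_password_grant("https://auth.example.invalid/oauth/token",  # placeholder URL
                               "app-client-id", "app-client-secret",       # placeholder app identity
                               "user@example.invalid", "hunter2",          # placeholder user login
                               "remote_services vehicle_data")
    print(req["headers"]["Authorization"])
    print(decode_basic_credential(req["headers"]["Authorization"]))
    print(classify_token_response(*SAMPLE_RESPONSE))
```

Running it prints the Basic header, its two decoded halves, and `('user_credentials', 'invalid_grant (...)')` for the sample body. `decode_basic_credential` applied to any hard-coded `Basic ...` string from a client library shows whether it is an app identity (`client_id:client_secret`) or something else.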
The API works fine for me here in Europe with a i3 Rex, maybe this is a N.A. specific issue?
> The API works fine for me here in Europe with a i3 Rex, maybe this is a N.A. specific issue?
It does sound like the affected users are all in North America -- at least I haven't seen a counter-example yet. And it doesn't seem like the web portal or the BMW app are affected, so that would indicate it's not a server problem in NA like what was reported temporarily last Fall.
So has something in the headers like authorization or credentials changed? I'm looking at account.py, and there's some hard-coded stuff . . . Does anyone know if there is anything that web portal user can check from a browser debug console to investigate further?
I am in NA (USA). My Connected Drive iPhone app still works. The web portal still works. This API does not work.
> So has something in the headers like authorization or credentials changed? I'm looking at account.py, and there's some hard-coded stuff . . .
The Authorization header just repeats (base64 encoded) the username:password pair present in Credentials: (not encoded) which I guess is something hard-coded into the app so that it can pass a first line of defence API gateway and contact the real authorization endpoint for validating ConnectedDrive username and password.
> Does anyone know if there is anything that web portal user can check from a browser debug console to investigate further?
You can capture the token fetching on a web browser using Chrome & Developer Tools mode, for example. In the Network tab there you should see the request when logging in and view request & response.
I don't see anything useful from the web portal in the Chrome Developer Tools, but I don't really know what I am looking for.
I agree the account.py script has what looks like an encoded username:password pair from the Credentials header that is base64 encoded into the Authorization header. Also there is an additional string in the Credential header that is base64 encoded into the second part of the Authorization header.
I have seen the same strings in other BMW API scripts. Where did those strings come from? Did they change for North America?
They come from the iOS/Android apps. Which means you need to decompile/reverse the binaries, or decrypt and capture the SSL requests. The latter appears to be more difficult when the apps themselves have pinned certs and only talk to trusted endpoints. The latest BMW connected iOS app appears (at least in my feeble attempt at SSL interception with Charles proxy) to implement pinning, thus the requests won’t leave the app.
Sigh, doesn't look like we have a solution in sight.
I am still hoping someone will figure it out.
By adding 'print(f"requests return is {r.text}")' after the requests.post, you can see the full return. The return is below. Does it mean anything to anyone?
{
"error" : "invalid_grant",
"error_description" : "authentication failed"
}
Having the same issue, I am in Australia.
Found this. Hoping it helps someone: https://pastebin.com/QRHkRNhz https://pastebin.com/eMema1J9 https://pastebin.com/QU7vZcmV https://pastebin.com/en0HGBeT
New auth token path is: "/nlp/oauth/token"
New auth_basic token is: "ZGIxMzQzYWMtZWNiYS00MGRhLTk2NzMtNzA5NWEwZjJhNWQyOmQyNmMxYzhiLTI2NGQtNDc5MC05MjM3LTQ5NzQ3OWJiN2I5NQ=="
Change scope in account.py from "scope": "remote_services vehicle_data" to "scope": "journey_mate"
This still doesn't fix everything, but you can get authenticated.
Great that you've been able to find this!
> This still doesn't fix everything, but you can get authenticated.
I see what you mean . . . 403 errors coming back when trying to do anything like getting the list of vehicles associated with the account before polling the status. I guess that means other paths have changed, too.
Looks like good progress. I don't understand where the new 'auth_basic' token goes in account.py. Does it go in the "Authorization:" header? If so, which of the two encoded blobs does it replace?
"Authorization": "Basic ZGIxMzQzYWMtZWNiYS00MGRhLTk2NzMtNzA5NWEwZjJhNWQyOmQyNmMxYzhiLTI2NGQtNDc5MC05MjM3LTQ5NzQ3OWJiN2I5NQ==",
^^^This is the replacement I did in account.py. The new version of the token replaces the encoded string in line 71 (or thereabouts).
ed. I didn't get that giant mass of text to format very well here, but it is all within the double quotes starting with "Basic . . . and is all on one line
I'm not sure the above info is in use yet because the gcdm URL is still found in the code too, but that's the only authorization info I found. I've spent all morning working through it with no luck. Here are some guidelines if someone else wants to try. No luck disabling pinning in the apk, pulling db files via android (they were encrypted), etc. https://medium.com/bugbountyhunting/bug-bounty-hunting-tips-2-target-their-mobile-apps-android-edition-f88a9f383fcc https://medium.com/@felipecsl/bypassing-certificate-pinning-on-android-for-fun-and-profit-1b0d14beab2b
@bdwilson can you fork the repo and create a branch with your changes? I actually design OAuth2 stuff for a living so could maybe pitch in if I could see the exact changes.
I've seen the journey_mate scope before in the android app, last year. It clearly refers to the Mini-branded application which does not have the same services available as the CD app. This might be why the granted tokens do not give access to all services either.
I would of course much prefer for BMW to embrace the clean slate & from the ground up thinking utilized in creating the i3 to the app / api ecosystem as well. Meaning allow us to create API keys (tokens) on the CD web which grant limited rights (for example a read-only token) to the API so that third party systems like HomeAssistant can use them. This closed ecosystem thinking is the past, open APIs are the now. Oh well..
. . . and just like that the BMW server seems to be responding as before using the unmodified library . . .
So what does that mean for us? Was BMW's IT department just messing with us for 2 1/2 weeks, or is it a warning of a permanent change coming soon? Things that get better by themselves can also get worse again by themselves as well . . .
Any other observations?
Fantastic. Thanks for the alert. BMW sure has a strange IT operating philosophy.
Just reloaded homeassistant and indeed it reconnects, but with a warning message that the API password is going to be deprecated and that we need to use a bearer token moving forward.
> with a warning message that the API password is going to be deprecated and that we need to use a bearer token moving forward
I guess that means it's option 2:
> a warning of a permanent change coming soon
But out of curiosity, where did you see this message?
I believe that BMW likely rolled back whatever they changed on the server side, because it actually broke login for the official BMW Remote Android App in Canada (We still don't have the new Connected app).
BMW probably can't be bothered to update the old Remote app to work with the new auth, so they rolled it back/re-enabled the old way for the time being to make the Remote app work again. (evidence: [https://f30.bimmerpost.com/forums/showthread.php?p=24662050#post24662050] user canadian33 is known to be on the BMW Canada ConnectedDrive team)
Interestingly, I didn't see any warning messages from Home Assistant about the BMW component, it just started working again after a restart.
I saw that warning message in my Home Assistant log as a response returned from the binding to the API
Since this problem went away on its own, I guess this issue can be closed. Hope it stays gone . . .
Hi all,
I found this thread when searching for the reason I can't get the BMW Connected Drive component to work. I'm running 0.96.5 of Home Assistant and I'm using the built in component.
My configuration.yaml file looks as below:
```yaml
bmw_connected_drive:
  name:
  username: XYZ@gmail.com
  password: !secret bmw_connected_drive_password
  region: rest_of_world
```
My home-assistant.log give a rather long error message starting with:
```
2019-08-08 15:08:23 ERROR (SyncWorker_15) [bimmer_connected.account] Authentication failed. Maybe your password is invalid?
2019-08-08 15:08:23 ERROR (SyncWorker_15) [bimmer_connected.account] HTTPSConnectionPool(host='b2vapi.bmwgroup.com', port=443): Max retries exceeded with url: /gcdm/oauth/token (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl_choose_client_version', 'unsupported protocol')])")))
```
Similar to previous posts it seems to be related to problems with login.
My location is in Sweden and I've checked that the password works with both the BMW Connected Drive website and their IPhone app.
I would be very grateful if anybody knows what I'm doing wrong...
Cheers, Per
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
I was playing around with the library to write my own front end to bimmer_connected after using its component for a while in home assistant. It'd been working fine until sometime today or yesterday.
Using the demo script on both my desktop and my phone, I get the following:
I know the password and username are correct, since I just used bash history to run the command line python script as I had before with success.
Sensors in home assistant have also stopped working, and I can no longer honk the horn or flash lights from a home assistant script (this had worked before). The home assistant log shows an almost identical error as the sample script above:
At least one other user of the component in home assistant has reported the problem.
I can still use the Connected Drive web portal. I don't use the BMW smartphone app.
Has BMW changed the API or the URL of the service perhaps?
BTW, I'm using the library in North America, and the vehicle is a '17 i3 with Rex.
I think I still have the fingerprint file from when the script was working, would that be useful to post?