Closed nathanmarcos closed 4 years ago
same here... any solutions? ;)
I've been reaching out to N26 about this. Let's see.
Same issue here :). Thanks for looking at it @femueller. Is there anything we can help with?
@ivallesp Currently we are only awaiting if and how N26 responds to our "call". If you can spare the time feel free to deep dive into figuring out a solution, but I have to warn you, I don't believe we can fix it easily this time... PSD2 doesn't exactly make our lifes easier 😞
I got a solution via trial and error:
just enter a slash "/" after token in the request URL :)
`oauth2/token/`
> I got a solution via trial and error:
> just enter a slash "/" after token in the request URL :)
> `oauth2/token/`
Any pull request? :)
I wrote my script in PHP, so no pull request for this code here :)
But does the solution work for you, too?
@robbieffm Yes, I can confirm that it's working with the Python code as well. Thanks for your observation! :smiley:
The Python package has just been updated. Please verify via `pip install --upgrade n26`
I can confirm. It's working like a charm again. Thanks @robbieffm and @femueller!
For poetry users, you can run `poetry update n26` 😉
I also confirmed here, that works like a charm. Thanks a lot!
unfortunately the same issue again

```
stdClass Object
(
    [timestamp] => 2020-06-25T20:58:55.804+0000
    [status] => 400
    [error] => Bad Request
    [message] => invalid_request
    [path] => /oauth2/token/
)
```

I contacted N26 Support. I hope I will get a response.
But by the way, do you have the same issue as me, again?
Same issue for me:
`requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api.tech26.global/oauth/token/`
Did you try to remove the `/` that we just added? This sounds silly but, why not?
> Did you try to remove the `/` that we just added? This sounds silly but, why not?

Yes, but it doesn't work. 😕
I confirm I have the issue too... I can also confirm that removing the bar (or switching python-n26 from version 2.2.2 to 2.2.1) doesn't work, raising:
`requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api.tech26.global/oauth/token`
:(
> I contacted N26 Support. I hope I will get a response.
> But by the way, do you have the same issue as me, again?

Is there any news? It's already end of month :(
> I contacted N26 Support. I hope I will get a response. But by the way, do you have the same issue as me, again?
> Is there any news? It's already end of month :(
I got no answer until now. ;(
As an interim solution, I log in and read the website with a script. After login, a JavaScript data array is available, which I convert into a JSON object.
Not the best way, but it works to get the account amount and the transactions including the Id.
But anyway, I hope there is a solution for the API available soon.
> As an interim solution, I log in and read the website with a script. After login, a JavaScript data array is available, which I convert into a JSON object.

Could you share the script? 😅
> > As an interim solution, I log in and read the website with a script. After login, a JavaScript data array is available, which I convert into a JSON object.
>
> Could you share the script? 😅

Well, 😂
My PHP script is just an interim solution, without any comments and written in a (bad) fast way. So I guess it's not a good idea to share. 😋
But you can use these steps:
1. call the website app.n26.com/login (curl, enable the cookie file) to get the hidden form fields
2. post your login values to the form action including the hidden fields
3. you get a confirmation push to your mobile phone
4. call the website again. You are logged in and you will get the requested data and the JavaScript data array.
@robbieffm can you retrieve the auth token that way too? Would be a hack, but maybe the easiest workaround for now. I am not sure how to find out the new API endpoint (if it even exists).
I have contacted the N26 Support. They directed me to the live chat. I've contacted the live chat and they have no idea about what an API is. Did you get any successful technical help in the past? Where did you find official docs to implement the Python API?
> @robbieffm can you retrieve the auth token that way too? Would be a hack, but maybe the easiest workaround for now. I am not sure how to find out the new API endpoint (if it even exists).

Fully agree on the token part. That would be a great workaround. I tried but no success but I am not an expert on that.
They have sent me this now: https://support.n26.com/en-de/security/open-banking-psd2/psd2-open-banking-for-third-party-providers
Yeah, just ignore token.io and other open banking/PSD2 stuff. It's not usable by individuals.
- you have to be a "Qualified Third Party Service Provider" https://n26.docs.token.io/#on-boarding-for-tpps
- it's very likely to be a paid service that isn't cheap (has no public pricing page) and has no interest in dealing with anyone but corporations

They usually bring that up when you ask support about API stuff (see for example https://github.com/femueller/python-n26/issues/67#issuecomment-558885719)
If this keeps up i'm just going to move to bunq, you gotta pay for the account but at least they have a nice officially supported developer friendly API, and not having to worry about this anymore would be worth it. I'm not giving up yet though, maybe the next time they break it, because changing main accounts is hard.
I'll give this thing a look on the weekend.
> @robbieffm can you retrieve the auth token that way too? Would be a hack, but maybe the easiest workaround for now. I am not sure how to find out the new API endpoint (if it even exists).

I tried to explore the token on the website, but unfortunately I didn't find a working token. I guess there are different tokens for api.tech26 and app.n26.de
> They have sent me this now: https://support.n26.com/en-de/security/open-banking-psd2/psd2-open-banking-for-third-party-providers

I found this site as well, but with this API you need to send a very expensive certificate while requesting the data. https://www.sslmarket.de/ssl/quovadis-qualified-website-authentication-certificate-qwac/
@ivallesp On GitHub, gathered by other, more intelligent people than me. I guess they extracted them from sniffing the app's network traffic. @dequis I am so sad that N26 isn't doing that :( As a bank for young people I thought they would do exactly that, instead they don't even answer our messages. I am very disappointed with the way N26 is working now. Maybe I will change to a different bank too, but how long before they kill their API too? PSD2 is one of the worst things that happened to online banking :(
Thanks for looking at it.
I checked Banq and yes, their API is official and well documented. Are you sure you have to pay for using it? They seem to have free plans.
@markusressel there is unfortunately nothing that N26 is allowed to do. They had this bounty program and within it the ability to get the transactions with this API, but PSD2 was introduced to remove those undocumented and open API accesses to everyone to make it more safe. Bad for us, who just want to have a quick hack. Good for the security. I hate it too, but I see why this was done. It's not N26's fault!
I will try tink for accessing n26
> @markusressel there is unfortunately nothing that N26 is allowed to do. They had this bounty program and within it the ability to get the transactions with this API, but PSD2 was introduced to remove those undocumented and open API accesses to everyone to make it more safe. Bad for us, who just want to have a quick hack. Good for the security. I hate it too, but I see why this was done. It's not N26's fault!
> I will try tink for accessing n26

Is it not now that they changed their system and require an SSL cert? Nginx told me this.
In my opinion it's a shame for a bank which calls itself a bank for IT and freelancers but doesn't support such things compared to others who support HBCI.
The Windows version of Banking4, which also used the API, doesn't support it anymore.
> I will try tink for accessing n26

Ooh, thanks for mentioning tink! Looks like a PSD2 API that's usable by individuals and supports n26.
I just created an account, an app, a tink link, used the link to log in with my user/pass, confirmed the login on the n26 phone app, got a code, and ran this to get account details and the last transaction.

```sh
http -f POST https://api.tink.com/api/v1/oauth/token code=... client_id=... client_secret=... grant_type=authorization_code
token=...
http https://api.tink.com/api/v1/accounts/list "Authorization: Bearer $token"
http https://api.tink.com/api/v1/search "Authorization: Bearer $token" sort=date limit=1
```

Hardest part was figuring out that I needed to look for the search docs to list transactions, and figuring out what they mean by aggregation (seems to mean bank log in). The rest was super smooth.
This looks like it achieves what everything else failed to deliver about PSD2.
Things I'm not a fan of:
Cheaper than bunq, but I'm pretty sure this weird login flow wouldn't be an issue there.
> I checked Banq and yes, their API is official and well documented. Are you sure you have to pay for using it? They seem to have free plans.

Yeah bunq's new free plans are weird (what even is a travel card?) but API support says "N/A" for those.
> They had this bounty program and within it the ability to get the transactions with this API, but PSD2 was introduced to remove those undocumented and open API accesses to everyone to make it more safe.

It's still there, https://n26.com/en-eu/bug-bounty-program says "If you Google N26 API you may find some un-officials wrapper to our API", which I always found funny.

> but PSD2 was introduced to remove those undocumented and open API accesses to everyone to make it more safe.

They can't remove this, their own phone app uses it. They can only break it (and every time they do so, they force updates of their own app, because you gotta have backwards compat to deal with people who have automatic updates disabled)
I am also not buying this "make it more safe" stuff. It's just a way to have banks (or third parties) make even more money on basic stuff like listing transactions. There is nothing "open" about it as far as I am concerned. I will not support this crap by paying money to some third-party service that's probably selling all my transaction data to some data broker anyway. DiBa currently still supports FinTS, which still works great, and I hope they don't drop support, but there is nothing stopping them from doing so...
> I am also not buying this "make it more safe" stuff. It's just a way to have banks (or third parties) make even more money on basic stuff like listing transactions. There is nothing "open" about it as far as I am concerned. I will not support this crap by paying money to some third-party service that's probably selling all my transaction data to some data broker anyway. DiBa currently still supports FinTS, which still works great, and I hope they don't drop support, but there is nothing stopping them from doing so...

This is also complete nonsense by n26, that you have to do this 2-factor auth every time.
ING DiBa and DKB, also the German Sparkasse, require the TAN every 90 days for reading transactions; that is what PSD2 requires, I have talked a long time with guys from the IT of the Sparkasse.
HBCI is used by tax accountants and some others, I don't think they will drop it, and well, on n26 the tax accountants have "cried" for some years that the connection is more than shit.
Too bad that ING and DKB don't offer B2B for companies.
I just decompiled the N26 app and it looks like the new URL is `/oauth2/token`. But if you just change it to that, it doesn't work yet, so something else changed as well.
@wasmitnetzen yup, I had used this some time ago, I had sniffed the URL from Banking4 but now it seems to not work anymore
I tried this too based on the error message that we were having, but no luck, unfortunately.

On 3 Jul 2020, at 20:36, wasmitnetzen notifications@github.com wrote:

> I just decompiled the N26 app and it looks like the new URL is /oauth2/token. But if you just change it to that, it doesn't work yet, so something else changed as well.
> I just decompiled the N26 app and it looks like the new URL is `/oauth2/token`. But if you just change it to that, it doesn't work yet, so something else changed as well.

I used this URL `oauth2/token` all the time. It stopped working at the same time as `oauth/token`.
I guess we need to know a hidden parameter while requesting the first token with grant_type password. The error message is invalid_request. I think the path did not change.
Quote from: https://www.oauth.com/oauth2-servers/access-tokens/access-token-response/
"The request is missing a parameter so the server can't proceed with the request. This may also be returned if the request includes an unsupported parameter or repeats a parameter."
Has anyone managed to bypass the SSL certificate pinning in the n26 app? Reading https://blog.netspi.com/four-ways-to-bypass-ios-ssl-verification-and-certificate-pinning/ it looks like it might be doable on jailbroken iOS devices.
> I guess we need to know a hidden parameter while requesting the first token with grant_type password. The error message is invalid_request. I think the path did not change.

There are four possible parameter sets in the code:
Our current parameter set is still there (2.). I can't tell if it is still being used, that requires a lot more digging in the decompiled code.
To bypass pinning on android:

```
/system/etc/security/cacerts/
frida --no-pause -U de.number26.android
Java.perform(function(){Java.use("okhttp3.CertificatePinner")['check$okhttp'].implementation = function(){}})
```

There are other variants of this bypass in frida codeshare, but apparently `check$okhttp` is the important bit because the current version of okhttp moved the actual implementation to an internal method, and the public one isn't called.
The first four requests (lightly edited/redacted), from a paired device with fingerprint login:
I think what would be useful would be to see data for first login from an unpaired device. Unfortunately, I don't have a rooted device laying around here :-( - I certainly don't see anything new in here.
I wish N26 would just allow us to create personal access tokens and provide a documented API, like bunq does.
After playing with the sniffed data by @dequis, I found out that there is a new mandatory HTTP header "device-token". The value must be set to the same UUID during the auth flow. I have created the pull request https://github.com/femueller/python-n26/pull/83 for a solution. I also explained my thoughts there.
Thanks a lot for your PR @bastiandev 🎉!
The new release `3.0.0` includes the fix proposed by @bastiandev.
FYI: Please make sure to configure a device token ID once you upgraded as described here: https://github.com/femueller/python-n26#device-token
thanks, this is now also working for me, perfect, I hope the solution will work longer.
Do you know how long the token is alive without re-authenticating it by phone?
@rautex I don't know if it is still applicable, but see this: https://github.com/femueller/python-n26/issues/67
Device tokens are permanent (and probably best to not rotate them too much)
Access tokens last 30 mins (see the `expires_in` of the last http response in my previous comment), and fetching a new one will trigger 2fa.
Something seems to have changed on their side since the `/oauth2/token` is always failing with status 400. 😞