Migrate to new authentication infrastructure

gndean / home-assistant-hypervolt-charger

Home Assistant integration for Hypervolt EV charger

48 stars 3 forks source link

Migrate to new authentication infrastructure #48

Closed benjumanji closed 6 months ago

benjumanji commented 7 months ago

Move away from auth0 prop grant to oauth2 resource owner password grant.
Point at new hypervolt authentication infrastructure.
Audience is not required, as it is mapped based on the client.

benjumanji commented 6 months ago

@gndean can you do me a favour: I am not by any means a python expert. I would have expected, based on my brief reading of https://docs.aiohttp.org/en/stable/client_quickstart.html#more-complicated-post-requests that this auth request would be sending form encoded data. If it isn't that would explain the 400.

gndean commented 6 months ago

Yes, it's form encoded. Here's what the raw HTTP request looks like:

Host: auth.hypervolt.co.uk
user-agent: home-assistant-hypervolt-charger/2.0.1
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 370
Content-Type: application/x-www-form-urlencoded

audience=https%3A%2F%2Fapi.hypervolt.co.uk&client_id=1BfAeDNKfu7mfPWCm6XTsZeM2QYhhju2&grant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&realm=Username-Password-Authentication&scope=openid+profile+email+offline_access&username=...

benjumanji commented 6 months ago

So I would hope that the new request then would roughly correspond with

❯ curl --request POST 'https://kc.prod.hypervolt.co.uk/realms/retail-customers/protocol/openid-connect/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'client_id=home-assistant' \
      --data-urlencode 'password=XXX' --data-urlencode 'username=XXX' \
      --data-urlencode 'grant_type=password'
{"access_token":"XXX","expires_in":3600,"refresh_expires_in":5400,"refresh_token":"XXX","token_type":"Bearer","not-before-policy":1711661767,"session_state":"XXX","scope":"profile social email"}

I mean feel free to test with your own username and password. Maybe I am missing some url encoding of the params?

gndean commented 6 months ago

OK, so using the domain kc.prod.hypervolt.co.uk, not kc.hypervolt.co.uk, as in this PR, is working. I did guess this and thought I had tried it previously and received a 400 but I must have changed something else at the same time.

Also, should the client_id be "home-assistant" or "native-with-token-exchange"?

~Can you update the PR to include this correct domain name please. Then I can retest and hopefully merge.~ Edit: Sorry, I missed the updated commit from yesterday with the corrected domain name.

I'll retest now, with a view to merging.