osresearch / hcpy

Python tool to talk to Home Connect appliances over the local network (no cloud required)

hclogin failing with a 401 "The access token is malformed" #33

Open ericblade opened 11 months ago

ericblade commented 11 months ago

Hi there! Just trying to pick this up, and I'm not sure where to start. I've added some extra debugging to try to see what's going on, but whatever it is, I'm not seeing it. I receive what looks to be a valid token, it gets to the "# now we can fetch the rest of the account info" section, gets to account/details .. and I get a 401 Unauthorized back, and the text of the response is JSON containing

{ error: { description: "The access token is malformed", key: "invalid_token" } }

This is with the most recent PR added that fixes some prior issues, I reverted that to see if that was at fault, and just got a "Missing Schema" on an "Invalid URL" message.

Any ideas?

meidlinga commented 11 months ago

Do you use the app in parallel? Could you try to disable it? Eventually it is creating another token during the process, replacing the old one. But that would be unlikely, if you test it a couple of times.

Could you create an account with another email address and retest it?

Edit: Updated answer, because I did not read that the token looks valid before.

ericblade commented 11 months ago

I'll give it a spin with the phone offline. Although I'm not directly running the app, it might be running some background service or something. Thanks for the idea. Not sure about another email, could try it though.

meidlinga commented 11 months ago

The idea about creating a new account was to rule out problems tied to your account.

ericblade commented 11 months ago

It is an account that was just created on Friday, when my dishwasher was installed.

logged out of android app, tried again

```
--------- got token page ----------
Received access token='eyJ4LWVudiI6IlBSRCIsImFsZyI6IlJTMjU2IiwieC1yZWciOiJOQSIsImtpZCI6InJuYS1wcm9kdWN0aW9uIn0[.....snip.....]-LyPrz7saDXVMsuMDi6V7UHw7RPxqR7FfRuYMyPmjfYcewxgG4WftVixtQAq6bhjBTZxRpty1Wuk_WYROXIUzhy7fBBfpp3yO_enDMw'
...
unable to fetch account details r.status_code=401
r.headers={'Date': 'Tue, 05 Dec 2023 19:01:34 GMT', 'Content-Type': 'application/vnd.bsh.sdk.v1+json', 'Content-Length': '99', 'Connection': 'keep-alive', 'Cinnamon-Mdc': 'AAAAAQAAABAAAAAHdHJhY2VJZAAAABA4NjRhNTNlNGE4OGFkY2Vk', 'Www-Authenticate': 'Bearer realm="",error=invalid_token,error_description="The access token is malformed"', 'X-Vcap-Request-Id': '16ebd768-bbc2-49b2-5d3a-8a3e73a149c8'}
r.text='{\n  "error": {\n    "description": "The access token is malformed",\n    "key": "invalid_token"\n  }\n}'
```

(the last couple of lines, i've added to see what the details of the failure were...)

it'll be a bit before i can try a different email, i don't have one right handy ...

meidlinga commented 11 months ago

I just tested it and it worked for me. But your access token looks ok. Could you print len(token), check if the Authentication header is Bearer with the token and print asset_url? Those are set in a very simple manner, but just to be sure.

Does the hcauth:// response look ok? Does it have code, state and grant_type=authorization_code?

I think it could be dependent on your account.

ericblade commented 11 months ago

token length is 1007. header for the last request that fails is { "Authorization": "Bearer {token}" }

which piece are you referring to for the hcauth response?

ericblade commented 10 months ago

Trying it on a different machine now, -and- after applying #37 #38 and #41 ...

I now get to "unable to fetch account details". Going to take a quick little peek in there and see if there's anything to see there

oh.. turns out.. that's the exact same error point as mentioned in the original post. I thought it was farther, but I didn't have any of my debug code from my previous attempt added.


```
{'Date': 'Thu, 25 Jan 2024 04:59:45 GMT', 'Content-Type': 'application/vnd.bsh.sdk.v1+json', 'Content-Length': '99', 'Connection': 'keep-alive', 'Cinnamon-Mdc': 'AAAAAQAAABAAAAAHdHJhY2VJZAAAABAwMjk3ODE4MzFjZTgyZjlj', 'Www-Authenticate': 'Bearer realm="",error=invalid_token,error_description="The access token is malformed"', 'X-Vcap-Request-Id': '1469872a-80ac-413c-63ab-c6327b0f3e7a'}
{
  "error": {
    "description": "The access token is malformed",
    "key": "invalid_token"
  }
}
```

ericblade commented 10 months ago

... is there a webpage somewhere that I can login to and inspect this process, so i can try to compare?

vincer commented 9 months ago

I was having the same issue. It looks like the asset_url is dependent on the user's home country. e.g. I signed up in the US so that needs to be prod.rna.rest.homeconnectegw.com (which I frankly just guessed). With that change, it all works. I guess the generated access token is stored only in the geographically colocated server (and probably user data as well).

I briefly glanced through all the response headers and didn't see the domain passed back, so I'm not entirely sure how you're supposed to programmatically find the right server.
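
Added example, not part of the thread or of hcpy's own code: the first dot-separated segment of the access token posted earlier in this issue is a base64url JSON header, and decoding it shows an `x-reg` field of `NA`, which is consistent with the `rna` host reported above. Treating `x-reg` as a region selector is an inference from this one token, `REGION_HOSTS` and the function names are hypothetical, and the header is read without signature verification, so it is only a routing hint.

```python
import base64
import json

# Header segment of the access token exactly as posted in the log earlier in
# this issue (the poster snipped the rest; only the header is needed here).
POSTED_HEADER_SEGMENT = (
    "eyJ4LWVudiI6IlBSRCIsImFsZyI6IlJTMjU2IiwieC1yZWciOiJOQSIs"
    "ImtpZCI6InJuYS1wcm9kdWN0aW9uIn0"
)

# Assumption drawn from this thread only: the token whose header says
# x-reg "NA" was accepted by the host reported in the comment above.
# No other region is mapped because the page names no other host.
REGION_HOSTS = {"NA": "prod.rna.rest.homeconnectegw.com"}


def b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Return the JOSE header of a JWT WITHOUT verifying its signature."""
    header = json.loads(b64url_decode(token.split(".", 1)[0]))
    if not isinstance(header, dict):
        raise ValueError("JWT header is not a JSON object")
    return header


def asset_host_hint(token: str):
    """Map the unverified x-reg header field to a host, or None if unknown."""
    return REGION_HOSTS.get(jwt_header(token).get("x-reg"))


if __name__ == "__main__":
    print(jwt_header(POSTED_HEADER_SEGMENT))
    print(asset_host_hint(POSTED_HEADER_SEGMENT))
```

A `None` result means the region is not one this thread has a host for, so the caller should fall back to its configured default rather than guess.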

ericblade commented 9 months ago

@vincer cheers! That got it here. Maybe hopefully there's only the two, and they never change? or there's some way to figure it out...

I can confirm I have a config.json and some zip file it downloaded now. Will have to poke at it later to see what all this gives me.

Thank you so much!

I'll.. leave this open, so we know this is a thing that should be figured out.