Reading out encryption keys still working?

[Eroli]

Hi everybody,

maybe just a short (or stupid) question: I tried to follow your approach to read out the encryption keys in order to establish a local websocket connection to my device (a clothes washer). However, the ReadAccount scope is making trouble, throwing an authorization exception "given scope doesn't match requested scope". Furthermore, i cannot find the ReadAccount scope in documentation, at least not on this page: https://api-docs.home-connect.com/authorization?#authorization-scopes

I was also not able to find the https://prod.reu.rest.homeconnectegw.com/ endpoint in any documentation. Where do you guys found that information?

If i leave the ReadAccount scope out, i get my bearer token and i am able to communicate with the home connect servers. Unfortunately, i was looking forward to the local communication and to skip the home connect servers.

Am i missing something? Or have there been some changes in the API?

Thanks for your effort and i am really looking forward to your replies.

[osresearch]

The endpoints and auth flow were found by using frida on the android version of their application while logging in and do not appear to be documented anywhere.

I just tried re-running hc-login $USERNAME $PASSWORD with the current HEAD (a57421994535c1ddb341af2c5e219fdd850b3200) that includes ReadAccount scope, and it successfully logged in, fetched the bearer token, used it to load the account/details page to receive the XML files for my devices, and wrote out the JSON version of the config.

Is your account in the EU region or elsewhere? I'm in the Netherlands and the other reported success is in Germany.

You can also try logging in via the website api.home-connect.com/security/oauth/authorize to see if it succeeds, which might indicate something went wrong with the python request.

[Eroli]

Thanks for your prompt reply and for testing the script once again. I ported the script to C# in order to implement it later on into my smart home framework, therefore i cannot exclude any mistakes on my side. I am also from germany, so it is quite obvious that the error is on my side.

Do you login into default "API Web Client" app or into a self-created application inside home connect? I did my tests on the web client, so this could also be an issue...

[osresearch]

Can you confirm which scope parameter you're sending? I just re-ran hc-login without the ReadAccount scope and it was able to fetch the keys. After a quick binary search, it appears that only ReadOrigApi is required to be able to complete the rest of the login and configuration fetch.

To generate the hcpy config only the request made in the hc-login tool are used. The android app or web browser are no longer required; they were only used to figure out the flow.

[Eroli]

Maybe i have two problems:

1. If i specify a redirect_uri query parameter (doesnt matter if hcauth or my own) in the first get request to endpoint https://api.home-connect.com/security/oauth/authorize, then i get this error message:

   {
   "error": "unauthorized_client",
   "error_description": "client or redirection URI not authorized",
   "state": "xxx"
   }

   As soon as i leave out the redirect_uri parameter, things start working (without ReadOrigApi-scope)

2. If i now include the ReadOrigApi scope (without having redirect_uri specified), then i get the following error from the same endpoint as above: error=invalid_scope&error_description=given+scope+doesn%27t+match+requested+scope&state=1+//Lz7NuVwRNEXNSsklLw

However, maybe i should get your python script working to test this on my end. Which application do you use for the readout? The sample Web API App or an self-created app?

Offtopic: I am having trouble installing the sslpsk package: Got the following when trying to install the package:

  Building wheel for sslpsk (setup.py) ... error
  error: subprocess-exited-with-error

Ever seen something like that?

[Eroli]

Sorry, I must have misunderstood something. I was convinced that I had to replace my own AppID in the script. This is apparently not the case, with the default AppID the script works flawlessly (at least on my Linux machine).

Please excuse the effort and time you invested because of me!