I been analyzing my energy provider usage of opower and they do it through embedding. The only way I find the auth token is via a script that gets embedded in-line on a page (not after authorization). Looking through the requests so far I have not been able to find where it is added. Have you dealt with providers using embedded API calls to opower and can provide any further guidance?
From the looks of it, it is pretty easy to extract the token from Javascript since their listener that they add to window accepts a function that it passes the token to. I created this javascript below to pull it. Unfortunately I saw the note about web scrapping so I don't think it is very useful.
var token = null; window.dispatchEvent(new CustomEvent("opower:unauthorized", { detail: { authorize: (n, a) => token = a.accessToken }})); token;
I do have an export of this from Firefox dev tools I can privately share, since it does contain tokens albeit expired now.
I been analyzing my energy provider usage of opower and they do it through embedding. The only way I find the auth token is via a script that gets embedded in-line on a page (not after authorization). Looking through the requests so far I have not been able to find where it is added. Have you dealt with providers using embedded API calls to opower and can provide any further guidance?
From the looks of it, it is pretty easy to extract the token from Javascript since their listener that they add to window accepts a function that it passes the token to. I created this javascript below to pull it. Unfortunately I saw the note about web scrapping so I don't think it is very useful.
var token = null; window.dispatchEvent(new CustomEvent("opower:unauthorized", { detail: { authorize: (n, a) => token = a.accessToken }})); token;
I do have an export of this from Firefox dev tools I can privately share, since it does contain tokens albeit expired now.