Update for sIdentity 2fa #2
Comments
Solved it. Just had to analyze the George web app behavior. After the secondfactor endpoint reports

```python
# s is the requests session that already went through the secondfactor step
url = 'https://login.sparkasse.at/sts/oauth/authorize?response_type=token&client_id=georgeclient'
r = s.get(url, allow_redirects=False)
```

And the access token is in the Location header like before.
Edit: Oops, I meant to create this issue on the python version of the lib (https://github.com/angelol/erste-bank-client/), hence the python code. But, regardless, the info will be useful to you I suppose.
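Added example, not part of the thread or of either library: one way to read the token out of that `Location` header defensively. It assumes the server answers `response_type=token` in the standard OAuth 2.0 implicit-grant form (parameters in the URL fragment); the function names, the `https://client.example` origin and the sample header values are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs


class TokenRedirectError(Exception):
    """The redirect did not carry a usable access token."""


def token_from_location(location, expected_origin):
    """Parse an implicit-grant redirect (the 302 Location header value)."""
    parts = urlsplit(location)
    origin = f"{parts.scheme}://{parts.netloc.lower()}"
    # Only accept a token that is being delivered to the origin we expect.
    if parts.scheme != "https" or origin != expected_origin:
        raise TokenRedirectError("unexpected redirect target")
    # response_type=token returns its parameters in the fragment, not the query.
    params = parse_qs(parts.fragment)
    if "error" in params:
        raise TokenRedirectError("authorization error: " + params["error"][0])
    tokens = params.get("access_token", [])
    if len(tokens) != 1:
        raise TokenRedirectError("expected exactly one access_token")
    expires = params.get("expires_in", ["0"])[0]
    return {
        "access_token": tokens[0],
        "token_type": params.get("token_type", [""])[0].lower(),
        "expires_in": int(expires) if expires.isdigit() else 0,
    }


def redact_location(location):
    """Drop the fragment so the URL can be logged without leaking the token."""
    return urlsplit(location)._replace(fragment="").geturl()


# Constructed sample header values (not captured from the real service).
SAMPLE_OK = ("https://client.example/index.html"
             "#access_token=CONSTRUCTED-TOKEN&token_type=bearer&expires_in=3600")
SAMPLE_DENIED = "https://client.example/index.html#error=access_denied"
SAMPLE_FOREIGN = "https://other.example/#access_token=CONSTRUCTED-TOKEN"

if __name__ == "__main__":
    print(token_from_location(SAMPLE_OK, "https://client.example"))
    print(redact_location(SAMPLE_OK))
```

With the session from the comment above, the input would be `r.headers["Location"]`; log only the redacted form.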
Thanks, just saw your comments here. If there is need for this feature, I will look into it. But for now I guess it's okay to go with the "old" login method.
For newly opened accounts they do not give you the option to use a password, you must use some form of second factor auth. If you have a smartphone, then via the sIdentity app, or if not, then via an SMS flow.
With the mandatory switch to 2fa login and the removal of the password for authentication, I've been looking into how to support this in this program.
The initial login request is easy enough to do:
Where `username` is the Verfügernummer.
You then can poll with a GET request to `https://login.sparkasse.at/sts/secapp/secondfactor?client_id=georgeclient`, which returns a response like so:
And after the 2fa signing is complete:
However here I am stuck. The response to the `/sts/secapp/secondfactor` endpoint does not return an access token, and calls to `api.sparkasse.at` are denied without it.
With the changes in Android 7, apps no longer will use user installed CAs, so it is not possible to MITM the connection using a custom cert, so I can't see what the app is doing. Presumably there is another API call we need to make after the 2fa is complete.