Update for sIdentity 2fa #2

Open
Ramblurr opened this issue Jun 3, 2019 · 3 comments
Comments

Ramblurr commented Jun 3, 2019

With the mandatory switch to 2fa login and the removal of the password for authentication, I've been looking into how to support this in this program.

The initial login request is easy enough to do:

    import requests

    s = requests.Session()                 # cookies from the first GET are needed by the POST
    username = 'VERFUEGERNUMMER'           # placeholder: the Verfügernummer
    url = 'https://login.sparkasse.at/sts/oauth/authorize?response_type=token&client_id=georgeclient'
    r = s.get(url)
    r = s.post(url, data={
        'j_username': username,
        'javaScript': 'jsOK',
        'SAMLRequest': 'ignore',
    })

Where username is the Verfügernummer.

You can then poll with a GET request to https://login.sparkasse.at/sts/secapp/secondfactor?client_id=georgeclient, which returns a response like so:

{"secondFactorStatus": "PENDING", "pollingIntervalMs": 2500}

And after the 2fa signing is complete:

{"secondFactorStatus": "DONE"}

However, here I am stuck. The response from the /sts/secapp/secondfactor endpoint does not return an access token, and calls to api.sparkasse.at are denied without it.

With the changes in Android 7, apps will no longer use user-installed CAs, so it is not possible to MITM the connection using a custom cert, so I can't see what the app is doing. Presumably there is another API call we need to make after the 2fa is complete.

Ramblurr (Author) commented Jun 3, 2019

Solved it. Just had to analyze the George web app behavior.

After the secondfactor endpoint reports DONE, make a GET request:

    # s is the same requests.Session used for the initial login
    url = 'https://login.sparkasse.at/sts/oauth/authorize?response_type=token&client_id=georgeclient'
    r = s.get(url, allow_redirects=False)
    location = r.headers['Location']      # carries the access token

And the access token is in the Location header like before.

Edit: Oops, I meant to create this issue on the python version of the lib (https://github.com/angelol/erste-bank-client/), hence the python code. But, regardless, the info will be useful to you I suppose.
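The complete flow from these two comments, as an added example (not code from this repo or from angelol/erste-bank-client): it assumes the token sits in the redirect's URL fragment, as in the OAuth implicit flow, never polls without a deadline, and replays the quoted responses through a constructed `ScriptedSession` so it runs offline.

```python
import time
import types
from urllib.parse import parse_qs, urlsplit
AUTHORIZE_URL = ("https://login.sparkasse.at/sts/oauth/authorize"
                 "?response_type=token&client_id=georgeclient")
SECONDFACTOR_URL = "https://login.sparkasse.at/sts/secapp/secondfactor?client_id=georgeclient"

def token_from_location(location):
    """access_token from the redirect URL: assumed in the fragment (implicit flow), query as fallback."""
    parts = urlsplit(location)
    for part in (parts.fragment, parts.query):
        if "access_token" in parse_qs(part):
            return parse_qs(part)["access_token"][0]
    return None

def login_with_second_factor(session, username, max_wait_s=120, sleep=time.sleep):
    """The issue's flow: POST the username, poll until DONE, then re-request authorize with
    redirects off. `session` is requests-like; returns the token or None if none was sent."""
    session.get(AUTHORIZE_URL)
    session.post(AUTHORIZE_URL, data={"j_username": username,
                                      "javaScript": "jsOK", "SAMLRequest": "ignore"})
    deadline = time.monotonic() + max_wait_s
    while True:
        status = session.get(SECONDFACTOR_URL).json()
        if status.get("secondFactorStatus") == "DONE":
            break
        # Give up on an unknown status or when the user never confirms; never poll forever.
        if status.get("secondFactorStatus") != "PENDING" or time.monotonic() >= deadline:
            raise RuntimeError("second factor not confirmed: %r" % status)
        sleep(status.get("pollingIntervalMs", 2500) / 1000.0)  # honour the server's interval
    final = session.get(AUTHORIZE_URL, allow_redirects=False)
    return token_from_location(final.headers.get("Location", ""))

class ScriptedSession:  # constructed requests.Session stand-in: canned bodies, then a redirect
    def __init__(self, statuses, location):
        self.statuses, self.location = list(statuses), location
    def _resp(self, body=None, headers=None):
        return types.SimpleNamespace(headers=headers or {}, json=lambda: body or {})
    def post(self, url, data=None):
        return self._resp()
    def get(self, url, allow_redirects=True):
        if url == SECONDFACTOR_URL:
            return self._resp(self.statuses.pop(0))
        return self._resp(headers={"Location": self.location} if not allow_redirects else {})

def demo():  # replay the exchange quoted in the issue: two PENDING polls, DONE, then the token
    pending = {"secondFactorStatus": "PENDING", "pollingIntervalMs": 2500}
    session = ScriptedSession([pending, pending, {"secondFactorStatus": "DONE"}],
                              "https://george.sparkasse.at/#access_token=CONSTRUCTED-TOKEN&token_type=bearer")
    return login_with_second_factor(session, "CONSTRUCTED-VERFUEGERNUMMER", sleep=lambda _: None)
```

Against the real endpoints, pass a `requests.Session()` instead of the scripted one and keep the default `sleep`.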

simllll (Contributor) commented Jul 30, 2019

Thanks, just saw your comments here.

If there is need for this feature, I will look into it. But for now I guess it's okay to go with the "old" login method.

Ramblurr (Author) commented Aug 6, 2019

For newly opened accounts they do not give you the option to use a password, you must use some form of second factor auth. If you have a smartphone, then via the sIdentity app, or if not, then via an SMS flow.
