Problem on auth?

[davvo84]

Hi, my script is no longer able to authenticate, even though I haven't changed anything

I use CURL with PHP and, on second call for auth (Step 2: Obtain an authorization code) i have this:

Resposne doSecondCall:
HTTP/2` 403
server: AkamaiGHost
mime-version: 1.0
content-type: text/html
content-length: 295
expires: Fri, 26 Mar 2021 14:28:22 GMT
date: Fri, 26 Mar 2021 14:28:22 GMT

<TITLE>Access Denied</TITLE>

Access Denied

You don't have permission to access "http://auth.tesla.com/oauth2/v3/authorize?" on this server.

Reference xxxxxxxxxxxxxxx

I tried to add into the headers "User-Agent: curl / 6.14.0" and it works fine again: "Redirect to https://auth.tesla.com/void/callback?code=XXXXX"
By default, CURL on PHP don't send any User-Agent.

So, I think tesla blocks some user agents or add some control (eg. user-agent is present) .... does anyone have the same problem?
And what is the user agent used by the app, you know? I wonder why, by setting the one in the requests, the call from the app is simulated?

[saehyun]

I have the same issue.
Is it resolved?

[ghost]

Can confirm having the same issue. It would be great if someone can share a working solution.

[ghost]

Noting down my observations here:

1. The problem is definitely not with User-Agent. I tried running my selenium script with same user-agent as my browser (where it works if done manually), but it still takes me to 403 page.

2. One interesting thing I noticed on taking the diff of the cookies is this:
   

There are a couple of new cookies by Akamai. On a simple google search, I could find that these cookies are from Akamai bot detector script.

So if anyone has a way to bypass these scripts, that would be great.

PS: Why does tesla keep doing this? Like there's legit a whole ecosystem on top on tesla APIs. I would be happy to pay them for open API access, but idk why they are making it harder for community to build stuff on top.

[ClaireDMT]

same problem here, credentials are correct but still get "You don't have permission to access "http://auth.tesla.com/oauth2/v3/authorize?" on this server."

[yakeer]

Same issue here.

[AxelMontini]

I'm also stuck on this issue, here's what I've tried (in rust)

Using reqwest to get the form hidden inputs and then to send the form

Fails with a 403 no matter what I do. Credentials are correct.

Using fantoccini to automatically type credentials in the browser

Some bot detection system has been added (file AlaTM) that sends sensor data periodically.
On detection, the user is greeted with a 403.

Even adding randomness to keystrokes did not help avoiding a detection. Still stuck at step 2.

Manually logging in and then using the code

Manually logging in brings me to the url containing ?code=XXX.

Using that code for step 3 results in a failure both on Postman and reqwest.

Error response:

{
    "error": "unauthorized_client",
    "error_description": "Unauthorized client",
    "error_uri": "https://auth.tesla.com/error/reference/8a98679b-7268-45a1-ab7b-923a5b5fc0aa-1648331689207"
}

I've yet to figure out why even step 3 doesn't work.

Anyone got any suggestions?

Mini rant

Why do they keep adding barriers to stop the advanced users from using their API?

[PrriyaR]

Same issue for me as well. Were you able to resolve this issue?

[9cat]

same here

[9cat]

i finally solved the problem by sending the request parameter using POST BODY in which :
{ "grant_type": "authorization_code", "client_id": "ownerapi", "code": "123", "code_verifier": "123", "redirect_uri": "https://auth.tesla.com/void/callback" }

replace the 123 with the last generated vaules.

[waynewang6660]

thanks a lot! It works for me!

[lemeo]

Hey @9cat, how about step 2? Did you get a 403 error resulting in no code for step 3?

[RoWi2907]

Hi there, searching for this issue I found #545, which tagged this thread as solution, however, not sure whether it was solved.
Did anybody get arround this 403 issue?

[Falgantil]

Any updates on this? I just tried to simulate an auth request with Postman and am also getting a 403 with 'Access Denied' on Step 2 of the OAuth guide.

[9cat]

same here.

anyone could still running the Tesla API successfully?

[EnglishGuy69]

I don't have a solution, but it appears when the page loads on a browser it also makes a call to www.recapture.net that returns some javascript that is then run. This is required to populate at least one of the three cookies 'i18next', 'ak_mbsc' and 'bm_sv' that are included in the request when using a browser but are missing when using curl/postman/request. The recapture script actually modifies the dom after loading so the references to recapture script no longer exist once the page is rendered in a regular browser. You can reproduce by making the call using curl, then manually performing a curl (search for www.recapture.net) to get the recapture code. Unless we can render the page (including all <script> includes and js code) it will be hard to get the additional required headers.

[the-mace]

Lots of similar discussions on this problem:
#614
So far i've found none that have solved it short of going interactive at some point

[lemeo]

Any luck?

[ricardocostasilva]

im trying to test the auth aswell, and im getting the 403 error. Does anyone have a solution for this?

[lemeo]

Any luck?

[malina-nimbee]

Hello, any update on this issue or are we locked out from the Tesla API?