Step2 get 403 error

[ben25belot]

Hi everyone,

Could you help me ?

I would like to implement this api in Python. I did the first step easily and I get the set-cookie and hidden inputs but when I construct (correctly for me) and request the second step I get a 403 error, unauthorized.

Anyone else experience this trouble ?

Here is my code :

import requests
from bs4 import BeautifulSoup

URL = "https://auth.tesla.com/oauth2/v3/authorize"
PARAMS = {
    'client_id':"ownerapi",
'code_challenge':'ZjZjYTk2M2M4NmJmODdmNDhmY2M1YTkwZWRhOTA1NmVmMmUyNDU3YjJjYjRkOGEzNTA1MDc5NjRjMmVhZWMwZQ',
    'code_challenge_method':'S256',
    'redirect_uri':'https://auth.tesla.com/void/callback',
    'response_type':'code',
    'scope':'openid email offline_access',
    'state':'13hz3x3c1tuz9p5lvrde'
}

r1 = requests.get(url = URL, params = PARAMS)

cookies = {'tesla-auth.sid' : r1.headers['set-cookie'].split("; ")[0].split('tesla-auth.sid=')[1]}

soup = BeautifulSoup(r1.text, features="html.parser")
hidden_tags = soup.select("#form input[type='hidden']")
hidden_inputs = {}
for tag in hidden_tags:
    hidden_inputs[tag.get('name')] = tag.get('value')

hidden_inputs['identity']='[email protected]'
hidden_inputs['credential']='xxx'

headers = {"Content-Type" : "application/x-www-form-urlencoded", "follow_redirects":"false"}

r2 = requests.post(url = URL, params = PARAMS, data=hidden_inputs, cookies=cookies, headers=headers)

[emilfors]

I have the same problem. Tried "everything". If anyone who sees this and doesn't have the problem could perhaps post exactly what their post request looks like, it'd be much appreciated. I don't know if I'm formatting the body correctly, the documentation just says there should be a String[] with the hidden input values but that could be interpreted in a bunch of different ways..?

[xin-w8023]

@ben25belot maybe you could try to change data=hidden_inputs to json=hidden_input to see if it works.

[JSpiner]

@ben25belot @emilfors
Hi, I also faced this problem and couldn't solve it. who solved it?

[RealHenning]

I have the same problem with my python implementation so I tried to use the ruby lib. I was pretty supprised when it also threw the 403. From looking at traffic generated by token creators like Chromium Tesla Token Generator. I found out that their hash for the code challenge is a lot shorter then the one created by this implementation. I don't know if that is the problem. I'm also not quite sure if I set up my Ruby implementation correctly, I think I followed the example given.

[tominal]

This one stumped me along with everyone else. What I found is bizarre.

Long story short, a Node.js implementation is working, but a PHP implementation fails. What?! Can anyone explain how?

The implementation is the same down the characters chosen (I THINK). As soon as I go to trade the code to receive an access/refresh token, that's where PHP fails. AkamaiGHost stops the request every time.

So AkamaiGHost is blocking PHP cURL requests somehow? I have no idea how this could happen, but maybe I'm too close to the problem and the Node.js and PHP implementations are not truly the same..

Node.js:

function bufferBase64url(buffer) {
  return buffer.toString("base64").replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=/g, "");
}

// Generate a random state identifier string (10 bytes = 16 characters)
const state = bufferBase64url(crypto.randomBytes(10));
// Generate a random code verifier string (64 bytes = 86 characters)
const codeVerifier = bufferBase64url(crypto.randomBytes(64));
// SHA-256 hash the codeVerifier string
const hash = crypto.createHash("sha256").update(codeVerifier).digest();
const codeChallenge = bufferBase64url(Buffer.from(hash));

// click the URL in the browser, decode the resulting Tesla URL, land here to trade in the code for an access token

let url = `https://auth.tesla.com/oauth2/v3/token`;
const res = await request(
  url,
  {
    method: "POST",
    headers: { "Content-Type": "application/json" }
  }, JSON.stringify({
    grant_type: "authorization_code",
    client_id: "ownerapi",
    code,
    codeVerifier,
    redirect_uri: `https://auth.tesla.com/void/callback`
  })
);
const token = JSON.parse(res.body);
token.issuer = issuer;
return token;

// Response: Tokens!!!

PHP:

public function base64UrlEncode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Generate a random state identifier string (10 bytes = 16 characters)
$state = $this->base64UrlEncode(random_bytes(10));
// Generate a random code verifier string (64 bytes = 86 characters)
$codeVerifier = $this->base64UrlEncode(random_bytes(64));
// SHA-256 hash the codeVerifier string
$hash = hash("sha256", $codeVerifier, true);
$codeChallenge = $this->base64UrlEncode($hash);

// click the URL in the browser, decode the resulting Tesla URL, land here to trade in the code for an access token

$ch = curl_init("https://auth.tesla.com/oauth2/v3/token");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
    "grant_type" => "authorization_code",
    "client_id" => "ownerapi",
    "code_verifier" => $codeVerifier,
    "code" => $code,
    "redirect_uri" => "https://auth.tesla.com/void/callback"
]));
curl_setopt($ch, CURLOPT_HEADER, true);
/*curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "Content-Type: application/json",
    "Cache-Control: no-cache",
    "Connection: keep-alive",
    "Accept-Encoding: gzip, deflate, br"
]);*/
$response = curl_exec($ch);
Log::info($response);
curl_close($ch);

// Response: Access Denied - AkamaiGHost

[malina-nimbee]

@tominal I am trying to solve this issue, but your comment seems to be little bit confusing as you are calling the token endpoint instead of authorize. Can you please confirm, that nodejs really works for the question asked above?

[tominal]

@tominal ... you are calling the token endpoint instead of authorize.

No, authorize is called from the user's browser. Token is the exchange of the code received from authorize.

It has been a while but I'm still sure that there is some minor difference in the PHP implementation that I'm not seeing causing it to fail. Node.js still works to get my tokens afaik.

[the-mace]

I don't have an answer but the docs are a bit unclear around the "set-cookie header" since there are multiple "Set-Cookie" headers in the response. For the OP they picked just one (tesla-auth.sid) but in a network trace I see multiple "Set-Cookie" headers being echo'd back in the post request.

I tried providing them all in the cookie header but that didnt help the 403 problem.

I don't think it has anything to do with the code challenge as step 2 is not yet at a stage for verification (seems to happen in step 3)

For hidden values I wasnt sure of the notation, I did this:

    body = {
        'identity': email,
        'credential': password,
    }
    for h in hidden_values:
        body[h] = hidden_values[h]

   ...
   encoded_body = urllib.parse.urlencode(body)
   ...
    response = requests.post(
        url=url,
        headers=headers,
        params=params,
        data=encoded_body,
    )

That gets me to a application/x-www-form-urlencode format for the body with the hidden values.

Anyway i'm stuck too and have tried a few things but something is missing.