Login broken

[Urkman]

Hello,

the login to the Tesla API is broken since today.
We get this error:
{"error":"invalid_request","error_description":"Invalid code_verifier","error_uri":"https://auth.tesla.com/error/reference/1d9f8f73-8335-40b1-ad8b-e6d23ce673e8-1676459376419"}

This seems to be broken for everybody:
tomhollander/TeslaAuth#30

Any ideas?

[Urkman]

Token generation on this site works:
https://tesla-info.com/tesla-token.php

[itsMeDavidV]

FYI for anyone looking into this, as of today 64 character code_verifier strings are no longer supported, only 86.

[mavese]

@dacastro4 what does the rest of your request look like? Does your body look like this:

{
    "grant_type": "authorization_code",
    "client_id": "ownerapi",
    "code": "<code>",
    "code_verifier": "<code_verifier>",
    "redirect_uri": "https://auth.tesla.com/void/callback"
}

Also thank you so much for the responses!

[mseminatore]

Just FYI: After generating the code verifier (86 characters) and running through S256 + Base64 and then cleaning it removing unsafe characters worked

    private fun cleanString(s: String): String {
        return s
            .replace("+", "-")
            .replace("/", "_")
            .replace("=", "")
            .trim { it <= ' ' }
    }

Here is the code that I am using in JS:

function generateCodeChallenge(verifier) {
    var hash = crypto.createHash('sha256');
    hash.update(verifier);
    return hash.digest('base64')
        .replace(/=/g, '')
        .replace(/\+/g, '-')
        .replace(/\//g, '_')
        .replace(/[^\x20-\x7e]+/g, '')
        ;
}

[JorenVos]

I've started using this library for my React Native-project and this solves the issue:
https://github.com/dcangulo/react-native-pkce-challenge

[Thor-Herman]

Using a web view so the user can log in and then getting the code for step 3 worked for me. Also had to use react-native-pkce-challenge library for generating the challenge and verifier. Did not need to use TLS 1.2 either

[sarvold]

@Thor-Herman sorry for the off-topic but if I may ask, how were you able to get the code from the redirect url? I'm on expo and tried different libraries but was never able to properly get the authorization code from the not found page after authentication.

[Urkman]

mine:

{
  "client_id" : "ownerapi",
  "code" : "7cebe4a9abb80edf8af5ee13691ae3cb41df.....",
  "redirect_uri" : "https:\/\/auth.tesla.com\/void\/callback",
  "code_verifier" : "510d828d88af6446a9ca8....",
  "client_secret" : "c7257eb71a564034f9419...",
  "grant_type" : "authorization_code"
}

[seiichinagai]

Where does client_secret come from?

[Urkman]

The question ist what does the "code_verifier" verify if it is just a random string... ?

[mavese]

Should be verifying the code_challenge because that is the hashed and encoded code_verifier.

[timdorr]

This is described in the spec: https://www.oauth.com/oauth2-servers/pkce/authorization-request/

[Urkman]

@timdorr thanks... This brought me to a solution... Fixed it for me :)

[mavese]

@Urkman Could you share how you fixed it?

[Urkman]

Sure... I used the code to generate the code_verifier and the challenge from this page:
https://bootstragram.com/blog/oauth-pkce-swift-secure-code-verifiers-and-code-challenges/

This is Swift code...

[brianflex]

Thanks, this really helped.

[jonasman]

what is the 86 char string that you are using?

[brianflex]

It should be random. Some C# code:

    static readonly Random Random = new Random();

    static string RandomString(int length)
    {
        // Technically this should include the characters '-', '.', '_', and '~'.  
        const string chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        lock (Random)
        {
            return new string(Enumerable.Repeat(chars, length)
                .Select(s => s[Random.Next(s.Length)]).ToArray());
        }
    }

[jonasman]

already figured it out.
I had a bug somewhere else

[epologee]

Hi @Urkman, did you figure out what the issue was? We're encountering the same error since last week (anything to do with the big Tesla API outage?), even thought is was working fine for over a year.

[epologee]

For posterity: it seems the only changes we needed to make was to use the non-hex Digest::SHA256.digest on the code_verifier string and set padding: false on the Base64.urlsafe_encode64 call method call. The login! method itself is not very useful anymore since Tesla added the Captcha-challenge to the SSO page (at https://auth.tesla.com/oauth2/v3/authorize?client_id=...), but if you open that in a browser and let the Tesla-owners log in and pass the Captcha, your app can exchange the token again with the regular digest and base64 encoding. Cheers!

[benderl]

I had to modify my PHP version:

function generateRandomString($length = 10) {
	$character_list = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
	return substr(str_shuffle(str_repeat($character_list, ceil($length/strlen($character_list)) )),1,$length);
}

function gen_challenge() {
	$code_verifier = generateRandomString(86);
	$code_challenge = rtrim(strtr(base64_encode(hash('sha256', $code_verifier, true)), '+/', '-_'), '='); 
	$state = rtrim(strtr(base64_encode(generateRandomString(12)), '+/', '-_'), '='); 

	return array("code_verifier" => $code_verifier, "code_challenge" => $code_challenge, "state" => $state);
}

Seems like we need to use byte output from the hash function. In PHP you have to pass true as the third parameter raw_output.

[Urkman]

I used this tutorial to generate the code verifier in Swift: https://bootstragram.com/blog/oauth-pkce-swift-secure-code-verifiers-and-code-challenges/

[aesculus]

I had to modify my PHP version:

function generateRandomString($length = 10) {
	$character_list = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
	return substr(str_shuffle(str_repeat($character_list, ceil($length/strlen($character_list)) )),1,$length);
}

function gen_challenge() {
	$code_verifier = generateRandomString(86);
	$code_challenge = rtrim(strtr(base64_encode(hash('sha256', $code_verifier, true)), '+/', '-_'), '='); 
	$state = rtrim(strtr(base64_encode(generateRandomString(12)), '+/', '-_'), '='); 

	return array("code_verifier" => $code_verifier, "code_challenge" => $code_challenge, "state" => $state);
}

Seems like we need to use byte output from the hash function. In PHP you have to pass true as the third parameter raw_output.

Would you mind sharing your complete PHP code for the API access?

[benderl]

https://github.com/snaptec/openWB/blob/master/modules/soc_tesla/tesla.php

[aesculus]

Thank you

[giddie]

Something weird here that could help others: in debugging this issue we found that our app was re-hashing the verifier before sending it with the code grant to obtain an access token. I have no idea why it was implemented that way, but it was working just fine previously. It's most definitely out of spec for PKCE, though. Either Tesla was ignoring the verifier, or they had a really weird implementation of PKCE.

Now we send the raw verifier, as per the PKCE spec, and all seems to work as expected. The minimum required verifier length is 43, as expected. Note that the verifier length is measured as sent in the URL param. This is not a byte length that is then urlsafe base64 encoded: it is the final string length. The method by which the verifier is generated is not covered in the spec. The important thing is that it must be >= 43 characters long and contain only the specified characters (which happens to be very easy to achieve with urlsafe base64 encoding, with a bit of maths to get the right length).

PKCE verifier spec:
https://datatracker.ietf.org/doc/html/rfc7636#section-4.1