Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement re-authentication of expired OAuth (Single ID) tokens #250

Closed
Vitani opened this issue Sep 16, 2024 · 31 comments
Closed

Implement re-authentication of expired OAuth (Single ID) tokens #250

Vitani opened this issue Sep 16, 2024 · 31 comments
Assignees
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@Vitani
Copy link
Contributor

Vitani commented Sep 16, 2024

When I get the error (in the logs) Token request for indego failed (invalid_grant): ABC123: The provided grant has expired. Please re-authenticate and try again. I know I have to re-authenticate, but the only way I can seem to do that is to delete the integration and re-add it; is that the correct way, or am I missing an alternative?

@Larnak23
Copy link

Same for me

@kimzeuner
Copy link
Contributor

i think at the moment this is the only (and therefore correct) way to re-authenticate. I don't know if there will be another solution in the future.

Copy link

github-actions bot commented Oct 1, 2024

This issue is stale because it has been open for 14 days with no activity.

@github-actions github-actions bot added the stale Stale issues or pull requests label Oct 1, 2024
@brononius
Copy link

I'm also checking for an easier way to renew the token...

@github-actions github-actions bot removed the stale Stale issues or pull requests label Oct 8, 2024
Copy link

This issue is stale because it has been open for 14 days with no activity.

@github-actions github-actions bot added the stale Stale issues or pull requests label Oct 22, 2024
@sander1988 sander1988 removed the stale Stale issues or pull requests label Nov 2, 2024
@sander1988
Copy link
Owner

Currently there is no way to renew an expired token. You have to remove and re-add the mower.

I will keep this issue open. As it might be a nice improvement for a future release.

@dvdmaz
Copy link

dvdmaz commented Nov 3, 2024

Thank you Sander, we really appreciate your efforts!

@Rosi2143
Copy link
Collaborator

Rosi2143 commented Nov 3, 2024

Thanks @sander1988.

I will keep looking at this issue - every once in a while.

sander1988 added a commit that referenced this issue Nov 11, 2024
@sander1988
Copy link
Owner

sander1988 commented Nov 11, 2024

This has been implemented and is available for testing on the dev branch. HA will now show a warning and a reconfigure button when the authentication fails.
indego-reauth

@Vitani - I had to make the assumption that the Bosch API reports HTTP error code 401 in this case. As the error log/stacktrace is missing in the issue description. Maybe you still have the original error?

@sander1988
Copy link
Owner

This change requires some new translations (see the EN file in commit 517f97b). I have added them for EN and NL.

Can someone provide DE, FR, PL and/or SK?

@sander1988 sander1988 self-assigned this Nov 11, 2024
@sander1988 sander1988 added enhancement New feature or request help wanted Extra attention is needed labels Nov 11, 2024
@kimzeuner
Copy link
Contributor

I will take care of the DE translations tomorrow.

@Vitani
Copy link
Contributor Author

Vitani commented Nov 11, 2024

@sander1988 I don't have the original logs, sorry

@pbwild

This comment has been minimized.

@sander1988
Copy link
Owner

@pbwild - Please open a new issue for your error (and answer the questions in the template). The error doesn't seem to be related to this issue.

@kimzeuner
Copy link
Contributor

Here is the updated de.json translation file.

de.json

@urbatecte
Copy link

Hi there !
Here is the updated french translation.
fr.json

Cheers.

@sander1988
Copy link
Owner

Thank you @kimzeuner and @urbatecte for the DE and FR translations. I just merged the files on the dev branch.

@sander1988
Copy link
Owner

Was anyone able to test this new feature due to an expired token? I would like some feedback before merging and releasing it.

I faked expired tokens during testing, but I would like to know/see if it works for real.

@sander1988 sander1988 changed the title Question: what is the correct way to re-authenticate the integration? Implement re-authentication of expired OAuth (Single ID) tokens Nov 15, 2024
@mintar
Copy link

mintar commented Nov 16, 2024

I'd be willing to test this (I have a currently-broken install with expired tokens after the upgrade to 5.7.7), but I couldn't figure out how to switch to the develop branch.

@kimzeuner
Copy link
Contributor

I think with the new HACS it is no longer possible to load develop branches or beta version through HACS. I think you will have to go to the indego integration on github. There you will find a button with "main" in the upper left corner (next to the box where the files and folders are listed). There you have to choose "develop". Download the files from "custom_components/indego" and copy them to your HA instance (again in the folder "custom_components/indego". After a HA restart it should have the new version. You can download the whole directory as a zip file.

@mintar
Copy link

mintar commented Nov 16, 2024

Thanks @kimzeuner, that did the trick. I was looking for an official way to do it because replacing the files under the hood seemed a bit hacky, but I found none.

Anyways, @kimzeuner's method worked, and I'm now on the develop branch (commit 209e359). However, I don't see the "Opnieuw configureren" button:

grafik

It should also be noted that I don't get a 401 error, but a 400 error. My logs look like this:


Logger: homeassistant.config_entries
Quelle: config_entries.py:635
Erstmals aufgetreten: 14. November 2024 um 08:20:22 (2 Vorkommnisse)
Zuletzt protokolliert: 16:58:51

Error setting up entry rasi (XXXXXXXXX) for indego
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/config_entries.py", line 635, in __async_setup_with_context
    result = await component.async_setup_entry(hass, self)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/config/custom_components/indego/__init__.py", line 235, in async_setup_entry
    await indego_hub.update_generic_data_and_load_platforms(load_platforms)
  File "/config/custom_components/indego/__init__.py", line 472, in update_generic_data_and_load_platforms
    generic_data = await self._update_generic_data()
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/config/custom_components/indego/__init__.py", line 730, in _update_generic_data
    await self._indego_client.update_generic_data()
  File "/usr/local/lib/python3.12/site-packages/pyIndego/indego_async_client.py", line 276, in update_generic_data
    self._update_generic_data(await self.get(f"alms/{self.serial}"))
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/pyIndego/indego_async_client.py", line 583, in get
    return await self._request(method=Methods.GET, path=path, timeout=timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/pyIndego/indego_async_client.py", line 478, in _request
    await self.start()
  File "/usr/local/lib/python3.12/site-packages/pyIndego/indego_async_client.py", line 78, in start
    self._token = await self._token_refresh_method()
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/config/custom_components/indego/__init__.py", line 405, in async_token_refresh
    await session.async_ensure_token_valid()
  File "/usr/src/homeassistant/homeassistant/helpers/config_entry_oauth2_flow.py", line 531, in async_ensure_token_valid
    new_token = await self.implementation.async_refresh_token(self.token)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/helpers/config_entry_oauth2_flow.py", line 103, in async_refresh_token
    new_token = await self._async_refresh_token(token)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/helpers/config_entry_oauth2_flow.py", line 193, in _async_refresh_token
    new_token = await self._token_request(
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/helpers/config_entry_oauth2_flow.py", line 226, in _token_request
    resp.raise_for_status()
  File "/usr/local/lib/python3.12/site-packages/aiohttp/client_reqrep.py", line 1157, in raise_for_status
    raise ClientResponseError(
aiohttp.client_exceptions.ClientResponseError: 400, message='Bad Request', url='https://prodindego.b2clogin.com/prodindego.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/token'


----------------------------------------------------------------------

Logger: homeassistant.helpers.config_entry_oauth2_flow
Quelle: helpers/config_entry_oauth2_flow.py:220
Erstmals aufgetreten: 14. November 2024 um 08:20:22 (2 Vorkommnisse)
Zuletzt protokolliert: 16:58:51

Token request for indego failed (invalid_grant): AADB2C90080: The provided grant has expired. Please re-authenticate and try again. Current time: 1731568822, Grant issued time: 1730890132, Grant sliding window expiration time: 1730920481.
 Correlation ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 Timestamp: 2024-11-14 07:20:22Z
Token request for indego failed (invalid_grant): AADB2C90080: The provided grant has expired. Please re-authenticate and try again. Current time: 1731772731, Grant issued time: 1730890132, Grant sliding window expiration time: 1730920481.
 Correlation ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 Timestamp: 2024-11-16 15:58:51Z

Let me know if you need any additional information. And also thanks for looking into this issue!

@mintar
Copy link

mintar commented Nov 16, 2024

Oh, by the way, the logs above were from 5.7.7. With develop, there's no stack trace any more, but still the same error 400:

Logger: custom_components.indego
Quelle: custom_components/indego/__init__.py:243
Integration: Bosch Indego Mower (Dokumentation)
Erstmals aufgetreten: 20:27:38 (1 Vorkommnisse)
Zuletzt protokolliert: 20:27:38

Login unsuccessful: 400, message='Bad Request', url='https://prodindego.b2clogin.com/prodindego.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/token'

-------------------------------

Logger: homeassistant.helpers.config_entry_oauth2_flow
Quelle: helpers/config_entry_oauth2_flow.py:220
Erstmals aufgetreten: 20:27:38 (1 Vorkommnisse)
Zuletzt protokolliert: 20:27:38

Token request for indego failed (invalid_grant): AADB2C90080: The provided grant has expired. Please re-authenticate and try again. Current time: 1731785258, Grant issued time: 1730890132, Grant sliding window expiration time: 1730920481.
 Correlation ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
 Timestamp: 2024-11-16 19:27:38Z

@sander1988
Copy link
Owner

sander1988 commented Nov 17, 2024

Are you sure the user-agent is set to a value that's known to have worked before? As normally 400 = Azure WAF blocking the request (which it does for unknown reasons for some user-agents), 401 = OAuth token issue.

@mintar
Copy link

mintar commented Nov 17, 2024

I'm using "Rasi Indego (3.2.0)" as a user agent, and that has worked before. I've changed it to "Rasi2 Indego (3.2.0)", same error.

Did you look at the "Token request has failed" error message as well?

@sander1988
Copy link
Owner

Can you perform a test by changing this line https://github.com/sander1988/Indego/blob/develop/custom_components/indego/__init__.py#L239 to:

if exc.status >= 400 and exc.status < 500:

Make sure you don't break the indention of the file.

This should show the reconfigure button ("opnieuw configureren") for all 4XX errors. I'm wondering if the reconfigure flow can get you out of your current OAuth state. Please share the results.

@mintar
Copy link

mintar commented Nov 17, 2024

Yes, it's working beautifully! The reconfigure flow could fix my current OAuth state.

Here are some screenshots of the new "reconfigure" button:

grafik

grafik

grafik

And here are my very verbose notes of what I did:

  • made the change to line 239 that @sander1988 suggested
  • restarted HA
  • reconfigure button ("Neu konfigurieren") is now showing, repair is showing
  • installed the Chrome extension (HomeAssistant Indego authentication helper)
  • opened home assistant in Chromium
  • clicked the reconfigure button
  • this took me to the singlekey-id.com website
  • logged in, confirmed "Link account to Home Assistant?" dialog
  • Got a success message in HA: "Bosch Indego Mower: Re-Authentifizierung war erfolgreich. Zugang zur Bosch API wurde wiederhergestellt."
  • Everything works again, as far as I can tell! I already took the mower inside for this season, so I can't test whether the mower actually works, but the connection to the Bosch cloud is definitely working again.

@sander1988
Copy link
Owner

@mintar - Thank you for testing and feedback!

I will do some more tests and make the change permanent when I'm sure it doesn't break anything.

@Sboobby31
Copy link

Hi @sander1988,
As workaround, using "Rasi Indego (3.2.0)" as user agent works,
Regards

@kimzeuner
Copy link
Contributor

Hi,
i had the 400 error yesterday, so i tried the develop branch and made the changes in init.py as suggested. The re-authentication fixed the error. Just wanted to confirm that it is working.
Regards

@sander1988
Copy link
Owner

Ok. Thank you for confirming.

sander1988 added a commit that referenced this issue Dec 8, 2024
@sander1988
Copy link
Owner

Version 5.7.8 has been released; containing this new feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request help wanted Extra attention is needed
Projects
None yet
Development

No branches or pull requests