API changed to https://identity.vwgroup.io/signin-service/v1

[andig]

After receiving

Konto gesperrt wegen Überschreitung fehlerhafter Logins

errors for some time I've noticed that- when logging into my.audi.com- that the signin flow now uses https://identity.vwgroup.io/signin-service/v1. Can anyone confirm if the app is doing the same and help reworking the login?

[andig]

For a few days now, the messagae has changed when getting the token from https://msg.audi.de/fs-car/core/auth/v1/Audi/DE/token:

{
    "error":"invalid_grant",
    "error_description":
    "Bitte überprüfen Sie Ihre eingegebenen Daten."
}

[insert10p]

I've been getting the same. The last time it worked for me was the 9th August On 16 Aug 2020, at 11:38, andig <notifications@github.com> wrote:  For a few days now, the messagae has changed when getting the token from https://msg.audi.de/fs-car/core/auth/v1/Audi/DE/token: { "error":"invalid_grant", "error_description": "Bitte überprüfen Sie Ihre eingegebenen Daten." } — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[andig]

If anyone could use something like mitmproxy on Android that would help. The iOS Audi app uses certificate pinning which didn't allow me to debug any further.

[davidgiga1993]

The android app also uses certificate pinning, you need to unpack the app, replace the certificate, pack the app and install it again.
Or simple decompile it. I'll take a look at it later to see if I find something

[Mr-Staffman]

The android app also uses certificate pinning, you need to unpack the app, replace the certificate, pack the app and install it again.
Or simple decompile it. I'll take a look at it later to see if I find something

Found this on a forum:

{
"issuer": "https://identity.vwgroup.io",
"authorization_endpoint": "https://identity.vwgroup.io/oidc/v1/authorize",
"token_endpoint": "https://app-api.my.audi.com/myaudiappidk/v1/token",
"revocation_endpoint": "https://app-api.my.audi.com/myaudiappidk/v1/revoke",
"end_session_endpoint": "https://identity.vwgroup.io/oidc/v1/logout",
"jwks_uri": "https://identity.vwgroup.io/oidc/v1/keys",
"userinfo_endpoint": "https://identity-userinfo.vwgroup.io/oidc/userinfo",
"response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["RS256"],
"code_challenge_methods_supported": ["S256"],
"scopes_supported": ["aboutMe", "address", "affinity", "badge", "battery", "birthdate", "birthplace", "carConfigurations", "carMeasurements", "cars", "charging", "climatisation", "dealers", "doors_windows", "driversLicense", "ecus", "email", "errors", "fuelLevels", "gallery", "intExtTemperature", "lock_unlock", "manageCharging", "manageClimatisation", "manageDestinations", "mbb", "mileage", "name", "nationalIdentifier", "nationality", "navigation", "nickname", "openid", "parking_position", "phone", "picture", "preferred_language", "profession", "profile", "range", "vehicleLights", "vehicleOnlineCapabilities", "vin", "warning_lights", "we_connect_vehicles", "wl_raw"],
"claims_supported": ["iss", "sub", "aud", "iat", "exp", "nonce", "name", "email", "email_verified", "phone_number", "phone_number_verified", "updated_at"],
"grant_types_supported": ["access_token", "refresh_token", "authorization_code", "client_credentials"],
"ui_locales_supported": ["bg", "bs", "cs", "cs-CZ", "da", "da-DK", "da-GL", "de", "de-AT", "de-BG", "de-CH", "de-DE", "de-LI", "de-LU", "de-PL", "el", "el-CY", "el-GR", "en", "en-AE", "en-AL", "en-AM", "en-AU", "en-AZ", "en-BA", "en-BG", "en-BH", "en-BN", "en-BW", "en-CA", "en-CL", "en-CN", "en-CY", "en-DK", "en-FI", "en-GB", "en-GE", "en-GI", "en-GL", "en-GR", "en-HU", "en-ID", "en-IE", "en-IL", "en-IN", "en-IS", "en-JO", "en-KW", "en-KZ", "en-LS", "en-LT", "en-LV", "en-MD", "en-ME", "en-MK", "en-MT", "en-MY", "en-MZ", "en-NA", "en-NO", "en-NZ", "en-OM", "en-PH", "en-QA", "en-RO", "en-RS", "en-SA", "en-SE", "en-SG", "en-SG", "en-SK", "en-TH", "en-TW", "en-UA", "en-US", "en-UZ", "en-ZA", "es", "es-AD", "es-AR", "es-CL", "es-ES", "es-IC", "es-MX", "es-MX", "et", "et-EE", "fi", "fi-FI", "fr", "fr-AD", "fr-BE", "fr-CA", "fr-CH", "fr-FR", "fr-LU", "fr-MC", "hr", "hr-HR", "hu", "hu-HU", "is", "it", "it-CH", "it-IT", "it-SM", "it-VA", "ja", "ja-JP", "ko-KR", "lt", "lt-LT", "lv", "lv-LV", "mk", "nl", "nl-BE", "nl-NL", "no", "no-NO", "pl", "pl-PL", "pt", "pt-BR", "pt-BR", "pt-PT", "ro", "ru", "ru-BY", "ru-BY", "ru-RU", "ru-UA", "sk", "sk-SK", "sl", "sl-SI", "sq", "sr", "sv", "sv-SE", "tr", "tr-TR", "uk", "zh", "zh-CN", "zh-TW"],
"acr_values_supported": ["https://identity.vwgroup.io/assurance/loa-2", "https://identity.vwgroup.io/assurance/loa-3"],
"token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"]
}

[andig]

@Mr-Staffman is there a link to the discussion, too? This looks like a jwt token?

[cengler69]

@Mr-Staffman is there a link to the discussion, too? This looks like a jwt token?

I think it is taken from https://community.home-assistant.io/t/audi-mmi-support/46543/250

[andig]

Ping @davidgiga1993 any news? I'd be happy to update the flow but would need input from the app side. Thanks!

[andersop91]

Is this helping? I've seen and read about quite some smiliarities between VW and Audi. With regards to the server change, it seems even more similar at the time. This page is documenting the VW API: https://productdata.vwgroup.com/quick-start.html

[andig]

We‘re lacking client credentials, id and secret. We also don‘t know any of the api endpoints. These are all pieces of the puzzle but not a solution :(

[davidgiga1993]

I tried to recompile the app with the CA from mitmproxy (as I did the last time) but apparently there are some other checks I can't seem to find at the moment. Also recompiling is a giant pain since they switched to kotlin,

[andig]

Here is some detail from the Audi website login. I couldn't find out yet where the JWT token comes from:

Entering email:

Summary
URL: https://identity.vwgroup.io/signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/identifier
URL: https://identity.vwgroup.io/signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/authenticate?relayState=a80d15d83806832e7156ae0148a32e00ba12a0cc&email=cpuidle%40gmx.de
Status: 200 OK
Source: Network
Address: 127.0.0.1:9000

Request
GET /signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/identifier
Referer: https://identity.vwgroup.io/signin-service/v1/signin/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com?relayState=a80d15d83806832e7156ae0148a32e00ba12a0cc
Origin: https://identity.vwgroup.io
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15

Redirect Response
303 See Other
Pragma: no-cache
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Location: /signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/authenticate?relayState=a80d15d83806832e7156ae0148a32e00ba12a0cc&email=cpuidle%40gmx.de
Date: Wed, 02 Sep 2020 06:55:50 GMT

Request
POST /signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/authenticate HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: https://identity.vwgroup.io
Cookie: SESSION=ZmNlM2Y0NjctMGEyZS00MzQxLWEwZWMtYTkyNzUyZTVkNDI4; vcap_journey=54dd3294-02ae-46e2-a010-7ddfbc5546cf
Accept-Encoding: gzip, deflate, br
Host: identity.vwgroup.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept-Language: en-us
Referer: https://identity.vwgroup.io/signin-service/v1/signin/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com?relayState=a80d15d83806832e7156ae0148a32e00ba12a0cc
Connection: keep-alive

Response
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Content-Language: de-DE
Expires: 0
Transfer-Encoding: Identity
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Date: Wed, 02 Sep 2020 06:55:50 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Vcap-Request-Id: 74bd32a9-0610-43f0-7d9f-9fcbf3db4f39
Strict-Transport-Security: max-age=31536000 ; includeSubDomains

Query String Parameters
relayState: a80d15d83806832e7156ae0148a32e00ba12a0cc
email: XXX

Request Data
MIME Type
Request Data: 

Entering password:

Summary
URL: https://userinfo.my.audi.com/login/redirect?state=PlbQXPCWHcDi7ruQatoVRCVnG3c&code=eyJraWQiOiJkMzg2NWIxNzMwZDliMmQzIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiI0MTg3ODJjMS1lZGM5LTQ0ZWQtODg5ZC05MjA3ODJjMDA3NjQiLCJhdWQiOiJjN2MxNWU3Zi0xMzVjLTRiZDMtOTg3NS02MzgzODYxNjUwOWZAYXBwc192dy1kaWxhYl9jb20iLCJhY3IiOiJodHRwczpcL1wvaWRlbnRpdHkudndncm91cC5pb1wvYXNzdXJhbmNlXC9sb2EtMiIsInNjcCI6Im9wZW5pZCBwcm9maWxlIGFkZHJlc3MgYmlydGhkYXRlIGJpcnRocGxhY2UgcGhvbmUgYmFkZ2UgdmluIG5hdGlvbmFsSWRlbnRpZmllciBuYXRpb25hbGl0eSBwcm9mZXNzaW9uIiwiYWF0IjoiaWRlbnRpdHlraXQiLCJpc3MiOiJodHRwczpcL1wvaWRlbnRpdHkudndncm91cC5pbyIsImp0dCI6ImF1dGhvcml6YXRpb25fY29kZSIsImV4cCI6MTU5OTAyOTcyNiwiaWF0IjoxNTk5MDI5NDI2LCJub25jZSI6IktvYklEN1VLZWd2eTlQbDc5VzItY0JCSERXaGFleHFrb2sweGNycTU0UEEiLCJqdGkiOiIxZjIzYzc5MC02MDJiLTQwMDMtODU4Mi05ZDc4MDg3YzY1MzUifQ.dwxfbBb7nIc8B47Fn3-B_TwtWqLXp3V1daUwGHTDAAlD3Fk3QGDPLyZ824N1ZXsBfEXiyibkot6YYE29YvToRtwbOrvYY8n9_8_mvumDm986m-oScLOH43mB1VdCLZ62ZrQmOOpHAHORerESFCehIVnL3yMLFfe78Ts2afmMIAmqe11uHu0o9t6KpcgH2hUWhRHCX-P7IJJNoTTRDpo0eceai2yVhcxCDoCNaXlnVzf3kbD-bZmPjj8fcgg1A8jJkzIDqW1SXu0VXnqRRMK8LgfbFvew9P9VQ7DTBb_pMsY3XJFuuGwex96Iiy2udtzSVDWh-5FxZ6dUqS9Iyvgb_ykLM1hipRlFgXKk9rCQo5HJWGExfy6abeGvAKodHPSyqZd8bJN6Cw6i0jv3-l-9NL9tXKOllebdE8xbLOwZlF1cs9DWRvnX7zX7trT9umjrZ8H6oD0iNmkazD5tAwhdbtk2J9bpRwHc5cKENbz9rOl0j39VovYbrFjQuuwe88Wwvt7z3O5jPKpXQ_QlhJdjKrCQ3TNaSF-wQs058FUpnLJiU4e4LKpHLWJUuobXeZBiI_TamKcJ8A5ppon_V8HFyg1lV_vCK-yxDWlNJytBXifLgQH22kADKI6V0zjaixuZFgSeuJNpkv7cWhGUxcZ3mYPRuD41Sj1DlbORPcRT7sQ
URL: https://userinfo.my.audi.com/login/idk?ui_locales=de-DE
URL: https://my.audi.com/
Status: 200 OK
Source: Network
Address: 127.0.0.1:9000

Request
GET /login/redirect
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Referer: https://identity.vwgroup.io/
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15

Redirect Response
302 Moved Temporarily
Location: https://userinfo.my.audi.com:443/login/idk?ui_locales=de-DE
Date: Wed, 02 Sep 2020 06:50:27 GMT
Vary: x-forwarded-host, Accept-Encoding

Request
GET /login/idk
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Referer: https://identity.vwgroup.io/
Accept-Encoding: gzip, deflate, br

Redirect Response
302 Moved Temporarily
Location: https://my.audi.com/
Date: Wed, 02 Sep 2020 06:50:27 GMT
Vary: x-forwarded-host, Accept-Encoding

Request
GET / HTTP/1.1
Cookie: mod_auth_openidc_session_live=037d50e1-caeb-4a2b-be72-feb903662a52; _ens_perf=W10=; _ens_prev=eyJlVmFyNSI6ImxhbmRpbmdwYWdlfG5vIGxldmVsfG5vIGxldmVsfG5vIGxldmVsIiwiZVZhcjM3IjoibGFuZGluZ3BhZ2UiLCJlVmFyODkiOiJsYW5kaW5ncGFnZSIsInBhZ2VVUkwiOiJodHRwczovL215LmF1ZGkuY29tLyJ9; _ens_sid=azgyNnRrV1k3TER4; _ens_vn=eyJjYSI6Im15QXVkaSAyLjAiLCJjcyI6Im15QXVkaSAyLjAiLCJpZCI6ImszbmN0bUlHMWZ4biIsInBhIjoibm9uZSIsInBzIjoibm9uZSIsImx1IjoxNTk5MDI5NDE0NDE3LCJvbGQiOnRydWUsImFwcHMiOnsibXlBdWRpIDIuMCI6eyJlcCI6ImxhbmRpbmdwYWdlIiwidm4iOjMsImx2IjoyMSwiaWQiOiJrODI2dGtXWTdMRHgiLCJsdSI6MTU5OTAyOTQxMTA3OH19LCJzaXRlcyI6eyJteUF1ZGkgMi4wIjp7ImVwIjoibGFuZGluZ3BhZ2UiLCJ2biI6MywibHYiOjIxLCJpZCI6Ims4MjZ0a1dZN0xEeCIsImx1IjoxNTk5MDI5NDExMDc4fX19; AMCV_097B467352782F130A490D45%40AdobeOrg=1585540135%7CMCIDTS%7C18508%7CMCMID%7C49925485180746582551935600341652537949%7CMCAAMLH-1599634210%7C6%7CMCAAMB-1599634210%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1599036610s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C4.4.0%7CMCSYNCSOP%7C411-18272; s_cc=true; s_ecid=MCMID%7C49925485180746582551935600341652537949; AMCVS_097B467352782F130A490D45%40AdobeOrg=1; myaudi-csrf-token=9279a434-6f2f-477c-b1d7-c007b05b8b52; myaudi-teaser-hide-destination-inject=true; myaudi-session-data={}; myaudi-locale=de-DE; myaudi-cookie-policy=accepted
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Host: my.audi.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept-Language: en-us
Referer: https://identity.vwgroup.io/
Connection: keep-alive

Response
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://pre-myaudi-service-appointment.audi.com,https://pre-myaudi-service-appointment1.audi.com
Content-Type: text/html;charset=utf-8
Content-Security-Policy: frame-ancestors 'none'
Content-Encoding: gzip
Set-Cookie: SMSESSION=eyJraWQiOiJkMzg2NWIxNzMwZDliMmQzIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiI0MTg3ODJjMS1lZGM5LTQ0ZWQtODg5ZC05MjA3ODJjMDA3NjQiLCJhdWQiOiJjN2MxNWU3Zi0xMzVjLTRiZDMtOTg3NS02MzgzODYxNjUwOWZAYXBwc192dy1kaWxhYl9jb20iLCJzY3AiOiJvcGVuaWQgcHJvZmlsZSBhZGRyZXNzIGJpcnRoZGF0ZSBiaXJ0aHBsYWNlIHBob25lIGJhZGdlIHZpbiBuYXRpb25hbElkZW50aWZpZXIgbmF0aW9uYWxpdHkgcHJvZmVzc2lvbiIsImFhdCI6ImlkZW50aXR5a2l0IiwiaXNzIjoiaHR0cHM6XC9cL2lkZW50aXR5LnZ3Z3JvdXAuaW8iLCJqdHQiOiJhY2Nlc3NfdG9rZW4iLCJleHAiOjE1OTkwMzMwMjcsImlhdCI6MTU5OTAyOTQyNywibGVlIjpbIkFVREkiXSwianRpIjoiYmMyNmUzNDMtMDgwYi00YzI1LTk0NzktOTM2OTMyYmMyY2U5In0.C72ThS-1I8uRzlmcHA8pGHHihcVyMzm3e0Ro5AwHXsAUmr_m0YyAiDnfARExKBfH9XCLSA1bb8zz0aZ09AYaZxdP8XnOqL8gzZIyf9GJBuKPjNJG_j9uGvw6BIHOucz35ka3nEbV8uODP2VNCZf29UeQX4o42WRu7i-Ck--zYoZsWPdu0h2lU70hpjAtjy8WgsSBteFTZhACYB8SwolYmfNAv8dk625Te7qlZop2wZL5AlfPqooH7kGf3382uEomS-jxcxXm_0W4DAM0n_AhuUcP5lV61GYGpwDDSyx1IXSKqL5a-PhEksWAnfTx4Kih0GKHyD-ekh32lfJHyWlPi5ZeNTW1Krk61qbAsLAK0nMEcdYP1x8s8vykwG5AekXheg6JOl2UQ41XM0jbVcqUXXkfVvL3uWQXGF1E7LsjxVAgvg_8FSKNxK7u2kwT6jrDnXVEzigSGDKOPcB8sIOg_S6fUFazBEkkG_LWeD0C54IO1TO8viHNrvnfM6ajC_-brHiXG2dqx-BGOPUCQYD-iwLK7AYDYElpVlF5oqKLQKqAbyOlY3t38t4eN1NzQfXYPzEDpD0suhx8oDc4dyyDqnzuRKqtEBw4-ODg-mZ3_WniY-iGOQUsnm_XHGFgF78sx2MbBQ09BgDQuddC6N0V4Cnk_NCKFdx9ZpXMziS2HNk; Domain=.audi.com; Path=/; HttpOnly; Secure
Set-Cookie: AKA_A2=A; expires=Wed, 02-Sep-2020 07:50:30 GMT; path=/; domain=audi.com; secure; HttpOnly
Transfer-Encoding: Identity
Link: <https://tms.audi.com>;rel="preconnect",<https://browser.my.audi.com>;rel="preconnect",<https://featureapps.audi.com>;rel="preconnect"
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Cache-Control: no-store, no-cache, must-revalidate
Date: Wed, 02 Sep 2020 06:50:30 GMT
Connection: keep-alive, Transfer-Encoding
ETag: W/"c4f5c-IM9BM4BfB/kRI1AK2b/3Gh7QR+Q"
Vary: Accept-Encoding
X-Frame-Options: deny
x-powered-by: Express
Server: Apache-Coyote/1.1
x-myaudi: m1
Strict-Transport-Security: max-age=31536000; includeSubDomains
x-envoy-upstream-service-time: 3196

I don't think this UI flow would help us much though.

[sandermvanvliet]

I’ve been banging my head against this with recompiling the APK after attempting to stub out the pinning in the okhttp client but so far no luck.

I did find the encrypted client Id and whatnot so I’ll be attempting to see if I can decrypt those

[andig]

@sandermvanvliet could you share client credentials, id and secret with cpuidle@gmx.de? I've also tried proxying the web application but no luck. It seems to use some type of embedded server component and does requests to localhost:port?

[sandermvanvliet]

Once I have them I'll share them.

As far as MTIM'ing goes, I've tried with Fiddler but it seems to be doing HTTP CONNECTs and I haven't been able to successfully intercept the verification checks.

[andersop91]

I've taken water over my head right here i believe. I've managed to recompile the app, and set up an proxy, but can't figure out the certificate issues. It's using pinned certificate? Doesn't manage to login with proxy in place. And I don't know enough about http traffic, jons, tokens and id's :-S
But it seems the login is completely the same in app and on website, though.

[andig]

But it seems the login is completely the same in app and on website, though.

Doh: I've cut the website login flow now and its a horrible endless chain of redirects.

1. redirect flow starting at GET https://userinfo.my.audi.com/login/idk?ui_locales=de-DE
2. login flow starting at POST https://identity.vwgroup.io/signin-service/v1/c7c15e7f-135c-4bd3-9875-63838616509f@apps_vw-dilab_com/login/identifier with the email. It is using _csrf, relayState and hmac - not sure where these are coming from?
3. the flow from 2. redirects to https://userinfo.my.audi.com/login/redirect?state which returns a jwt token
4. following the redirects returns another jwt token with unknown encoding:

{
  "alg": "dir",
  "enc": "A256GCM"
}

I'm stumped...

UPDATE Seems that A256GCM requires a shared key to decode (https://github.com/dvsekhvalnov/jose2go#verifying-decoding-and-decompressing-tokens).

[sandermvanvliet]

I've got a gist ready that can decrypt the values out of smali\de\audi\onetouch\backend\Secrets.smali.smali (after unpacking with apktool), you can find it here: https://gist.github.com/sandermvanvliet/1e5c0143d5a7272105030139e927811f

[andig]

@sandermvanvliet the keyBytes is from the source or one of the API responses?

[sandermvanvliet]

Nope that's from the decompiled sources.

[andig]

One of the (intermediate) keys I'm receiving looks like eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..UYVc-SIAHefJpf3E.h09S2MbP0_3HFa7NPmX4jrcuNr8R2avSKzI-. The .. looks strange for a jwt token?

[andig]

The actual content api seems to have changed to an ugly json-based query language:

POST https://userinfo.my.audi.com/bvh/v1

{
    "query": "\n    query ($id: String!, $country: String!, $language: String!, $requestId: String!) {\n      vehicleStatusReportWithWarnings (id: $id, country: $country, language: $language, requestId: $requestId){\n        vin\n
vehicleType\n        lastUpdated\n        engines {\n          type\n          range {\n            value\n            unit\n          }\n          filling {\n            value\n            unit\n          }\n          adBlueRange {\n
        value\n            unit\n          }\n          electric {\n            chargingState\n            chargingTime\n          }\n        }\n        totalRange {\n          value\n          unit\n        }\n        mileage {\n
  value\n          unit\n        }\n        oilLevel {\n          value\n          unit\n        }\n        service {\n          oilChange {\n            time {\n              value\n              unit\n            }\n           
distance {\n              value\n              unit\n            }\n          }\n          inspection {\n            time {\n              value\n              unit\n            }\n            distance {\n              value\n
  unit\n            }\n          }\n        }\n        messages {\n          key\n          value\n        }\n        vsrWarnings {\n          textId\n          pictureId\n          timestamp\n        }\n        stoWarnings {\n         
eventId\n          txtId\n          picId\n          criticality\n          timeOfOccurence\n        }\n      }\n    }\n  ",
    "variables": {
        "country": "DE",
        "id": "VmVo...",
        "language": "de",
        "requestId": "86931324"
    }
}

The id in this case is base64-encoded Vehicle:VIN

The request uses

x-myaudi-request-id:  47aa3eb9-...
x-csrf-token:         a698de7d-...

...but apparently no auth token.

[sandermvanvliet]

Supposedly the client id for the IDK endpoint should be NdeSOLIavPcLo520L1mg but doing a /token POST doesn't work yet...

[sandermvanvliet]

Ok it turns out that this is a key to a keychain in the app. Digging further

[sandermvanvliet]

Ok so I’ve finally gotten past the certificate pinning. I’ll trace the logon stuff tomorrow, I’m getting there 👍

[davidgiga1993]

Nice! Would you mind sharing the apk somewhere?

[sandermvanvliet]

I've created a postman collection that has the full authentication flow working. You can find it here

One thing I noticed is that at step 7 it sometimes already returns the callback URI for the app as myaudi:///, in that case continue with step 9 instead of 8.

I noticed that the authentication flow is pretty similar to the one on the myAudi website (should have known while looking at the IDKWebViewClient class in the decompiled sources but oh well...), the only difference is in the client id's and the callback URI.

Interestingly this matches the VW app really closely so that should make some other folks happy I think.

[andig]

Note: in step 2 the order or the query parameters seems to matter, so no way of doing this nicely :(.

[LionelJeans]

sorry people, ashes on my head!
because of the temporary incorrect retrieval of the azs token, i had built in an abort logic. For me, however, this means that the important mmb token is no longer called up.
changed that and now it's working again.

[LionelJeans]

hello everyone, me again.
something has actually changed in the audi login.
when calling up the login page https://identity.vwgroup.io/signin-service/v1/signin/... you previously received a form_tag with the action, csrf, relaystate and hmac.
the form_tag has been coming since 28.01. 12:44 no longer with.
instead you get a script_tag containing a "window._IDK" structure.
the structure looks like this:

window._IDK = {
templateModel: {"clientLegalEntityModel":{"clientId":"09b6c...dfa8c24da@apps_vw-dilab_com","clientAppName":"Audi Ecosystem","clientAppDisplayName":"myAudi App","legalEntityInfo":{"name":"Audi","shortName":"AUDI","productName":"Audi ID","theme":"audi","defaultLanguage":"de","termAndConditionsType":"DEFAULT","legalProperties":{"revokeDataContact":"","imprintText":"IMPRINT","countryOfJurisdiction":"DE"}},"imprintTextKey":"imprint.link.text"},"template":"loginAuthenticate","hmac":"6203..259295e","emailPasswordForm":{"email":"..","password":null},"error":null,"relayState":"da91ecad9c3...b3bf4d205c6","nextButtonDisabled":false,"enableNextButtonAfterSeconds":0,"postAction":"login/authenticate","identifierUrl":"login/identifier"},
currentLocale: 'en',
csrf_parameterName: '_csrf',
csrf_token: '718b...1ad'
};

hmac, crsf and relaystate are also included here.
it is questionable whether it is enough if you pull the fields out of the new structure and include them in the next call.
I won't be able to check that until next week.

[andig]

It is. The same fields are still used, its just that VW builds the page dynamically now.

[LionelJeans]

I've adjusted that now. but get a 404 error despite the same fields.

[LionelJeans]

go now. email was still missing in the form_data

[titiviking]

So what fix did you apply to make it work again?

[LionelJeans]

The form_tag containing the hidden input elements for _crsf, relaystate and hmac has been removed.
These values can now be found in a <script> tag as window._IDK variable, see structure above.
You are now looking for the <script> with the window._IDK, load the variable content as json and get the values. Everything else still fits.

[titiviking]

What about a code change?
I was looking into audi_services.py, but the method seem to be shared across multiple other functions. Hence I guess the changes aren't as straigth forward as the last onces...

If you have updated version of audi_services.py, it would be much appreciated if you can share it and/or create a PR so everyone can benefit from the update)

[LionelJeans]

I use my own implementation, but the change to services.py should look like this:
replace:
form_inputs = html.find_all("input", attrs={"type": "hidden"})
for form_input in form_inputs:

with:
_parsedFormHtmlStr = str(parsedFormHtml)
searchStartTag = 'window._IDK'
window_IDK = parsedFormHtmlStr[(parsedFormHtmlStr.index(searchStartTag) + len(searchStartTag)):].lstrip(' ').lstrip('=').lstrip(' ')
searchEndTag = ';'
window_IDK = window_IDK[:window_IDK.index(searchEndTag) + len(searchEndTag)]
window_IDK = window_IDK.replace("\r", '').replace("\n", '').replace("'", '"').replace(' ', '').replace('{', '{"').replace(',', ',"').replace(':', '":').replace('"":', '":').replace(',""', ',"').replace('{""', '{"')
json_inputs = json.loads(window_IDK)
form_data["csrf"] = json_inputs["csrf_token"]
form_data["relayState"] = json_inputs["templateModel"]["relayState"]
form_data["hmac"] = json_inputs["templateModel"]["hmac"]
form_data["email"] = json_inputs["templateModel"]["emailPasswordForm"]["email"]
postAction = json_inputs["templateModel"]["postAction"]
form_clientId = json_inputs["templateModel"]["clientLegalEntityModel"]["clientId"]

[LionelJeans]

hi, it's been a year again and how could it be otherwise, Audi has once again changed something in its login logic.

Since 12 o'clock today I've been getting the error message no healthy upstream - 503 when loading the clientid via https://mbboauth-1d.prd.ece.vwg-connect.com/mbbcoauth/mobile/register/v1.

can anyone else understand this?

[LionelJeans]

I just see the bigger problem is https://app-api.live-my.audi.com/azs/v1/token -> Unknown endpoint - 404
the url seems to be no longer valid which means that the azs-token (token with scope "fal") can no longer be retrieved.
does anyone know the current url?

[t0bias-r]

Currently, I can see a http 503 on Andoird and myAudi 4.13.0:
Url: https://mbboauth-1d.prd.ece.vwg-connect.com/mbbcoauth/mobile/register/v1
{ "error": "HttpServerErrorException", "error_description": "503 SERVICE_UNAVAILABLE" }

Same on my PC when I try to access Audi with the Python implemenation.

[andig]

Login process of evcc.io works fine. I'm not registering an additional id though.

[LionelJeans]

Currently, I can see a http 503 on Andoird and myAudi 4.13.0: Url: https://mbboauth-1d.prd.ece.vwg-connect.com/mbbcoauth/mobile/register/v1 { "error": "HttpServerErrorException", "error_description": "503 SERVICE_UNAVAILABLE" }

Same on my PC when I try to access Audi with the Python implemenation.

yes, exactly. but the clientid url is not the problem. the azs token url is no longer accessible:
https://app-api.live-my.audi.com/azs/v1/token

the url retrieves the access_token with scope: fal

[t0bias-r]

The code I'm using connects to these URLs and then there is an issue. The URL you mentioned is used at all:

1. https://content.app.my.audi.com/service/mobileapp/configurations/markets
2. https://content.app.my.audi.com/service/mobileapp/configurations/market/DE/de?v=4.13.0
3. https://idkproxy-service.apps.emea.vwapps.io/v1/emea/openid-configuration
4. https://identity.vwgroup.io/oidc/v1/authorize
5. https://identity.vwgroup.io/signin-service/v1/09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com/login/identifier
6. https://identity.vwgroup.io/signin-service/v1/09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com/login/authenticate
7. https://identity.vwgroup.io/oidc/v1/oauth/sso?clientId=
8. https://identity.vwgroup.io/signin-service/v1/consent/users/
9. https://identity.vwgroup.io/oidc/v1/oauth/client/callback/success?user_id=
10. https://idkproxy-service.apps.emea.vwapps.io/v1/emea/token
11. https://aazsproxy-service.apps.emea.vwapps.io/token
12. https://mbboauth-1d.prd.ece.vwg-connect.com/mbbcoauth/mobile/register/v1

[andig]

Similar for evcc- using aazsproxy.

[LionelJeans]

I don't need the urls 1 and 2.

url 3 is the configuration.

I know 4 to 9.
url 4 is used for login with user/pass.
5 - 9 are called dynamically because they are determined from the server response.

the url 10 used to be https://app-api.my.audi.com/myaudiappidk/v1/token, I no longer need it.

url 12 is for retrieving the clientid.

I loaded the tokens from url 11 https://aazsproxy-service.apps.emea.vwapps.io/token.
it would be interesting which token you use for vehicle data retrieval? There is no token with scope: "fal" in it.

Or how the basic logic works for you?

[LionelJeans]

Ids by tObias-r url list...

I tested. It works until the sso url is retrieved via authenticate url (Id 6) with user/pass.
sso url result is:
https://identity.vwgroup.io/oidc/v1/oauth/client/callback/success?user_id=f3cbf49b-5e5b-4808-b5b0-d1ad176d50b0&client_id=09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com&scopes=address%20profile%20badge%20birthdate%20birthplace%20nationalIdentifier%20nationality%20profession%20email%20vin%20phone%20nickname%20name%20picture%20mbb%20gallery%20openid&consentedScopes=address%20profile%20badge%20birthdate%20birthplace%20nationalIdentifier%20nationality%20profession%20email%20vin%20phone%20nickname%20name%20picture%20mbb%20gallery%20openid&relayState=932215163a4e1b28fea3e88e93ab6617a37985bb&hmac=5fd627dc2735bbc56433526587caa24564c7448916c5e4278a03889d19e13090

Then another call is started with the sso url (Id 7), which returns the consent url (Id 8).
And this call goes wrong and returns bad request (400).
Maybe the header and postdata were changed there again.

Do you have the header and post data that are given with the sso url (Id 7)?

The sso url result looks like the success callback url (Id 9) for the token retrieval.
What does your call for the callback url look like?

[t0bias-r]

Hi @LionelJeans
pls have a look here https://github.com/t0bias-r/audi_connect_ha and here https://github.com/arjenvrh/audi_connect_ha.
This integration is running fine with old config from Android app 4.9.2 and latest version 4.13.0.
You can use the test.py to debug and execute everything step-by-step. You could also add some printfs in request() function that is in audi_api.py to see the request and response data.

[LionelJeans]

OK thank you! I will look at it.

[t0bias-r]

Btw, I've created a PR that contains the latest secrets from app version 4.13.0.
Make sure you're using a valid secret.
PR: audiconnect/audi_connect_ha#163

[LionelJeans]

Ok great. Where can I find the homeassistant referenced in audi_account.py?

[LionelJeans]

Hello and Merry Christmas.
In the audi_services.py line 796 there is another bug when determining the revocation_endpoint. In the if test, revocation_endpoint must be in quotes. It is currently being checked whether the dict contains the url.

[LionelJeans]

Hello, now the audi_connect interface has an error in audi_services.py>login_request at the point "forward1 after pwd":
aiohttp.client_exceptions.InvalidURL: /signin-service/v1/09b6cbec-cd19-4589-82fd-363dfa8c24da@apps_vw-dilab_com/terms-and-conditions?relayState=b02cf1d591ed0857c7e972fb4f37013bb24c0e972fb4f37013bb24c0e972fb4f37013bb24c0e2d=updatedprivacyterms&updatedResidenceOfTrue&updatedResidenceofCountryOf...

in the response of the password hmac request, the host no longer seems to be returned.

[andig]

Are you sure it's not just updated ToS?

[LionelJeans]

For example, I am not seeing any new terms of use displayed in the myAudi app.
does the audi_connect login process work for you?

[LionelJeans]

where would the ToS be confirmed?

[LionelJeans]

ok, found it. Thanks.