Auth API is no longer providing a refresh token
Closed this issue · 19 comments
Per home-assistant/core#90870, the auth API is returning an access token, but not a refresh token; payloads look like this:
{
"access_token": "REDACTED",
"id_token": "REDACTED",
"scope": "openid email https://api.simplisafe.com/scopes/user:platform offline_access",
"expires_in": 3600,
"token_type": "Bearer"
}
I can confirm that the provided access token works (i.e., API calls with that token are successful).
Looks like it's the web app (whose basic structure we follow) that's been changed. It no longer provides a refresh token:
{
"access_token": "REDACTED",
"id_token": "REDACTED",
"scope": "openid profile email https://api.simplisafe.com/scopes/user:platform",
"expires_in": 3600,
"token_type": "Bearer"
}
...while the mobile app does:
{
"access_token": "REDACTED",
"refresh_token": "REDACTED",
"id_token": "REDACTED",
"scope": "openid email https://api.simplisafe.com/scopes/user:platform offline_access",
"expires_in": 3600,
"token_type": "Bearer"
}
(This makes sense: the concept of a refresh token on a web app seems a bit silly.)
So, we need to figure out how to emulate the mobile app instead of the web app.
Thus far, I've noticed that the auth URL has several new parameters—from what I can tell, we now need to provide:
- device (in my testing, the value was iPhone)
- device_id (in my testing, this was my device UUID; I'm guessing any UUID would work as long as it's consistent)
It also appears that the auth0Client JWT is different from what we had before: eyJ2ZXJzaW9uIjoiMi4zLjIiLCJuYW1lIjoiQXV0aDAuc3dpZnQiLCJlbnYiOnsic3dpZnQiOiI1LngiLCJpT1MiOiIxNi4zIn19
When I add device and device_id to the URL + change the auth0Client JWT, I do get a response with a refresh token. However, when I use that refresh token, the response doesn't contain a new refresh token:
{
"access_token": "REDACTED",
"id_token": "REDACTED",
"scope": "openid email https://api.simplisafe.com/scopes/user:platform offline_access",
"expires_in": 3600,
"token_type": "Bearer"
}
I'm going to wait until the access token expires, then see if this same refresh token still works.
I think they may have reverted the change? Suddenly working again. But yea, feels like it'll come back
(at least my plug-in but TBH I'm not positive we do things exactly the same)
@shamoon I'm unfortunately still seeing the same thing: the refresh token doesn't appear in the auth response payload without the changes described above. Are you using a refresh token, or does your plugin get a fresh auth token every time?
Ah darn, no you're right. Sorry I don't have a ton of bandwidth right this second, will try to circle back to it
After letting things sit for an hour, I used the existing refresh token, which worked—great, but unfortunately, we have no clue how long-lived that token is. The Auth0 documentation that explains the token_lifetime parameter isn't super encouraging:
The default refresh token expiration period, when Refresh Token Rotation is enabled, is 30 days (2,592,000 seconds). You can configure up to 1 year (31,557,600 seconds). The lifetime does not extend when tokens are rotated.
Unless we can figure out how to automatically get new refresh tokens, apps will need to go through the entire sign-in process every so often (30 days? 1 year?).
30 days (or more) is better than not at all 😵 I can't find anywhere online that says a definitive answer, my gut tells me the app token lasts longer than 30 days but obviously not sure.
Appreciate you digging into this.
Bummer!!!!!!!!!
I haven't had to login on my app in way more than 30 days. My assumption is that if we emulate the mobile app that we should get similar results?
@MickLC There's no way to know with certainty—SimpliSafe's API is unpublished, and they've refused to inform us of any details.
At any rate, after lots of hunting, I haven't found any other way to get a new refresh token when using the old one, so we may have to proceed with what we have.
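Added example (not code from this thread or from the integration): a small client-side token state machine that reflects what the comments above established. It builds the mobile-style authorize parameters (device and device_id, with the device_id kept constant), checks that offline_access was actually granted, keeps the existing refresh token when a refresh response omits a new one, and tracks a conservative 30-day bound from the quoted Auth0 default so the integration can prompt for a full sign-in before the token silently dies. The authorize endpoint and client_id are placeholders; the thread does not give them.

```python
from dataclasses import dataclass
from typing import Optional

# Placeholders: the thread names the parameters but not the endpoint or client_id.
AUTHORIZE_URL = "https://AUTH0_DOMAIN_PLACEHOLDER/authorize"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
# Scope seen in the mobile-app payload; offline_access is what yields a refresh token.
SCOPE = "openid email https://api.simplisafe.com/scopes/user:platform offline_access"
# Conservative bound from the quoted Auth0 docs: default rotated-refresh-token lifetime is 30 days.
REFRESH_TOKEN_LIFETIME = 30 * 24 * 3600


def build_authorize_params(device_id: str, device: str = "iPhone") -> dict:
    """Query params for the mobile-style authorize request; device_id must not change between runs."""
    return {"client_id": CLIENT_ID, "scope": SCOPE, "device": device, "device_id": device_id}


def has_offline_access(payload: dict) -> bool:
    """True when the server granted offline_access (the web-app flow above drops it)."""
    return "offline_access" in payload.get("scope", "").split()


@dataclass
class TokenState:
    access_token: str
    access_expires_at: float          # epoch seconds
    refresh_token: Optional[str]
    refresh_issued_at: Optional[float]  # when the refresh token we hold was first issued


def apply_token_response(state: Optional[TokenState], payload: dict, now: float) -> TokenState:
    """Merge a token-endpoint response into local state.
    If the response carries no refresh_token (as observed on refresh in the thread),
    rotation did not happen: keep the old token and its original issue time."""
    if "refresh_token" in payload:
        refresh, issued = payload["refresh_token"], now
    elif state is not None and state.refresh_token:
        refresh, issued = state.refresh_token, state.refresh_issued_at
    else:
        refresh, issued = None, None
    return TokenState(payload["access_token"], now + payload["expires_in"], refresh, issued)


def needs_full_login(state: TokenState, now: float) -> bool:
    """True when no refresh token is held or it has reached the conservative 30-day bound."""
    if not state.refresh_token or state.refresh_issued_at is None:
        return True
    return now >= state.refresh_issued_at + REFRESH_TOKEN_LIFETIME
```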
I'm not the best with this. What is the solution to try to fix it? If there is one. Thanks again for making this integration.
Sorry I am also not great with this - is the fix released as a version update that can be installed through HA?
I added this fix to Home Assistant in home-assistant/core#90896; it should be released as part of their 2023.4.1 release: home-assistant/core#90956
I filed a complaint with the Better Business Bureau, and at least got a response that they are looking into opening the API, but didn't get an answer on if they would do it. I would say, with the hundreds of users that are using the integration, it is at least a place to start to push them in the right direction.
Is there a way to update the integration prior to 2023.4.1 release?
Manually changing the lines in the api.py and auth.py which are listed in the pull request fixed this issue for me. Currently running 2023.4.0
Awesome work! Implementing the changes documented in the pull request fixed it.