Feature Request: Use Refresh Token #248
-
When authenticating via basic Authentication over OAuth2, the access token and refresh token are returned. Unfortunately I don't know anything about the BMW API. Is there a way to reengineer this? Edit:
Replies: 3 comments
-
@rikroe is the specialist for the authentication. As we don't use an official API I don't think your method is possible though.
-
I've tried using a standardized OAuth library before, but unfortunately didn't succeed. I do get your point in regard to storing your username/password credentials. However from what I understand of refresh tokens (not a security engineer here) it would only add security by obscurity. We quickly got some other implications coming up such as what are we going to do when a token actually expires? How to get a new one? How to incorporate that on cli? If I've got some time I might explore some options and basic tests here, but some additional support in the login topics would be welcome!
-
@rikroe That's a good point. Maybe I'll have a deeper look into that.
I've tried using a standardized OAuth library before, but unfortunately didn't succeed.
BMW has implemented some additional obscurity layers to its API, so it is not as easy as e.g. the GitHub OAuth flow.
I do get your point in regard to storing your username/password credentials. However from what I understand of refresh tokens (not a security engineer here) it would only add security by obscurity.
Refresh tokens are long lived and might not even expire when you change your account's password (depends on what BMW has implemented). They need to be stored at the same security level as username and password.
We quickly got some other implications coming up such as what are we goin…
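
One way a CLI could handle the questions raised in this thread (where to keep a refresh token, what to do when the access token expires), as an added example that is not code from this project. The `refresh` and `login` callables are hypothetical stand-ins for the unofficial BMW requests, which this page does not describe; the file layout and function names are assumptions.

```python
import json, os, stat, tempfile, time

SKEW = 60  # refresh this many seconds before the access token expires

def save_tokens(path, tokens):
    """Atomically write tokens to a file only the owner can access (0600)."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(tokens, fh)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def load_tokens(path):
    """Return stored tokens, None if absent; refuse group/world-accessible files."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by other users")
    with open(path) as fh:
        return json.load(fh)

def get_access_token(path, refresh, login, now=time.time):
    """Return a valid access token, refreshing or logging in again as needed.

    refresh(refresh_token) and login() are hypothetical caller-supplied
    functions returning {"access_token", "expires_in"[, "refresh_token"]};
    refresh raises PermissionError when the server rejects the refresh token.
    """
    tokens = load_tokens(path)
    if tokens and tokens["expires_at"] - SKEW > now():
        return tokens["access_token"]  # cached token is still valid
    try:
        if not tokens:
            raise PermissionError("no stored refresh token")
        reply = refresh(tokens["refresh_token"])
    except PermissionError:
        reply = login()  # expired or revoked: fall back to a full login
    save_tokens(path, {
        "access_token": reply["access_token"],
        # servers may rotate the refresh token or omit it from the reply
        "refresh_token": reply.get("refresh_token")
                         or (tokens or {}).get("refresh_token"),
        "expires_at": now() + reply["expires_in"],
    })
    return reply["access_token"]
```

The permission check only makes sense on POSIX systems; it reflects the point above that the token file deserves the same protection as the password itself.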