Published Volvo developer application #91

Open
DanielMalmgren opened this issue Feb 15, 2025 · 9 comments
@DanielMalmgren

Hi.
This isn't an issue, but a question, hope that's ok. I'm wondering, the fact that users of this integration need to create their own developer account, is that because you haven't succeeded getting your own application published? The reason I'm asking is because I did an application in the developers portal and tried to get it published. According to the info when publishing the review should take about three weeks but now five months have passed and it's still "Publication under review". And the contact email on the site ([email protected]) is a black hole, no mail to it ever gets answered.

@DanielMalmgren
Author

After reading your auth code, I'm really struggling to get my head around how you do the authentication... According to the docs (https://developer.volvocars.com/apis/docs/authorisation/) there are only two ways, the crappy test tokens that are valid for 30 minutes, or a "real" published application (which seems to be impossible in reality), but it looks to me you're doing a third undocumented method. Any chance you could explain your authentication flow?

@FireWizard52

Hello @DanielMalmgren

I'll take the freedom to respond to your question.

First, I'm not using this Volvo integration, nor do I use Home Assistant.
I have not used Linus Dietz' (Dielee) application either.
However, I do follow the different fora of HA and also OpenHAB.

I do use my own Node-RED application and push the values to Domoticz.
The first flows, I built about 4 years ago and I tried to get them published.
I never got any response from Volvo.
I deleted my account about 2 years ago and recreated it again. Result was no response.

This seems to be because of some "legal" issues. Obviously a "private person" is not considered by Volvo as a "legal entity".
Only a few developers have got an answer, but most do not get a response, as you also noted.
As far as I know, no one got the application published.

You suggested:

> but it looks to me you're doing a third undocumented method. Any chance you could explain your authentication flow?

Yes, you are right, all developers for all Home Automation's do use the same undocumented authorization method.
However, Thomas has obfuscated the method, so it is not clear to a reader how it is done.
In most applications it is visible in the code, but do not ask their developers to explain,
I hope you understand.

Something you should know is that the scopes are related to the authorization.
As developers cannot change that, they cannot use endpoints that have been made available recently by Volvo
or that are not in the existing scope.

More details, I cannot give you. Sorry for that.

Regards

@DanielMalmgren
Author

Thanks for the explanation! I suspected the case was something like this. Can't really understand why Volvo publicly publishes information about APIs that can't be used in practice without doing unsupported behind-the-scenes stuff. Or why they have a form for publishing applications that they then simply ignore. Or a contact mail that they also completely ignore. I mean, what I'm trying to do is simply communicate with my own car that I bought for my own money. What a farce...

I am using OpenHAB, don't really want to install HA just to talk to my car, so I guess I'll try to find any project that hasn't obfuscated things as well as this (which I totally understand why it's done). I guess though that this is something that can be broken at any time when someone at Volvo so decides...

(btw, I DO have my own little registered company. I wonder if it would make a difference if I registered a developer account affiliated with the company instead of with me as a private person?)

@thomasddn thomasddn added the question Further information is requested label Feb 16, 2025
@thomasddn
Owner

thomasddn commented Feb 16, 2025

Hi @DanielMalmgren

Like you experienced, there is a deafening silence when you try to contact Volvo or try to publish your application. On top of that, they indeed expect some kind of legal entity, terms & conditions, etc before even considering publishing your application. For open source projects like this, that is simply not possible. Basically what @FireWizard52 also explained.

This project uses the undocumented authorization flow, which uses 2FA. You'll get a code via email to confirm your login action. The main reason I obfuscated parts of this is because my initial repository got shut down by GitHub for having the authorization header value in the source code. So I host that value somewhere else and made sure to obfuscate the value in the hopes that it won't be detected by automated systems.

You can find all code to de-obfuscate the values in this repo. It is no secret. Or you can search GitHub with specific keywords to find how others have done it (without obfuscated values).

If Volvo pulls the authorization token, then it's over. Simple as that. You can try with your company, but know that you also need to have T&C and also need to explain why you need it. I hope you succeed! And maybe you can then share the authorization token so we have access to more endpoints. 🙏 Because new endpoints are not added to the current authorization token (like @FireWizard52 said).

The reasoning of why Volvo makes it public, but then also not really, is beyond my knowledge.

@lagge78

lagge78 commented Feb 17, 2025

> Thanks for the explanation! I suspected the case was something like this. Can't really understand why Volvo publicly publishes information about APIs that can't be used in practice without doing unsupported behind-the-scenes stuff. Or why they have a form for publishing applications that they then simply ignore. Or a contact mail that they also completely ignore. I mean, what I'm trying to do is simply communicate with my own car that I bought for my own money. What a farce...
>
> I am using OpenHAB, don't really want to install HA just to talk to my car, so I guess I'll try to find any project that hasn't obfuscated things as well as this (which I totally understand why it's done). I guess though that this is something that can be broken at any time when someone at Volvo so decides...
>
> (btw, I DO have my own little registered company. I wonder if it would make a difference if I registered a developer account affiliated with the company instead of with me as a private person?)

Hi @DanielMalmgren
Volvo has since the middle of January (according to their portal) released a new way to publish an application called Dynamic Client Registration (DCR), which allows developers to automatically create and register their apps without requiring manual approval. This means individuals can now publish apps without the previous wait times.

https://developer.volvocars.com/news/dynamic-app-publish/

Maybe that could help? Have you tested that process? I don't have the knowledge myself but maybe the community can figure it out :)

/F

@FireWizard52

Hello @DanielMalmgren

You wrote:

> I am using OpenHAB

In this case, I suggest you contact Nika Gerson Lohman on the OpenHAB forum.
He is a Volvo user and has, as far as I know, a working application. At some stage we had a discussion about the 2FA authorization and the scopes. I was not able to find that discussion anymore on GitHub. It looks like he had the same issue with a blocked GitHub repository as Thomas had.
Perhaps you will get a response from Volvo if you try to publish the application with a company name.

The fact that GitHub blocks repositories is the main reason that I did not publish my Node-RED flows yet.

@lagge78

I was not aware that Volvo has finally announced a more elegant way of publishing an application.
They mentioned it already 4 years ago, so I lost my belief in it.

I looked at it for some minutes and I could not discover new and interesting things. Perhaps you will receive a clientId and clientSecret immediately, but I also saw that the commands from your application to the car still require manual approval.

New applications also require PKCE and I have not implemented that yet.

So that is also a challenge.

I think it is a good idea that the community joins regarding this.

The advantages are obvious:

  1. New applications have to use PKCE and we can share the knowledge.
  2. More endpoints will be available, for the benefit of all users, as we can more easily publish our projects.
  3. No more blocking of GitHub repositories, because we do not have to publish "credentials".

For more contact, you may contact me on the Domoticz forum (FireWizard) or the Node-RED forum (FireWizard52)

Regards

@DanielMalmgren
Author

Yep, I've already connected with @nikagl, and with the help of his excellent code I have now got my OpenHAB connected to my Volvo. The only thing I personally really miss now is a way to start/stop charging, but since there doesn't seem to be any endpoint for that I guess I'll have to keep waiting.

I had completely missed the new way of publishing, maybe that's the reason why they actually haven't reviewed any publications, they've simply been waiting for this instead? Some kind of communication would have been nice though. Haven't got time looking at it yet, but if @FireWizard52 is correct in his findings it sounds like kinda a step forward and then a step back again...

I agree that we (hobby Volvo developers) need to join our forces, independent of our different HA platforms. If only to keep up with Volvo's API changes that they seem to silently sneak in to the documentation... Currently it feels we kidnapped @thomasddn's issue tracker for the purpose 😁

@thomasddn
Owner

Thank you everyone for your contributions regarding this topic! I don't mind to discuss it here. 😉 In fact, it would be nice if we could unite all (open source hobby project) developers facing this issue and get in direct contact with Volvo to discuss what the best way of working would be.

I've tried to publish a new API application on the Volvo Developer Portal and it was immediately published. However, there are still a few downsides:

  • You still need to fill in all the fields (T&C, redirect URL, etc)
  • You can enable all scopes, but for the scopes below manual approval is still required. Meaning we get to use some additional scopes (like target battery level), but we might lose a few. And those we might lose are more interesting than the ones we win I think. But let's see how soon they'll approve.
    • conve:climatization_start_stop
    • conve:engine_start_stop
    • conve:honk_flash
    • conve:lock
    • conve:unlock
  • Once an API application is created, you cannot modify any of the parameters entered during creation. If I made a mistake on the redirect URL or something, I cannot modify it. Meaning I need to create a new one, and again wait on the manual approval for the above scopes.

The authentication flow that the integration is currently using, where it all happens in the background except for the OTP, cannot be used anymore. It must work like any other OAuth system, i.e. you get redirected to the Volvo login page where you need to enter your credentials. This is an industry standard, but it means I need to find out how Home Assistant handles this.

The upside could be that users won't need to create a developer account anymore. But that would mean that I need to share my client ID, client secret and API key with everyone (including people copying from this project). I'm not sure if this is the way to go. I would like to know Volvo's opinion on this.

@FireWizard52

FireWizard52 commented Feb 18, 2025

Hello @thomasddn,

It is a nice suggestion to host this discussion, but we do not want to pollute your issue tracker.
If you want, you can move this discussion under discussions, instead of issues. That is a better place.

Nice that you tested it and that the project was immediately published.

How did you handle the PKCE requirement?

From the Volvo Developer site:

> For all new published applications, PKCE will be enforced. Read more here.

Or did you already implement that?

> Once an API application is created, you cannot modify any of the parameters entered during creation. If I made a mistake on the redirect URL or something, I cannot modify it. Meaning I need to create a new one, and again wait on the manual approval for the above scopes.

That also means, if an additional endpoint is made available by Volvo or an extra scope is added, we have to request a new publication.

I agree that what we gain with the new extra endpoints, we lose at the other end, as probably we will not get the scopes for the commands approved.
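
The PKCE requirement and redirect-based login discussed in this thread, sketched as an added example (not code from this project or from any participant): it follows RFC 7636 with the S256 method and checks `state` on the callback. The endpoint, client ID and redirect URI are placeholders and are assumptions, not Volvo's real values.

```python
import base64
import hashlib
import secrets
from hmac import compare_digest
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): not Volvo's real endpoint or credentials.
AUTHORIZE_URL = "https://auth.example.invalid/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://my-app.example.invalid/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(scope: str) -> tuple[str, dict]:
    """Return the URL to open in the browser and the secrets to keep locally."""
    # 32 random bytes give a 43-character verifier (RFC 7636 minimum length).
    session = {"state": secrets.token_urlsafe(16),
               "verifier": b64url(secrets.token_bytes(32))}
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["state"],
        "code_challenge": code_challenge(session["verifier"]),
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}", session


def finish_login(callback_url: str, session: dict) -> dict:
    """Validate the redirect and build the token request form fields."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in params:
        raise ValueError(params.get("error", ["missing code"])[0])
    # The verifier is sent only here, over TLS, to the token endpoint.
    return {"grant_type": "authorization_code", "code": params["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session["verifier"]}
```

The verifier never appears in the browser redirect, so an authorization code intercepted on its way back to the redirect URL cannot be exchanged for tokens without it.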
