FlickElectricApi
client secret - How did you discover this?
Hello,
The Client Secret, how did you get this exactly?
- client_id:
le37iwi3qctbduh39fvnpevt1m2uuvz
- client_secret:
ignwy9ztnst3azswww66y9vd9zt6qnt
I can see the Client ID in the packet sniffing, but I cannot find client secret anywhere.
My client ID was different from yours, so I don't know what the matching Client Secret is for mine.
I just used your ID and Secret and it seems to work, but what exactly are those 2 codes for, and should I be using yours or finding my own?
Can you explain how to find the Client Secret?
I have tried talking to the server without them, but it asks for the Secret. I have noticed the Android App uses a few other parameters instead, and has some sort of redirect URL too, which is another parameter.
Any help would be appreciated.
I can't remember exactly, but I believe they are issued the very first time your app talks to Flick's servers. If you wipe the data/cache for your Flick app, then start mitmproxy or other packet sniffer and sign back in to the app, you should get the data you need. Not using Flick any more so can't test locally, sorry.
Hmm. By 'app' are you referring to the Android Flick Electric app? Because your application in this repo already has them hardcoded, so I am unsure how you go about requesting the token without them in the first place. I will try with Android again and clear all the cache and data etc. for it, and see if I can get it to output the secret, but I have never seen the secret displayed, which is why I am struggling to understand how you got it in the first place. Cheers
I cleared cache and data and did it again.
POST /identity/oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 331
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G928I Build/NRD90M)
Host: api.flick.energy
Connection: Keep-Alive
Accept-Encoding: gzip
Then the following
code_verifier=szI4da3TaaRM0hqE1pjnlw11hwCrvBG0EApQOOaVF-bW6zdc3wGbO53584SVOVbFMk8UVEr3Gvl1LPQ4z11AZg&client_id=igex5x0k6z2xtki8xdyykta22adg0mr&redirect_uri=flickapp%3A%2F%2Fnz.co.flickelectric.androidapp&code=9yvHZVIsVCn1dKLthIEjhNjopv0aNBmJyZmLevVpSNiYw5KvQR7Hqpo9xt-YVppU12Ce7TWv1dxGTjgkCpQ8AA%3D%3D&grant_type=authorization_code

HTTP/1.1 200 OK
Date: Tue, 03 Jul 2018 01:00:54 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: AWSALB=KU/n/EwsdntRY352ImeXoMkpDhBckMG2UiBAdBXWXojIHGcVgDd4pAfztG72q/WMY9LcuiORAXS2uayFxjl1RZTstoTX3oMMG+3qFNEGZaWYSphHpOCfZAct4HU0; Expires=Tue, 10 Jul 2018 01:00:54 GMT; Path=/
Server: nginx/1.4.6 (Ubuntu)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Request-Id: 0A0001C8886C_0A0003EC0050_5B3ACAC6_55538360FE8
X-Amzn-Trace-Id: Root=1-5b3acac6-e048e5e4744e824a287326d2
X-Service: identity
ETag: W/"6ca600f3acbf764d1d461a3001d908e9"
Cache-Control: max-age=0, private, must-revalidate
X-Runtime: 0.056019
Vary: Origin
Strict-Transport-Security: max-age=15811200;
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Headers: Accept, Accept-Charset, Accept-Encoding, Authorization, Content-Length, Content-MD5, Content-Type, Host, If-Modified-Since, Origin, User-Agent
Access-Control-Max-Age: 60
Access-Control-Expose-Headers: Content-Disposition, Content-Encoding, Content-Length, Content-Location, Content-Range, Date, ETag, Location, Strict-Transport-Security, Transfer-Encoding
Then the token etc comes in
285
{"access_token":"2zisw0l1uqqzbdw14f69ezj6kfrv3p7","expires_in":5184000,"id_token":"eyJhbGciOiJSUzUxMiJ9.eyJpc3MiOiJodHRwczovL2lkLmZsaWNrLmVuZXJneSIsInN1YiI6IjRhNDU0MTUxLTc5Y2QtNDgxYi05Mjk3LWUzZjdkMzM0MWNjMSIsImF1ZCI6MjAsImV4cCI6MTUzNTI2MTQzMiwiYW1yIjpbXSwiaWF0IjoxNTI5OTkxMDMyfQ.ecGydBAI6LGBId3ASg12B128RyCM6zZ77gGpnU6LacMw1CHGUD0plswyUGsjNBXOIc3300eK1K1wNIQi-N1hKBC7clVWoeYsYZK8JRNszvhKvIdQPdA6o-fqD2B6NK7TM5He0GoMkqspgEY3qiVGz7TMzpAUIkJlcAsfhFRdt3xUh7FB3N648Xa18n9Zresd8ZJDd_En4_yq93YTXm-71GDGKckuJjXxApmxm2q2l7afseHMOh4M8WKvqwLmGOW-Nl2-8j8cihNZfv1WJOMPdQSuSepyIzC6K0qaC6N3QEo6vXT7ewQpwT276vkNSrF57FyBRG8_1XbaN16T36fzHA","token_type":"bearer"}
0
So I can see the client_id come in the 2nd lot of data:
client_id=igex5x0k6z2xtki8xdyykta22adg0mr
But nowhere can I see the client_secret. Is this what it was actually called, or what you just named it?
I can see an 'access_token' as part of the reply with the id_token data, which is of the right length, however is that it? You don't allude to that being it in your write-up.
access_token":"2zisw0l1uqqzbdw14f69ezj6kfrv3p7"
I know you are not using it anymore, which makes this hard, but if you can help in any way that would be appreciated. I am using your client_id and client_secret you posted, and that is working fine, but the question I have is why is it working fine, and how did you get them, because I just can't see what you got.
I tried using them, and it said I need to send the code_verifier key. So I did that, then it said you can't send the client_secret from the native app. So I removed the client_secret, and it then came back with an error saying something went wrong and if I am the developer then to check the logs.
So it seems the Flick App does things differently now. So what did you use exactly to sniff to get this information?
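An added example, not code from the FlickElectricApi project or from the Flick app, to make sense of the capture posted above. The request body is an OAuth 2.0 authorization_code exchange protected by PKCE (RFC 7636): the native app proves it started the login by sending the code_verifier whose SHA-256 hash it committed to earlier, so no client_secret is needed (and, as the following post reports, the server refuses one from the native client). The script below generates a verifier and its S256 challenge, checks the RFC 7636 Appendix B test vector, parses the captured body to show which flow it uses, and decodes the captured id_token's header and payload without verifying the signature. The captured body and id_token are copied from this thread as sample input; the endpoint is the one in the capture, nothing else is assumed.

```python
import base64
import hashlib
import json
import re
import secrets
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://api.flick.energy/identity/oauth/token"  # from the capture above

# Request body copied from the capture in this thread (the code and verifier
# in it are single-use and long expired; they serve only as sample input).
CAPTURED_BODY = (
    "code_verifier=szI4da3TaaRM0hqE1pjnlw11hwCrvBG0EApQOOaVF-bW6zdc3wGbO53584SVOVbFMk8UVEr3Gvl1LPQ4z11AZg"
    "&client_id=igex5x0k6z2xtki8xdyykta22adg0mr"
    "&redirect_uri=flickapp%3A%2F%2Fnz.co.flickelectric.androidapp"
    "&code=9yvHZVIsVCn1dKLthIEjhNjopv0aNBmJyZmLevVpSNiYw5KvQR7Hqpo9xt-YVppU12Ce7TWv1dxGTjgkCpQ8AA%3D%3D"
    "&grant_type=authorization_code"
)

# The id_token from the captured response, split at the dots for readability.
CAPTURED_ID_TOKEN = ".".join([
    "eyJhbGciOiJSUzUxMiJ9",
    "eyJpc3MiOiJodHRwczovL2lkLmZsaWNrLmVuZXJneSIsInN1YiI6IjRhNDU0MTUxLTc5Y2QtNDgxYi05Mjk3LWUzZjdkMzM0MWNjMSIsImF1ZCI6MjAsImV4cCI6MTUzNTI2MTQzMiwiYW1yIjpbXSwiaWF0IjoxNTI5OTkxMDMyfQ",
    "ecGydBAI6LGBId3ASg12B128RyCM6zZ77gGpnU6LacMw1CHGUD0plswyUGsjNBXOIc3300eK1K1wNIQi-N1hKBC7clVWoeYsYZK8JRNszvhKvIdQPdA6o-fqD2B6NK7TM5He0GoMkqspgEY3qiVGz7TMzpAUIkJlcAsfhFRdt3xUh7FB3N648Xa18n9Zresd8ZJDd_En4_yq93YTXm-71GDGKckuJjXxApmxm2q2l7afseHMOh4M8WKvqwLmGOW-Nl2-8j8cihNZfv1WJOMPdQSuSepyIzC6K0qaC6N3QEo6vXT7ewQpwT276vkNSrF57FyBRG8_1XbaN16T36fzHA",
])


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 and JWTs use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """RFC 7636 4.1: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes give 43 chars."""
    return b64url(secrets.token_bytes(32))


def verifier_is_valid(verifier: str) -> bool:
    """Length and character-set rule from RFC 7636 4.1."""
    return re.fullmatch(r"[A-Za-z0-9\-._~]{43,128}", verifier) is not None


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def parse_token_request(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def token_request_flow(params: dict) -> str:
    """Name the client type a captured token request implies."""
    if "code_verifier" in params and "client_secret" not in params:
        return "authorization_code with PKCE (public client, no secret)"
    if "client_secret" in params:
        return "confidential client (secret sent with the request)"
    return "authorization_code without PKCE or secret"


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> str:
    """Body a public (native) client sends: code_verifier in place of client_secret."""
    return urlencode({
        "code_verifier": verifier,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "grant_type": "authorization_code",
    })


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a JWT. The signature is NOT checked; inspection only."""
    header, payload, _signature = token.split(".")

    def segment(seg: str) -> dict:
        return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

    return segment(header), segment(payload)


if __name__ == "__main__":
    v = new_code_verifier()
    print("verifier:", v, "challenge:", code_challenge(v))
    params = parse_token_request(CAPTURED_BODY)
    print("captured flow:", token_request_flow(params))
    print("redirect_uri:", params["redirect_uri"])
    print("POST", TOKEN_ENDPOINT)
    print(build_token_request(params["client_id"], params["redirect_uri"], params["code"], v))
    hdr, claims = decode_jwt_unverified(CAPTURED_ID_TOKEN)
    print("id_token alg:", hdr["alg"], "claims:", claims)
```

The id_token claims (iss, sub, aud, exp, iat) are readable by anyone holding the token; decoding them tells you who the token was issued to and when it expires, but only a signature check against the issuer's RS512 public key tells you they are genuine. A client_secret that turns out to be the same for every user, as the last post in this thread reports for the old app, is an app credential baked into the APK rather than anything tied to an account; PKCE exists precisely because a native app cannot keep such a value secret.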
OK - figured it out. Installed the oldest version I could find, from Feb 2016, from here: https://apkpure.com/flick-electric-co/nz.co.flickelectric.androidapp
Packet sniffed that as I logged in, and it sends the client_id and client_secret.
FYI in case anyone is wondering.
Flick has told me that this is legacy now, so unsure if they will cut support for it, or if it will just continue working.
Turns out, they are the same as what @madleech provided anyway. Seems it's not specific to the user.