scaarup
Unilogin phased out, options?
It seems that unilogin is phased out for parents from September 2025.
Are there any ways to have this (and other custom Aula integrations) working after that? Perhaps periodically manually scraping a token or cookies from the NemID-logged-in Aula page?
The cookies from nemid has a max lifetime shorter than a day which means you would need to log in every day to make it work. The authentication could be reworked to work with the kids local login, altough it will be a pain.
Maybe this could be a way of trying the mitid way out https://github.com/Hundter/MitID-BrowserClient
Maybe this could be a way of trying the mitid way out https://github.com/Hundter/MitID-BrowserClient
Yeah could be worth a try.
The Aula app must be getting a token/cookie that's longer lived, off a single NemID login. But the sequence of API calls made for that might be harder to trace, depending on how hard it is to convince the app to give up its HTTPS secrets ;-)
I have created a mitid -> aula proof of concept now, that works, but it looks like the token needs to be renewed far too often. i will tinker around with trying to reissue the token with the mitid credentials silently, but i haven't had that work yet.
A simple implementation of the login that just pulls the aula profiles can be found here. Sorry for the AI slop :) https://github.com/mchrdk/MitID-BrowserClient/blob/main/login_flows/aula.py
The longest i have had a token be valid is 16 hours, and i don't have any way of renewing it without forcing a mitid approval flow.
The only way i can see this working is with the kids login.
One option would be to make it possible to add multiple instances of the integration, one for each child.
true, one of my kids are in kindergarden, they dont have access to the account, and the other one keeps changing the password :(
Any update on this - or wil the extension only work with kids login going forward?
I have another way of logging in I'm working on, but it is quite involved development wise. My plan is to give out more information on a months time or so.
if it is any help I managed to login to https://mitunilogin.stil.dk/ with my MitID and reset my kid's (kindergarden) password. After this I got to a point where the new password is defined as a pin. The pin is defined by symbols (like house, cop and more). From this I am able to find a actual pincode that is being sent as a http POST to the server. I tried to pus this into the HA integration but it did not work. URL was: https://idp.unilogin.dk/auth/realms/idp/login-actions/authenticate?session_code=x&execution=2ad4e05b-4fcb-4a26-8256-9d57a7f68f64&client_id=https%3A%2F%2Fbroker.unilogin.dk%2Fauth%2Frealms%2Fbroker&tab_id=DW0XsJuueeI
Does any of you know if this is because this pin login feature is new not implemented yet?
If this login type work it would solve my issue by getting the came/leave feature.
if it is any help I managed to login to https://mitunilogin.stil.dk/ with my MitID and reset my kid's (kindergarden) password. After this I got to a point where the new password is defined as a pin. The pin is defined by symbols (like house, cop and more). From this I am able to find a actual pincode that is being sent as a http POST to the server. I tried to pus this into the HA integration but it did not work. URL was: https://idp.unilogin.dk/auth/realms/idp/login-actions/authenticate?session_code=x&execution=2ad4e05b-4fcb-4a26-8256-9d57a7f68f64&client_id=https%3A%2F%2Fbroker.unilogin.dk%2Fauth%2Frealms%2Fbroker&tab_id=DW0XsJuueeI
Does any of you know if this is because this pin login feature is new not implemented yet?
If this login type work it would solve my issue by getting the came/leave feature.
never mind found out this feature does not give any information on the page (at least), so it might not have access to the informaiton about came/leave :(
I have another way of logging in I'm working on, but it is quite involved development wise. My plan is to give out more information on a months time or so.
Sounds interesting 👍 Any hints? I assume it is based on MitID somehow?
Yes, I have found other endpoints that takes in refresh tokens on the aula side, looks like we can use it to log in with mitid once and then request short term access tokens based on a long term refresh token. The endpoint is not used in the current web implementation for the website, but it works. my idea is to create an entirely separate python module that should offload all the login and just return a token and a function to update it.
ave found other endpoints that takes in refresh tokens on the aula side, looks like we can use it to log in with mitid once and then request short term access tokens based on a long term refresh token.
this seems like the right way to go with MitID. It is using a normal oauth pattern with the tokens, so the only thing we need to do is just use the refresh token somehow. I am not (currently) good at Python, so I cannot help, but I can help with reading the request and reponse packages :)
Yes, I have found other endpoints that takes in refresh tokens on the aula side, looks like we can use it to log in with mitid once and then request short term access tokens based on a long term refresh token. The endpoint is not used in the current web implementation for the website, but it works. my idea is to create an entirely separate python module that should offload all the login and just return a token and a function to update it.
Sounds awesome!
ave found other endpoints that takes in refresh tokens on the aula side, looks like we can use it to log in with mitid once and then request short term access tokens based on a long term refresh token.
this seems like the right way to go with MitID. It is using a normal oauth pattern with the tokens, so the only thing we need to do is just use the refresh token somehow. I am not (currently) good at Python, so I cannot help, but I can help with reading the request and reponse packages :)
@scaarup what's the next step? I finally have kids in folkeskole, and well, this sound just what we need at home haha.
ave found other endpoints that takes in refresh tokens on the aula side, looks like we can use it to log in with mitid once and then request short term access tokens based on a long term refresh token.
this seems like the right way to go with MitID. It is using a normal oauth pattern with the tokens, so the only thing we need to do is just use the refresh token somehow. I am not (currently) good at Python, so I cannot help, but I can help with reading the request and reponse packages :)
@scaarup what's the next step? I finally have kids in folkeskole, and well, this sound just what we need at home haha.
we are waiting to see what @mchrdk comes up with.
I have a working python module that can issue tokens now, but the way the endpoint needs to be called are different when using that way of authenticating. The module is pretty crude and bloated right now, and not ready for production.
Since this HA integration has a lot of traction, i don't feel its the best way forward just for me to just hack a solution together, and i would rather like to rewrite the script to be more robust.
If anyone wants to help out with integrating the new tokens into the HA integration, reach out and i will share the code with you, otherwise i will share it publicly in a couple of weeks when i have rewritten it to be less sloppy vibecode with proper error handling and documentation.
I'm not a native python developer, but I do have some time here and there, so feel free to send me some code you'd like to have reviewed and/or tested.
I have a working python module that can issue tokens now, but the way the endpoint needs to be called are different when using that way of authenticating. The module is pretty crude and bloated right now, and not ready for production.
Since this HA integration has a lot of traction, i don't feel its the best way forward just for me to just hack a solution together, and i would rather like to rewrite the script to be more robust.
If anyone wants to help out with integrating the new tokens into the HA integration, reach out and i will share the code with you, otherwise i will share it publicly in a couple of weeks when i have rewritten it to be less sloppy vibecode with proper error handling and documentation.
Sounds great! Please go ahead and share with me 👍
I have a working python module that can issue tokens now, but the way the endpoint needs to be called are different when using that way of authenticating. The module is pretty crude and bloated right now, and not ready for production.
Since this HA integration has a lot of traction, i don't feel its the best way forward just for me to just hack a solution together, and i would rather like to rewrite the script to be more robust.
If anyone wants to help out with integrating the new tokens into the HA integration, reach out and i will share the code with you, otherwise i will share it publicly in a couple of weeks when i have rewritten it to be less sloppy vibecode with proper error handling and documentation.
Share with me as well, i'll glady help.
@mchrdk i'm close to have a version working in a fork of this repo, with your reverse engineered MitID login code.. I'll push it tomorrow, but i managed to
- Integrate mitid login into this project, so when you install the Aula integration, it prompts you for your mitid "username" and will prompt your app and display a QR code that enables you to login through the app that then stores a refresh-token that used onwards or until it expires and can't be refreshed..
- Shown that data from my kids can be fetched into this HA plugin by using the auth metod..
I don't think it is stable at all, but it proved to be working now.
fyi @scaarup
@mchrdk i'm close to have a version working in a fork of this repo, with your reverse engineered MitID login code.. I'll push it tomorrow, but i managed to
- Integrate mitid login into this project, so when you install the Aula integration, it prompts you for your mitid "username" and will prompt your app and display a QR code that enables you to login through the app that then stores a refresh-token that used onwards or until it expires and can't be refreshed..
- Shown that data from my kids can be fetched into this HA plugin by using the auth metod..
I don't think it is stable at all, but it proved to be working now.
fyi @scaarup
That sounds awesome - great work! I'm looking forward to trying it out.
@Gudui sounds good, have you seen the re-implementation of the mitid code in the other branch? that code is a bit higher quality than my initial code
@mchrdk unfortunately no :( - I thought i checked for other branches, but must have missed it. I'll upload what i have, then you can assess for yourself, it's obviously still WIP
I have uploaded to my fork now, @mchrdk - we'll have to assess whether we should integrate your reimplementation (among other things)
https://github.com/Gudui/aula