[PHP] OAuth with MFA (+ Captcha Code) [Rewrite]

[keymakerfd]

UPDATE 30.04.2022:
Hi together,
i'm sorry, i was for many days off.
Yeah @benderl u are right, the last step is not longer needed.
I have now updated the script. Please try the new one.

Thank you
Best
Key

UPDATE 12.09.2021:
Hello all,
as you already know, Tesla has added a recaptcha to their login procedure. With this, unfortunately, automatic logins are no longer possible.
I have adapted the script, unfortunately it is not as user-friendly as before, but it is still possible to get the tokens and send commands to the Tesla vehicle.

I also solved the refresh problem. Now you can use the Bearer Refresh Token to renew the tokens again without problems (i hope 😂).

Please use the new example code from me from now on.

Please inform me if there are further problems or if something is not understandable.

Thank you
Best
Key

UPDATE 06.06.2021:
The Script is now updated with the solution from vercorsio (curl sslversion) and a bugfix from shaven ($cookie -> $cookies).
It's working now with Debian Buster (tested from my side). I'm very appreciate, thanks for your help! :-)
Info: Tesla has removed the Captcha-Code, i let it implemented for the future.

UPDATE 31.05.2021: (#362 (comment))
Please check my updated Script, this is working WITH the Captcha Request.
For testings, please create a directory "tmp" with write access for save the cookies.

PHP-Example-Script (12.09.2021):

<?php

$tesla_api_oauth2 = 'https://auth.tesla.com/oauth2/v3';
$tesla_api_redirect = 'https://auth.tesla.com/void/callback';
$tesla_api_owners = 'https://owner-api.teslamotors.com/oauth/token';
$tesla_api_code_vlc = 86;
$cid = "81527cff06843c8634fdc09e8ac0abefb46ac849f38fe1e431c2ef2106796384";
$cs = "c7257eb71a564034f9419ee651c7d0e5f7aa6bfbd18bafb5c5c033b093bb2fa3"; 
$user_agent = "Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148";
$cookie_file = __DIR__."/tmp/cookies.txt";

function tesla_connect($url, $returntransfer=1, $referer="", $http_header="", $post="", $need_header=0, $cookies="", $timeout = 10)
{
    global $cookie_file;

    if(!empty($post)) { $cpost = 1; } else { $cpost = 0; }
    if(is_array($http_header)) { $chheader = 1; } else { $chheader = 0; }

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, $returntransfer);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_HEADER, $need_header);
    curl_setopt($ch, CURLOPT_POST, $cpost);
    curl_setopt($ch, CURLOPT_FRESH_CONNECT, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
    curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_MAX_TLSv1_2);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

    if(!empty($referer)) { curl_setopt($ch, CURLOPT_REFERER, $referer); }

    if($chheader == 1) { curl_setopt($ch, CURLOPT_HTTPHEADER, $http_header); }

    if($cpost == 1) { curl_setopt($ch, CURLOPT_POSTFIELDS, $post); }
    
    if(!empty($cookies)) { curl_setopt($ch, CURLOPT_COOKIE, $cookies); }

    $response = curl_exec($ch);
    $header = curl_getinfo($ch);
    curl_close($ch);

    return array("response" => $response, "header" => $header);

}


function gen_challenge()
{
    global $tesla_api_code_vlc;

    $code_verifier = substr(hash('sha512', mt_rand()), 0, $tesla_api_code_vlc);
    $code_challenge = rtrim(strtr(base64_encode($code_verifier), '+/', '-_'), '='); 
    
    $state = rtrim(strtr(base64_encode(substr(hash('sha256', mt_rand()), 0, 12)), '+/', '-_'), '='); 

    return array("code_verifier" => $code_verifier, "code_challenge" => $code_challenge, "state" => $state);
}


function gen_url($code_challenge, $state)
{
    global $tesla_api_oauth2, $tesla_api_redirect;


    $datas = array(
          'audience' => '',
          'client_id' => 'ownerapi',
          'code_challenge' => $code_challenge,
          'code_challenge_method' => 'S256',
          'locale' => 'en-US',
          'prompt' => 'login',
          'redirect_uri' => $tesla_api_redirect,
          'response_type' => 'code',
          'scope' => 'openid email offline_access',
          'state' => $state
    );

    return $tesla_api_oauth2."/authorize?".http_build_query($datas);
}


function return_msg($code, $msg)
{
    return json_encode(array("success" => $code, "message" => $msg));
}


function login($weburl, $code_verifier, $code_challenge, $state)
{
    global $tesla_api_redirect, $user_agent, $tesla_api_oauth2, $cid, $cs, $tesla_api_owners;

    
    $code = explode('https://auth.tesla.com/void/callback?code=', $weburl);
    $code = explode("&", $code[1])[0];


    if(empty($code)) { return return_msg(0, "Something is wrong ... Code not exists"); }

    // Get the Bearer token
    $http_header = array('Content-Type: application/json', 'Accept: application/json', 'User-Agent: '.$user_agent);
    $post = json_encode(array("grant_type" => "authorization_code", "client_id" => "ownerapi", "code" => $code, "code_verifier" => $code_verifier, "redirect_uri" => $tesla_api_redirect));
    $response = tesla_connect($tesla_api_oauth2."/token", 1, "", $http_header, $post, 0);

    $token_res = json_decode($response["response"], true);
    $bearer_token = $token_res["access_token"];
    $refresh_token = $token_res["refresh_token"];

    if(empty($bearer_token)) { return return_msg(0, "Bearer Token issue"); }

    $tokens["bearer_token"] = $bearer_token;
    $tokens["bearer_refresh_token"] = $refresh_token;
    $return_message = json_encode($tokens);

    // Output
    return return_msg(1, $return_message);
}


function tesla_oauth2_refresh_token($bearer_refresh_token)
{
    global $tesla_api_oauth2, $tesla_api_redirect, $tesla_api_owners, $tesla_api_code_vlc, $cid, $cs;


    $brt = $bearer_refresh_token;

    // Get the Bearer token
    $http_header = array('Content-Type: application/json', 'Accept: application/json');
    $post = json_encode(array("grant_type" => "refresh_token", "client_id" => "ownerapi", "refresh_token" => $brt, "scope" => "openid email offline_access"));
    $response = tesla_connect($tesla_api_oauth2."/token", 1, "https://auth.tesla.com/", $http_header, $post, 0);


    $token_res = json_decode($response["response"], true);
    $bearer_token = $token_res["access_token"];
    $refresh_token = $token_res["refresh_token"];


    if(empty($bearer_token)) { return return_msg(0, "Bearer Refresh Token is not valid"); }

    $tokens["bearer_token"] = $bearer_token;
    $tokens["bearer_refresh_token"] = $refresh_token;
    $return_message = json_encode($tokens);

    // Output
    return return_msg(1, $return_message);

}



if($_POST["go"] == "login")
{
    echo login($_POST["weburl"], $_POST["code_verifier"], $_POST["code_challenge"], $_POST["state"]);
} else if ($_POST["go"] == "refresh")
{
    echo tesla_oauth2_refresh_token($_POST["token"]);
} else {

$challenge = gen_challenge();
$code_verifier = $challenge["code_verifier"];
$code_challenge = $challenge["code_challenge"];
$state = $challenge["state"];
$timestamp = time();

?>
<h3>First Login</h3>
<form method="post">
<input type="hidden" name="go" value="login">
<input type="hidden" name="code_verifier" value="<?php echo $code_verifier; ?>">
<input type="hidden" name="code_challenge" value="<?php echo $code_challenge; ?>">
<input type="hidden" name="state" value="<?php echo $state; ?>">
Unfortunately Tesla has installed a recaptcha, so the automatic login is no longer possible.<br>
Please read the individual steps well:<br><br>

Step 1: Please <strong><a href="#<?php echo $timestamp; ?>" onclick="teslaLogin();return false();">click here</a></strong> to log in to Tesla (A popup window will open, please allow popups).<br>
Step 2: Please enter your Tesla login data on the Tesla website.<br>
Step 3: If the login was successful, you will receive a <strong>Page not found</strong> information on the Tesla website. Copy the complete web address ( e.g. <strong><?php echo $tesla_api_redirect; ?>?code=.....&state=...&issuer=....</strong> )<br>
Step 4: Paste the copied web address here and press the <strong>Login</strong>-Button:<br>
<input type="text" name="weburl" size="100" required><input type="submit" value="Login"></form>

<hr>
<h3>Refresh Token</h3>
<form method="post">
<input type="hidden" name="go" value="refresh">
Please enter the Bearer Refresh-Token:<br>
<input name="token" size="100" required><input type="submit" value="Refresh">
</form>
<script>
function teslaLogin () {
    teslaLogin = window.open("<?php echo gen_url($code_challenge, $state);?>", "TeslaLogin", "width=600,height=400,status=yes,scrollbars=yes,resizable=yes");
    teslaLogin.focus();
}
</script>

<?php
}
?>

[ralfonso4]

PERFECT!
Your solution works for me (didnt test the refresh till now...)

As i sayed i am working on a WP-Plugin. Adapting your solution into my Plugin didnt work. I had to put your file outside of the WP-Environment -> then it works

THX a lot

Ralf

[keymakerfd]

Hi Ralf,

thank you for your feedback :-)
Unfortunately i don't know how WP-Plugins are working.
But it sounds good, that the script is working :-)
I testing from my side the refresh section, but in real environment and that can take the time. I don't want to force something with many trys.

Best
Key

[TuffyMouse]

Hi,
i got this as result:

HTTP/2 302 content-type: text/plain; charset=utf-8 content-length: 197 x-dns-prefetch-control: off x-frame-options: DENY strict-transport-security: max-age=15552000; includeSubDomains x-download-options: noopen x-content-type-options: nosniff x-xss-protection: 1; mode=block x-request-id: 1a0fc263-4534-4399-9dfa-a93de09257fe x-correlation-id: 1a0fc263-4534-4399-9dfa-a93de09257fe content-security-policy: connect-src 'self'; default-src 'none'; font-src 'self' data: fonts.gstatic.com; frame-src 'self' www.google.com www.recaptcha.net; img-src 'self' data:; script-src www.recaptcha.net 'self' 'nonce-4e8c8ceb96fbf3ff9412'; style-src 'unsafe-inline' 'self' location: https://auth.tesla.com/void/callback?code=443823f30e6c3de67e2234f43a2ace4491929bc394c84e8611970811a85d&state=NDY0NjgyMGY2ZTk4&issuer=https%3A%2F%2Fauth.tesla.com%2Foauth2%2Fv3 x-response-time: 94.581ms x-edgeconnect-midmile-rtt: 1 x-edgeconnect-origin-mex-latency: 242 originip: 209.133.79.56 date: Sun, 16 May 2021 06:16:15 GMT set-cookie: tesla-auth.sid=s%3AqjmT8oGuXfOtxnbEqe5x0NW_BQx4jaRr.sCvqIk55jgHI37AmPIwjzK0gEwqxtxY4eReosYWnYIo; Path=/; Expires=Wed, 19 May 2021 06:16:15 GMT; HttpOnly; Secure; SameSite=Lax origin_hostname: auth.tesla.com set-cookie: _abck=A48CB020DE3F9E851EE0BDC00B723E18~-1YAAQvF4OF//f/2F5AQAA7m3RcwWud7l6LO2SFJdmFHwTarr4tWqtn+G5BN5+qzRqsTu0pb8pInkMmbUVbzSGs1jWwRmf0jEJygHDSRC0BFD0f6pDGpMPR12YEph7mEzHRmmp1cTmJdAK34+rsUuGV1/6B4DdgJmv/0RQ/n3LFvI3H9GOyIA/rANDdtWtzB4vxD9NxSYnhm9acQp5CHFAm9ApvXxfYMZffwDtaVt57CkBaT/QCxKv6uZHZd2gLVE/1AOfGDNpfVIzS1iSSOKFirC/x5ZXFh9xDXRXP8y1DBgcnKlQXx5zp8s4tph+PiQUIfih7OinAfd62cG5o1IpQnNppfh/EgMVHPOxl707Ejob3V9txqZQwzJ7C3Eljwv/kcAG8Qu7R1/6pA==-1~-1~-1; Domain=.tesla.com; Path=/; Expires=Mon, 16 May 2022 06:16:15 GMT; Max-Age=31536000; Secure Found. Redirecting to https://auth.tesla.com/void/callback?code=443823f30e6c3de67e2234f43a2ace4491929bc394c84e8611970811a85d&state=NDY0NjgyMGY2ZTk4&issuer=https%3A%2F%2Fauth.tesla.com%2Foauth2%2Fv3{"success":0,"message":"Bearer Token issue"}

Best regards
TuffyMouse

[keymakerfd]

Hi TuffyMouse,

can you please copy & paste the script again? I have changed one small thing in the script.
But i think your issue is then not resolved.

Questions:

• What operating system are you running the script on?
• What for a PHP-Version is running?
• do you have testet with or without MFA?

But i think the issue is maybe in point one or two.
The problem only starts where he tries to get the Bearer Token.
Before everything goes through wonderfully.

Thank you
Best regards
Key

[TuffyMouse]

Hi Key,
i tested the script exactly as posted above.
The enivornment ist a Linux-System with php 8.0.3. (tested with MacOS with same result).
I didn't use MFA.

Best regards
TuffyMouse

[keymakerfd]

hmm..

can you please add:

var_dump($token_res);

here (last row)

$token_res = json_decode($response["response"], true);
$bearer_token = $token_res["access_token"];
$refresh_token = $token_res["refresh_token"];

if(empty($bearer_token)) { return return_msg(0, "Bearer Token issue"); var_dump($token_res);}

and post the results here, please. If you see any tokens, please replace it with XXX.

[TuffyMouse]

Hi,
first: i realy appreciate your help!!

That is not the line with the error.
The line with the error is (the one with "ob_get_clean()"):
if(empty($bearer_token)) { ob_get_clean(); var_dump($token_res); return return_msg(0, "Bearer Token issue"); }
The var_dump returns a NULL.

[keymakerfd]

Hi,

i have on my server installed 2 brand new vServers:

1. Debian 9, Apache2, PHP 8.0.5 = Working
2. Debian 10, Apache2, PHP 8.0.5 = Not Working

Crazy, why its working on Debian 9 and not on Debian 10?

I try to check why, but i need maybe few days

[TuffyMouse]

Yes, strange things are going on.
The Script works for me for a couple of days.
Suddendly is does not work. Without any changes.

Best regards
TuffyMouse

[keymakerfd]

Hey,

I have tried a few things to get it to work somehow, but unfortunately I can't find a way.
It's crazy that it worked for a few days with you, then no longer.
Interesting I find that from my side only on Buster does not run.

Sorry, unfortunately I can not suggest a solution for now :-(

[TuffyMouse]

Thank you.

[keymakerfd]

Hey all,

i have updated my script, see my main topic on the top.

If you want to test it, please copy & paste the updated script.

Its working now with the new Tesla Captcha-Code.

Please try and give me a feedback for any issues.

Knowing Issues:

• Refreshing the Bearer Token
  - Debian Buster is not creating the Bearer Token

[TuffyMouse]

Hi,
the same change i had tested ;-)
The error-message is:
{"success":0,"message":"Don't find the first MFA Device (if MFA needed, if not then is the Captcha Code wrong!"}

Best regards
Tuffymouse

[keymakerfd]

Hi,

thanks for the Error-Message.

I have updated the script again.
The issue is, i can not catch whether the captcha is wrong.
And very big problem is, that i can not test without mfa.

Please try again and post maybe the new error-message.

Thank you very much :-)

[TuffyMouse]

Hi,
now i get:
{"success":0,"message":"Bearer Token issue"}

Best regards
TuffyMouse

[keymakerfd]

Hi,

cool, thank you :-)

It's looks that is working from your side with the captcha code :-)

Now you have the typical issue from the top of the thread.
If it possible try "Debian 9" from your side?

Thank you
Best regards
Key

[TuffyMouse]

Hi,
no, unfortunately i can't user Debian 9.

Thank you
Best regards
TuffyMouse

[shaven]

keymakerfd this is awesome. I am so close to having this work. I am getting an error about the bearer token. When I dump the response of that call I get a 403 as the result code.

array(2) { ["response"]=> string(287) "
Access Denied
You don't have permission to access "http://auth.tesla.com/oauth2/v3/token" on this server.
Reference #18.66b72d17.1622923900.12265964 " ["header"]=> array(37) { ["url"]=> string(38) "https://auth.tesla.com/oauth2/v3/token" ["content_type"]=> string(9) "text/html" ["http_code"]=> int(403) ["header_size"]=> int(263) ["request_size"]=> int(1722) ["filetime"]=> int(-1) ["ssl_verify_result"]=> int(0) ["redirect_count"]=> int(0) ["total_time"]=> float(0.156113) ["namelookup_time"]=> float(0.002291) ["connect_time"]=> float(0.04263) ["pretransfer_time"]=> float(0.106957) ["size_upload"]=> float(291) ["size_download"]=> float(287) ["speed_download"]=> float(1839) ["speed_upload"]=> float(1865) ["download_content_length"]=> float(287) ["upload_content_length"]=> float(291) ["starttransfer_time"]=> float(0.106964) ["redirect_time"]=> float(0) ["redirect_url"]=> string(0) "" ["primary_ip"]=> string(14) "104.92.236.187" ["certinfo"]=> array(0) { } ["primary_port"]=> int(443) ["local_ip"]=> string(13) "192.168.73.35" ["local_port"]=> int(39608) ["http_version"]=> int(3) ["protocol"]=> int(2) ["ssl_verifyresult"]=> int(0) ["scheme"]=> string(5) "HTTPS" ["appconnect_time_us"]=> int(106636) ["connect_time_us"]=> int(42630) ["namelookup_time_us"]=> int(2291) ["pretransfer_time_us"]=> int(106957) ["redirect_time_us"]=> int(0) ["starttransfer_time_us"]=> int(106964) ["total_time_us"]=> int(156113) } }

I have verified that the mfa is valid and I am getting back a code. Not sure what is next.

Thank you for any help you can provide.

Stac...

[keymakerfd]

Hello @vercorsio, thank you for your feedback and help 😊
I try it tomorrow and if it pass then I update the Script with your Solution 😊

Many thanks 🙏

[shaven]

FYI I am modifying to work at commandline without captcha. I am getting an error about this line in the first function:

if(!empty($cookies)) { curl_setopt($ch, CURLOPT_COOKIE, $cookie); }

I think the $cookie variable should be $cookies based on the variable being passed in.

Stac...

[keymakerfd]

@shaven yes, you are right, it has to be called $ cookies. I'll update with tomorrow when I've tried a new variant.

no idea why I missed that 🤷‍♂️

Thank you 🙏

[shaven]

No worries, if I had a nickel for every mistyped variable.. I would be a rich rich man!!!

This is going to make it so much easier for me to create a class around this and setup all of the api calls so that I can fix my homekit implementation. Can't tell you how nice it is to just lift up my watch and say "Hey Siri, Turn on Tesla Climate"

Thank you again for your work on figuring this out.

Stac...

[keymakerfd]

FYI I am modifying to work at commandline without captcha. I am getting an error about this line in the first function:

if(!empty($cookies)) { curl_setopt($ch, CURLOPT_COOKIE, $cookie); }

I think the $cookie variable should be $cookies based on the variable being passed in.

Stac...

Commandline without captcha, i don't it is possible. Since Tesla integrated the Captcha i don't know it is possible to login.

No worries, if I had a nickel for every mistyped variable.. I would be a rich rich man!!!

This is going to make it so much easier for me to create a class around this and setup all of the api calls so that I can fix my homekit implementation. Can't tell you how nice it is to just lift up my watch and say "Hey Siri, Turn on Tesla Climate"

Thank you again for your work on figuring this out.

Stac...

I know what do you mean with Siri, it's really cool :-)

[keymakerfd]

Hello together,

@vercorsio thank you very much, it's working, i have it tested with Debian Buster and the issue is now resolved :-)
@shaven i have changed it from $cookie to $cookies, thank you! :-)

@TuffyMouse can you please copy & paste the updated script und test if it now working on your side?

I hope the most issues are resolved in the script ^^ :-)

[keymakerfd]

Ok, i see now, Tesla has now removed the Captcha - Code.
Funny, but i let the captcha implemented for maybe the future

[TuffyMouse]

Great work! It Works!

Best regards
TuffyMouse

[manuelpaulo]

Any idea on how to get a token with controls enabled? (this doesn't) Thanks.

[keymakerfd]

mmhh, you mean control your car (forward, backward, smart summon, etc...) ?

[manuelpaulo]

Yes. TeslaFi says this token doesn't work on controls, because it "doesn't have controls enabled". So I had to give them my Tesla user/pass for them to get a token with controls available. (otherwise it would be logs only). I only needed the stop charging command. Thanks.

[manuelpaulo]

Worked last week, failing now... {"success":0,"message":"Something is wrong ... Http Header is not 302"}

[keymakerfd]

according other topics is it maybe the issue that tesla changed the captcha to recaptcha. i check this at coming saturday.

[keymakerfd]

Hello all,

as you already know, Tesla has added a recaptcha to their login procedure. With this, unfortunately, automatic logins are no longer possible.
I have adapted the script, unfortunately it is not as user-friendly as before, but it is still possible to get the tokens and send commands to the Tesla vehicle.

I also solved the refresh problem. Now you can use the Bearer Refresh Token to renew the tokens again without problems (i hope 😂).

Please use the new example code from me from now on (see my Main Topic).

Please inform me if there are further problems or if something is not understandable.

Thank you 😊

[TuffyMouse]

Hi,
i just tested your code and it works. Great job!

Best regards
TuffyMouse

[keymakerfd]

Hi TuffyMouse,
i'm appreciate. thank you for your feedback :-)

[MakoShark2]

Having some problems here.
Not sure why the response is false... was waiting for an error message at least.
array(2) { ["response"]=> bool(false) ["header"]=> array(37) { ["url"]=> string(38) "https://auth.tesla.com/oauth2/v3/token" ["content_type"]=> NULL ["http_code"]=> int(0) ["header_size"]=> int(0) ["request_size"]=> int(0) ["filetime"]=> int(-1) ["ssl_verify_result"]=> int(20) ["redirect_count"]=> int(0) ["total_time"]=> float(0.027977) ["namelookup_time"]=> float(0.015778) ["connect_time"]=> float(0.021295) ["pretransfer_time"]=> float(0) ["size_upload"]=> float(0) ["size_download"]=> float(0) ["speed_download"]=> float(0) ["speed_upload"]=> float(0) ["download_content_length"]=> float(-1) ["upload_content_length"]=> float(-1) ["starttransfer_time"]=> float(0) ["redirect_time"]=> float(0) ["redirect_url"]=> string(0) "" ["primary_ip"]=> string(23) "2a02:26f0:7900:1af::700" ["certinfo"]=> array(0) { } ["primary_port"]=> int(443) ["local_ip"]=> string(38) "2001:8a0:65bc:cc00:2d4e:9b50:5cfb:7fab" ["local_port"]=> int(50923) ["http_version"]=> int(0) ["protocol"]=> int(2) ["ssl_verifyresult"]=> int(0) ["scheme"]=> string(5) "HTTPS" ["appconnect_time_us"]=> int(0) ["connect_time_us"]=> int(21295) ["namelookup_time_us"]=> int(15778) ["pretransfer_time_us"]=> int(0) ["redirect_time_us"]=> int(0) ["starttransfer_time_us"]=> int(0) ["total_time_us"]=> int(27977) } } {"success":0,"message":"Bearer Token issue"}

[keymakerfd]

Hi together,
i'm sorry, i was for many days off.
Yeah @benderl u are right, the last step is not longer needed.
I have now updated the script in the main topic. Please try the new one.

Thank you
Best
Key

[faekz0r]

Any idea why I might be running into this:
https://pastecode.io/s/rkbphtoy (changed code from original, but all else is same).

Used
if(empty($tokens['access_token'])) { $allVars = get_defined_vars(); print_r($allVars); debug_zval_dump($allVars) ;return return_msg(0, "Token issue"); } to get such output.

[user5518]

The Code from @benderl works for me. Thank you!

Based on this change, I have rewritten the tesla_oauth2_refresh_token function:

function tesla_oauth2_refresh_token($brt)
{
    global $tesla_api_oauth2, $tesla_api_redirect, $tesla_api_owners, $tesla_api_code_vlc, $cid, $cs;

    // Get the token
    $http_header = array('Content-Type: application/json', 'Accept: application/json');
    $post = json_encode(array("grant_type" => "refresh_token", "client_id" => "ownerapi", "refresh_token" => $brt, "scope" => "openid email offline_access"));
    $response = tesla_connect($tesla_api_oauth2."/token", 1, "https://auth.tesla.com/", $http_header, $post, 0);

    $tokens = json_decode($response["response"], true);

    if(empty($tokens['access_token'])) { return return_msg(0, "Token issue"); }

    $return_message = json_encode($tokens);

    // Output
    return return_msg(1, $return_message);

}

[user5518]

And is it correct, that the new refreshed token is only valid for 28800 seconds (= 8hours)?

[benderl]

Yes, that's right.

[faekz0r]

So during troubleshooting I tried to manually refresh the token by using the following:
curl -X POST https://auth.tesla.com/oauth2/v3/token -H '{"Content-Type: application/json","Accept: application/json"}' -d \ '{"grant_type":"refresh_token","client_id":"ownerapi","refresh_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXXX...","scope":"openid email offline_access"}'

But I am getting HTTP/2 403 (Access denied) as a response.
You don't have permission to access "http://auth.tesla.com/oauth2/v3/token" on this server.

Any ideas?