I try to set a auth cookie. The ui and the data server are under different subdomains. So I need to activate CORS.
services.AddCors(options => options.AddPolicy("SubdomainDefault", builder => builder
.WithOrigins("https://ui.domain.de")
.AllowCredentials()
.AllowAnyHeader()
.Build()
));
On the same subdomain the cookie is set, but with different subdomains it is visible in the headers, but not set.
Request URL: https://server2.domain.de/...
Request Method: POST
Status Code: 200 OK
Remote Address: X.X.X.X:443
Referrer Policy: strict-origin-when-cross-origin
Response Header
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://ui.domain.de
Content-Length: 1017
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Oct 2021 10:27:11 GMT
Server: Microsoft-IIS/8.5
Set-Cookie: auth=XXX; domain=.domain.de; path=/; secure; samesite=strict; httponly
Vary: Origin
X-Powered-By: ARR/3.0
Request Headers
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en;q=0.8,en-US;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 0
Host: server2.domain.de
Origin: https://ui.domain.de
Pragma: no-cache
Referer: https://ui.domain.de/
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Has anyone a idea?
Assuming your second request is actually a XMLHttpRequest you need to set the withCredentials flag, otherwise the cookies are not sent.
Here's an excerpt from https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials:
const invocation = new XMLHttpRequest();
const url = 'https://bar.other/resources/credentialed-content/';
function callOtherDomain() {
if (invocation) {
invocation.open('GET', url, true);
invocation.withCredentials = true;
invocation.onreadystatechange = handler;
invocation.send();
}
}
Related
Using Directus online (https://projectcode.directus.app install of local or server install). I can successfully create item but data I send is always null.
This is happening running my code
axios.post(
`${endpoint}/items/collection_name`,
{ data: { "field_name": "testthis" } },
{ headers: headers }
);
And using Postman. Result is always
date_created: "2022-05-05T13:55:47"
id: 14
field_name: null
I can get items, search and filter with no issue. What am I missing?
ETA: Postman works with graphql and query
mutation {
create_collection_name_item(data: { field_name: "Hello again!" }) {
field_name
}
}
So why is api getting null values?
ETA 2: Postman api headers
Request
Authorization: Bearer the_very_long_token
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Cache-Control: no-cache
Postman-Token: 45943ddb-5c60-4d45-8887-a05207f9469e
Host: k2g2xa7b.directus.app
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Response
Content-Type: application/json; charset=utf-8
Content-Length: 135
Connection: keep-alive
Date: Mon, 09 May 2022 14:04:54 GMT
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Content-Range
Cache-Control: no-cache
Content-Security-Policy: script-src 'self' 'unsafe-eval';worker-src 'self' blob:;child-src 'self' blob:;img-src 'self' data: blob: https://cdn.directus.io;media-src 'self' https://cdn.directus.io;connect-src 'self' https://*;default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline'
Etag: W/"87-n/ABsgX1O7F1qQ7x0xdJgMV7VDc"
Server: Caddy
Vary: Origin, Cache-Control
X-Powered-By: Directus
X-Cache: Miss from cloudfront
Via: 1.1 dcd16c430149132ea12a5783d54ff114.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: YTO50-P2
X-Amz-Cf-Id: Z19onMWqxvINuZ7iMQIJQeSRFrgW12a4gxZtcWPyubaWQCeaUnfLfA==
What headers do you provide? It seems that Content-Type is not determined automatically, so it may be as simple as including Content-Type: application/json in your headers.
in python:
import requests, json
token = 'your token'
headers = {
'Accept': 'application/json, text/plain, */*',
'Accept-Encoding': 'gzip, deflate, br',
'Accept-Language': 'en-US,en;q=0.5',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36',
'Content-Type': 'application/json',
'Authorization': f"Bearer {token}",
}
payload = [
{
"title" : "my first item",
}
]
r= requests.post(
url = "https://cms.uat.<your subdomain>.com/items/<your collection>",
data = json.dumps(payload),
headers = headers
)
print(r.json())
I am trying to log in to the pge.com website using Google Apps Scripts, with my username and password, so that I can retrieve my electricity consumption details. The need is similar to this thread
I have inspected network calls during login but I cannot figure out how my username and password are passed.
I can see two subsequent calls to the login service.
First request (doesn't seem to carry a payload):
**General**
Request URL: https://apigprd.cloud.pge.com/myaccount/v1/login?ts=1614544850626
Request Method: OPTIONS
Status Code: 200 OK
Remote Address: 130.19.47.120:443
Referrer Policy: strict-origin-when-cross-origin Response Headers
** Response Headers **
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Origin: https://www.pge.com
Content-Encoding: gzip
Content-Length: 59
Content-Type: text/plain;charset=UTF-8
Date: Sun, 28 Feb 2021 20:40:50 GMT
Set-Cookie: TS01ef76cb=015399e11<...>dc1f; Path=/; Domain=.apigprd.cloud.pge.com
X-Tracking-ID
X-Transaction-ID: 00000177b2ec4203-10baebc
** Request Headers **
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
Connection: keep-alive
Host: apigprd.cloud.pge.com
Origin: https://www.pge.com
Referer: https://www.pge.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
A subsequent request is then made:
** General **
Request URL: https://apigprd.cloud.pge.com/myaccount/v1/login?ts=1614544850626
Request Method: GET
Status Code: 200 OK
Remote Address: 130.19.47.120:443
Referrer Policy: strict-origin-when-cross-origin
** Response Headers **
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers
Access-Control-Allow-Origin: https://www.pge.com
Content-Encoding: gzip
Content-Length: 101
Content-Type: application/json;charset=UTF-8
Date: Sun, 28 Feb 2021 20:40:50 GMT
set-cookie: PF=cuLZ7Vh4y6keKdWEzXVaxD4kzuePT0wcOOyvxZ6V3u0K; Path=/; Domain=.cloud.pge.com; Secure; HttpOnly
set-cookie: PA.ToI.CustomerWeb=eyJhb<...>MifQ..8p6<...>iqw.1BewS--tpmP<...>3fo-rbtoh-<...>Egz-acEIN58H-dO<...>rWR-Q<...>w; Path=/; Domain=pge.com; Secure; HttpOnly
Set-Cookie: TS01ef76cb=015399e11<...>ec2d9; Path=/; Domain=.apigprd.cloud.pge.com
Set-Cookie: TS01d056a5=015399e11<...>2fc17; path=/; domain=pge.com
X-Tracking-ID
X-Transaction-ID: 0000017602681258-9359011
** Request Headers **
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Authorization: Basic bWFy<...>wc2U=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Cookie: optimizelyEndUserId=oeu1<...>2r0.2464<....>336; oo_inv_percent=0; _gcl_au=1.1.1250622131.1614535637; AMCVS_DF70BB6B55BA62677F000101%40AdobeOrg=1; s_cc=true; _ga=GA1.2.676<...>72.1614535638; _gid=GA1.2.127<...>54.1614535638; _fbp=fb.1.1614535638419.135544411; userLanguageSelected=English; com.silverpop.iMAWebCookie=654ee074-<...>-<...>-0784-4940b13c1dc8; CARE_LANG=English; BIGipServer~Prod~P-itiampingaccess.cloud.pge.com-pool=1796742666.54795.0000; com.silverpop.iMA.session=2764a7b2-1c77-<...>-<...>-b56816c03631; com.silverpop.iMA.page_visit=2144181430:; s_sq=%5B%5BB%5D%5D; PF=dyxdIf<...>wnCDfDTC4EeNVNzFtF3; care_hashed_acct_id=811067339<...>E559C253; PGE_EN=4nx9s6<...>NigxfgqMgNTc/Hs7mt6oL<...>M3oG2lGBv+FNpQhj4U1N8YVv<...>TEUP1x9NU5QJQPcImd/s3FVCFgLy<...>qhrhuv+HQ1J/OANiGah+0exaD2ScPRBd3MQ/+4EqtzOEbpsjjKDKN<...>qe+mOMjkjZ0otbEknx5I7Z1p8w/KxI0fvwT32RBc5U+92j6CxxIDoYwm3KlmCQ==; TS01d056a5=015399e11<...>e65810; TS01ef76cb=015399e11<...>73b336; ADRUM=s=1614544835448&r=https%3A%2F%2Fm.pge.com%2Findex.html%3F35; oo_OODynamicRewrite_weight=0; oo_inv_hit=3; AMCV_DF70BB6B55BA62677F000101%40AdobeOrg=-1303530583%7C<...>Bpb2zX5dvJdYQJzPXImdj0y%7CMCOPTOUT-1614552037s%7CNONE%7CMCAID%7CNONE%7CMCSYNCSOP%7C411-18694%7CvVersion%7C3.3.0; OptanonConsent=isIABGlobal=false&datestamp=Sun+Feb+28+2021+12%3A40%3A37+GMT-0800+(Pacific+Standard+Time)&version=6.1.0&consentId=749474e8-c692-470b-be09-77aa32646232&interactionCount=0&landingPath=NotLandingPage&groups=C0001%3A1%2CC0002%3A1%2CC0003%3A1%2CC0004%3A1%2CC0005%3A1&hosts=&legInt=&AwaitingReconsent=false; _dc_gtm_UA-64722139-1=1; _gat_UA-77056718-1=1; s_tp=2617; s_ppv=PG%2526E%252C%2520Pacific%2520Gas%2520and%2520Electric%2520-%2520Gas%2520and%2520power%2520company%2520for%2520California%2C35%2C35%2C914; s_plt=3.13; utag_main=v_id:0177e9d2<...>78001407000ac8$_sn:2$_ss:1$_st:1614546650462$vapi_domain:pge.com$dc_visit:8$_pn:1%3Bexp-session$ses_id:1614544836893%3Bexp-session$dc_event:2%3Bexp-session$dc_region:us-east-1%3Bexp-session
Host: apigprd.cloud.pge.com
Origin: https://www.pge.com
Referer: https://www.pge.com/
sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
How can I use the Google Apps Script to login?
PS I have tried the following:
function loginPge() {
var baseUrl = "https://apigprd.cloud.pge.com/myaccount/v1/login";
var now = Date.now();
var url = baseUrl + '?ts=' + now;
var payload =
{
"username" : "xxx",
"password" : "xxx",
};
var headers =
{
"Accept":"*/*",
"Accept-Encoding": "gzip, deflate, br",
"Accept-Language": "en-US,en;q=0.9",
"Access-Control-Request-Headers": "authorization",
"Access-Control-Request-Method": "GET",
"Connection": "keep-alive",
"Origin": "https://www.pge.com",
"Referer": "https://www.pge.com/",
"Sec-Fetch-Dest": "empty",
"Sec-Fetch-Mode": "cors",
"Sec-Fetch-Site": "same-site",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36"
};
var options =
{
"headers":headers,
"method" : "get",
"payload" : payload,
"followRedirects" : false
};
var login = UrlFetchApp.fetch(url, options);
return;
}
But I am getting an error message
Exception: Request failed for https://apigprd.cloud.pge.com returned
code 400. Truncated server response: {"user": "unknown",
"errorCode":"33"}
I am a little late, but maybe it helps someone else.
The username and password are sent in 'Authorization' header. I figured out the value for this header by inspecting the login page source where it appears as:
<set-header value="Basic base64($username:$password)" name="Authorization"></set-header>
Below is Python code to login and get user details:
import requests
import base64
username = 'test'
password = 'test'
session = requests.Session()
auth = ':'.join([username, password]).encode('utf8')
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': 'Basic {}'.format(
base64.b64encode(auth).decode('utf8')
),
'Origin': 'https://www.pge.com',
'Connection': 'keep-alive',
'Referer': 'https://www.pge.com/',
}
resp = session.get(
'https://apigprd.cloud.pge.com/myaccount/v1/login',
headers=headers
)
print(resp.json()) # get the json response
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'Accept-Language': 'en-US,en;q=0.5',
'Content-Type': 'application/json',
'X-RAS-API-USERKEY': 'pgecocmobile',
'cocGUID': 'null',
'Origin': 'https://m.pge.com',
'Connection': 'keep-alive',
'Referer': 'https://m.pge.com/',
}
params = (
('userId', username),
)
resp = session.get(
'https://apigprd.cloud.pge.com/myaccount/v1/cocaccount/secure/account/retrieveMyEnergyAccounts',
params=params, headers=headers
)
print(resp.json()) # get the json response with acc details
I have an API call on my front end application that uses Axios to make a PUT request. This works from postman but in the browser I get the 415 error. Here are the browser headers:
General
Request URL: api.example.com/foo
Request Method: OPTIONS
Status Code: 415 Unsupported Media Type
Remote Address: ip.address:443
Referrer Policy: no-referrer-when-downgrade
Response Headers
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD, OPTIONS
Access-Control-Allow-Origin: *
Content-Length: 175
Content-Type: application/problem+json; charset=utf-8
Date: Mon, 13 Jan 2020 20:03:06 GMT
Request-Context: appId=guid
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=2592000
X-Powered-By: ASP.NET
Request Headers
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: PUT
Cache-Control: no-cache
Connection: keep-alive
Host: api.example.com
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/extension
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
My request looks like this:
const url = 'https://api.example.com/foo';
const headers = {
'Content-Type': 'application/json; charset=UTF-8'
};
const data = JSON.stringify([{"name": "SomeName","date": "2020-01-30T14:50:56.636Z"}]);
axios.put(
url,
data,
{headers: headers}
)
.then(res => {
console.log(res);
})
.catch((e) => {
console.log(e);
});
My API is a .net core application. Thank you friends!
I figured out the problem; in the API, the options handlers had some parameters (since I copy pasta'd the PUT request for options) and the browser wasn't sending the parameters in the preflight check, so I was getting 415. Once I removed the parameters, it worked fine!
I want process a POST request with axios in a vuejs project, but axios never send correct csrf cookie. My vuejs project run in dev mode on port 8080, my server (Spring Boot) on port 9090. I set correct CORS filter for localhost:8080 and 127.0.0.1:8080, OPTIONS is accepted, but I get a 403 error on my POST.
Here my code :
axios.post("http://127.0.0.1:9090/api/security/authenticate",
this.form,
{
withCredentials: true,
xsrfCookieName: 'XSRF-TOKEN',
xsrfHeaderName: 'X-XSRF-TOKEN'
}
).then((response) => {
console.log("Data: " + response.data);
}).catch((error) => {
console.log("post error: " + error);
});
And here the result of my OPTIONS request on chromium :
GENERAL:
Request URL: http://127.0.0.1:9090/api/security/authenticate
Request Method: OPTIONS
Status Code: 200
Remote Address: 127.0.0.1:9090
Referrer Policy: no-referrer-when-downgrade
RESPONSE HEADERS :
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: http://127.0.0.1:8080
Content-Length: 0
Date: Wed, 11 Dec 2019 21:44:07 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
REQUEST HEADERS :
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: 127.0.0.1:9090
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/login
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/78.0.3904.108 Chrome/78.0.3904.108 Safari/537.36
And my POST :
GENERAL:
Request URL: http://127.0.0.1:9090/api/security/authenticate
Request Method: POST
Status Code: 403
Remote Address: 127.0.0.1:9090
Referrer Policy: no-referrer-when-downgrade
RESPONSE HEADERS :
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://127.0.0.1:8080
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Wed, 11 Dec 2019 21:44:07 GMT
Expires: 0
Pragma: no-cache
Transfer-Encoding: chunked
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
REQUEST HEADERS :
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 56
Content-Type: application/json;charset=UTF-8
Cookie: XSRF-TOKEN=428229a0-b2b1-4473-ab3a-557e4dbac1b1
Host: 127.0.0.1:9090
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/login
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/78.0.3904.108 Chrome/78.0.3904.108 Safari/537.36
REQUEST PAYLOAD :
{login: "xxx", password: "xxx", rememberme: false}
login: "xxx"
password: "xxx"
rememberme: false
The CSRF cookie sent (428229a0...) is not correct. Previously in a GET request, I obtained an other CSRF token (70705d00...). Why wrong csrf cookie was sent ?
To be sure that is not the result of dev mode from vuejs, I build my project and deploy it on nginx server, but I got same result. I try also on firefox, get same error.
In package.json, axios is in version "^0.19.0", vuejs "^2.6.10".
What is wrong in my code ? Or is about configuration of my server ?
Thanks for your help!
I want to make google api calls to send mail via gmail.
To do that, I first make the following request to oauth server:
https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=SOMECLIENTID&access_type=offline&redirect_uri=http://localhost:63878/Default.aspx&scope=https://www.googleapis.com/auth/gmail.send
Note that in my request, I have included access_type=offline
It redirects me to POST https://accounts.google.com/AccountChooser and I login using my account, give consent, and get redirected back to this page:
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 01 Jun 2016 06:30:37 GMT
Location: http://localhost:63878/Default.aspx?code=4/LF9pQo8EH-SZkkDJV0ttNnVMIwjwWLgnc-H-QjLg__k#
Content-Language: en
Content-Encoding: gzip
as seen on fiddler.
Now using this code, I make a second call:
POST https://www.googleapis.com/oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Connection: keep-alive
Content-Length: 266
Cache-Control: no-cache
Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Postman-Token: e9716588-2f62-d761-1c07-41c6dc057f0f
Accept: */*
X-Client-Data: CIm2yQEIorbJAQjEtskBCLKVygEI/ZXKAQjgmMoBCO2cygE=
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
code=4/LF9pQo8EH-SZkkDJV0ttNnVMIwjwWLgnc-H-QjLg__k#&client_id=SOMECLIENTID&client_secret=SOMESECRET&redirect_uri=http%3A%2F%2Flocalhost%3A63878%2FDefault.aspx&grant_type=authorization_code
The response I get is:
{
"access_token":"ya29.CjLzAuW07My8BHnaMaLWjhKsD2FvzI6SpUHqdqQwkugTW4lMnQl0rXt6cQdm0ir4RObYEg",
"token_type": "Bearer",
"expires_in": 3557
}
Why does this not include the refresh token in the response?