      06-22-2021, 09:09 PM   #1
bloozemanAZ
My BMW Android App

As mentioned in the "Spotify and maps traffic data stopped working" thread, I hit a BMW cloud bug in the My BMW Android app on my Google Pixel 3XL. The back story is that last Thursday, when I tried to open the My BMW app on my Pixel, the app prompted me to log in again. When doing so it opened up the browser to the core login.bmwusa.com site, which I do not remember if that was initially the case with the app. However, after entering my username and password I just ended up with an error, and after trying again to the same result I gave up. I figured BMW was having an issue and would try again later.

Same result over the weekend as well as yesterday, so each time I just used the legacy app as it is still active and was working perfectly. Today I decided to install the new app on my work iPhone and had no issues logging in, but was getting the same error on my Pixel. So this time I actually looked at the error message (had to zoom as it is tiny) and it appears to be an error with the token (likely OAuth2) being passed back from the login to the app. So I dug into the actual URL being utilized for the login process and it's a monster, with the redirect going back to com.bmw.connected and expected an OAuth client ID included.

For an experiment I logged out of the iOS app and logged back in and captured its login URL. Copied that and sent it to myself via Gmail so I could use it to insert in the same step for the Android app. Lo and behold, I logged in and the My BMW app is now working on my Pixel again. Thus, ultimately BMW has themselves a bit of an issue with the Android app in regards to the URL generated to authorize the connected app service post authentication.

If anyone out there encounters the same issue just use the following in the Chrome browser session the My BMW app triggers for the authentication:

https://login.bmwusa.com/oneid/#/log...app&country=US

Never expected the need to hack a login for the new My BMW app but then again as I've said at least 100 times BMW can't fight their way out of a paper bag in the digital world.
      06-22-2021, 09:24 PM   #2
ctelimad
I had the same issue on my Samsung.
Easy solution:
In the settings menu of your phone, change your default browser in the Chrome app (go to the Chrome app and change the default browser to Samsung Internet or anything other than Chrome), log in again, and it should work.
After logging in, go back and make Chrome your default browser.
      06-22-2021, 10:34 PM   #3
bloozemanAZ
Good info for the fellow Android brethren out there running Samsung hardware. Catch-22 is that on a Pixel, Chrome is the default given it is 100% pure Android and to some extent it is embedded into the OS. Thus, there is no other option, e.g., Samsung Internet. It's definitely not a Chrome "bug", as in it can properly authenticate and pass OAuth2 tokens back to apps all day long, and originally the My BMW app didn't have any issues whatsoever.

Given your "fix" I'm guessing it is how the BMW app is calling a "3rd party" app, aka the browser. For grins I can change my default browser to the latest Chromium-based Edge, as it is installed given it is the inherent default for the Intune MAM controlled apps in the work world of my Pixel. If it too fails, it would support the issue calling a "3rd party" app.

Side note for the fellow IT geek aka limeypride on the forum: I am running a private pilot of Intune MAM, as every other mobile device connecting to our M365 world is on full MDM. I initially drove the Intune MDM rollout for our mobile devices and then shifted it to also control our corporate laptops via hybrid joined AAD plus conditional access policies. Like all of my prior IT CTO gigs, the first relationship made was with the CISO. Thus, I got us off the abysmal Citrix XenMobile solution that was in play when I joined, as frankly the user experience was so poor I refused to use it.
      06-23-2021, 12:28 AM   #4
snowbimmer
Jesus. You lost me after "Good info......"

      06-24-2021, 10:53 PM   #5
bloozemanAZ
And I likely should have prefaced it all with "excuse the in-depth geek explanation from a 30-year veteran who knows more about it than the car he drives".
      01-07-2022, 02:25 PM   #6
bloozemanAZ
The My BMW "bug" with Chrome on my Google Pixel hit again yesterday and carried over to today. Ultimately I installed Firefox and, just for the My BMW login, set it to the default browser. It still puzzles me as to why the BMW login fails with Chrome, as per the detailed error message plus URL parameters it is using OAuth2 authentication. I do this dozens of times a day on my Pixel via Chrome, as OAuth2, OpenID and SAML are used for federation by dozens of apps on my phone given they are the industry standard.
      01-07-2022, 02:43 PM   #7
__AD__
This brings back memories of past years debugging OAuth traces and browser redirects during my stint as an Identity architect/engineer. My guess is either the BMW devs are messing with redirect URLs for the app and forgot to put one back in on the IdP config, your browser updated and there's some increased security on the post redirect behavior (framed, reading another URL's cookies on redirect, etc.), or just a general cookie issue with the post URL (cookie samesite specifier changed perhaps). My good old friend Fiddler would usually sort this out in 10-15 minutes, but I refuse to get that deep these days. 😊
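Added example, not part of any post in this thread: one way to run the comparison described in posts #1 and #7 offline, diffing a working and a failing authorization URL and checking the `redirect_uri` against the IdP's registered list. The host, client IDs, redirect URIs and registered set are constructed placeholders, and the parameter names are the standard OAuth2 ones, assumed rather than taken from the truncated URL in post #1.

```python
from urllib.parse import urlsplit, parse_qsl

# Authorization-request parameters that are random per login attempt.
PER_ATTEMPT = {"state", "nonce", "code_challenge"}


def auth_params(url: str) -> dict:
    """Return the authorization-request parameters of a login URL.

    Single-page login front ends often carry the query inside the fragment
    (".../#/login?client_id=..."), so both locations are read.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "?" in parts.fragment:
        frag_query = parts.fragment.split("?", 1)[1]
        params.update(parse_qsl(frag_query, keep_blank_values=True))
    return params


def diff_requests(working: str, failing: str) -> dict:
    """Map each parameter that differs to (working_value, failing_value)."""
    a, b = auth_params(working), auth_params(failing)
    changed = {}
    for key in sorted(set(a) | set(b)):
        if key in PER_ATTEMPT:
            continue  # differs on every attempt, so it is not a useful signal
        if a.get(key) != b.get(key):
            changed[key] = (a.get(key), b.get(key))
    return changed


def redirect_registered(url: str, registered: set) -> bool:
    """Exact-match check of redirect_uri against a client's registered URIs."""
    return auth_params(url).get("redirect_uri") in registered


# Constructed sample URLs (hypothetical host, client IDs and redirect URIs).
WORKING = ("https://login.example.com/oneid/#/login?client_id=ios-client-0001"
           "&response_type=code&redirect_uri=com.example.connected%3A%2F%2Foauth"
           "&state=abc123&scope=openid&country=US")
FAILING = ("https://login.example.com/oneid/#/login?client_id=android-client-0002"
           "&response_type=code&redirect_uri=com.example.connected%3A%2F%2Foauth2"
           "&state=zzz999&scope=openid&country=US")
REGISTERED = {"com.example.connected://oauth"}  # assumed IdP client config

if __name__ == "__main__":
    for name, (ok, bad) in diff_requests(WORKING, FAILING).items():
        print(f"{name}: working={ok!r} failing={bad!r}")
    print("failing redirect registered:", redirect_registered(FAILING, REGISTERED))
```
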
      01-07-2022, 05:34 PM   #8
bloozemanAZ
Agreed with all you stated, and if Fiddler was available as a mobile phone app I would have leveraged it, as it's my go-to on the work front to diagnose the situation. That said, I'm glad to have another IT geek on the forum besides myself and limeypride.
      01-07-2022, 05:37 PM   #9
__AD__
Run Fiddler on your laptop on the same network as your phone and enable remote connections in the Fiddler menu. Set it as the proxy in your mobile's Wi-Fi settings (laptop IP:8888). Navigate to the laptop IP:8888 and install the Fiddler cert. Enjoy Fiddler for mobile showing up on your laptop 🙂. On iPhone, you'll have to do a couple more steps to trust the cert in a couple menus. Very handy.
      01-07-2022, 06:41 PM   #10
bloozemanAZ
Once again you're spot on and would have gone that route vs the simplicity of a Fiddler app on the phone. Ultimately, based on the original issue, it tied back to Chrome on my Pixel, so the easy fix was just to download Firefox, set it as default and log in. Back to Chrome as the default browser as everything else works. Hence, an issue with the My BMW OAuth2 authentication with the browser POST or cookies vs any other app.