p2g_console v4.3.0 - GarminAuthenticationError: failed to authenticate with Garmin. Auth appeared successful, but returned OAuth1 token is null.

[DinoChiesa]

I am seeing this error in the logs for the containerized p2g_console app.

Full context here:

...
[03:48:17 INF] Converting workouts...
[03:48:18 INF] [Fit] Backed up file /app/output/fit//331c23853f84bc4a94155e3f8b2a4be33 min Just Ride with JUST RIDE.fit
[03:48:18 INF] Uploading workouts to Garmin...
[03:48:18 ERR] Http Failed to deserialize response to target type: JSON
Flurl.Http.FlurlParsingException: Response could not be deserialized to JSON: POST https://connectapi.garmin.com/cauth-service/oauth/exchange/user/2.0. 
System.Text.Json.JsonException: The JSON value could not be converted to Garmin.Dto.OAuth2Token. Path: $ | LineNumber: 0 | BytePositionInLine: 1.
   at System.Text.Json.ThrowHelper.ThrowJsonException(Type propertyType)
   at System.Text.Json.Serialization.Converters.ObjectDefaultConverter`1.OnTryRead(Utf8JsonReader& reader, Type typeToConvert, JsonSerializerOptions options, ReadStack& state, T& value)
   at System.Text.Json.Serialization.JsonConverter`1.TryRead(Utf8JsonReader& reader, Type typeToConvert, JsonSerializerOptions options, ReadStack& state, T& value, Boolean isPopulatedValue)
   at System.Text.Json.Serialization.JsonConverter`1.ReadCore(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
   at System.Text.Json.Serialization.Metadata.JsonTypeInfo`1.ContinueDeserialize(ReadBufferState& bufferState, Utf8JsonReaderState& jsonReaderState, ReadStack& readStack)
   at System.Text.Json.Serialization.Metadata.JsonTypeInfo`1.Deserialize(Stream utf8Json)
   at System.Text.Json.JsonSerializer.Deserialize[TValue](Stream utf8Json, JsonSerializerOptions options)
   at Flurl.Http.Configuration.DefaultJsonSerializer.Deserialize[T](Stream stream)
   at Flurl.Http.FlurlResponse.GetJsonAsync[T]()
--- End of inner exception stack trace ---
[03:48:18 INF] Response: OK POST https://connectapi.garmin.com/cauth-service/oauth/exchange/user/2.0 - Date: Thu, 02 Jan 2025 03:48:18 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2AS.JaZCHMq8sb@Psn1qcTWqSYXJZGc%28eNjxh9mFd1TIhHZNBNXLAE6Rxwhdq5pzMftVUT68F6hadSxY35N8v9cw8c3p1goAvc...
NEL: {"success_fraction":0.01,"report_to":"nel","max_age":684800}
Set-Cookie: cfuvid=38WaLxrozI3gpf841SJLvZZo9BJxZued1CXOcBwGoxo-1735789698728-0.0.1.1-604800000; path=/; domain=.connectapi.garmin.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8fb7c5d0be5fb996-SEA
Alt-Svc: h3=":443"; ma=86488
- []
[03:48:20 ERR] Garmin Uploader failed to authenticate with Garmin. Auth appeared successful but returned OAuth1 token is null. oauth1Response: []
Garmin.Auth.GarminAuthenticationError: Auth appeared successful but returned OAuth1 token is null. oauth1Response: []
   at Garmin.Auth.GarminAuthenticationService.GetOAuth1Async(String ticket, ConsumerCredentials credentials, String userAgent) in /build/src/Garmin/Auth/GarminAuthenticationService.cs:line 337
   at Garmin.Auth.GarminAuthenticationService.CompleteGarminAuthenticationAsync(String loginResult, String userAgent) in /build/src/Garmin/Auth/GarminAuthenticationService.cs:line 214
   at Garmin.Auth.GarminAuthenticationService.SignInAsync() in /build/src/Garmin/Auth/GarminAuthenticationService.cs:line 193
   at Garmin.Auth.GarminAuthenticationService.GetGarminAuthenticationAsync() in /build/src/Garmin/Auth/GarminAuthenticationService.cs:line 90
   at Garmin.GarminUploader.UploadAsync(String[] files, Settings settings) in /build/src/Garmin/GarminUploader.cs:line 84
   at Garmin.GarminUploader.UploadToGarminAsync() in /build/src/Garmin/GarminUploader.cs:line 74
   at Sync.SyncService.SyncAsync(IEnumerable`1 workoutIds, ICollection`1 exclude) in /build/src/Sync/SyncService.cs:line 171

I know something about OAuth 1 and 2, and token exchange, etc. But I can't really see what's going on from these logs. I can't even see what was posted to the token exchange endpoint. But it appears the response is an empty array.

I recently updated the garmin password in the config file. Pretty sure that's correct.

Any ideas on what could cause this?

I do not have MFA Setup on this Garmin account.

Can you tell me how I can try the token exchange from here? That might help in diagnosis. I'll try looking in the code, but... no guarantees I'll be able to figure it out.

[DinoChiesa]

ooooo, just looking at the code, it looks messy with the CSRF, and the service ticket, and the OAuth1 token and the OAuth2 token. My goodness. Garmin published an API that has not been designed for easy consumption.

[DinoChiesa]

Looking at the code, it looks like it gets a service ticket, and then with THAT, tries to sign-in to request ... an OAuth1 request token?

I tried reproducing this in Powershell and got the same response: 200 OK, with an empty array as content. That looks unhelpful to an app that wants to parse out an oauth_token and oauth_token_secret from the response. I always seem to get 200 OK with an empty JSON array as a response, whether I have a valid OAuth1 signature in the Authorization header, or even if I send complete junk.

I am not sure where to go with this now. Sure looks like Garmin is not responding with a correct response here. Maybe there's nothing wrong with p2g at all, and the problem is all on the Garmin side. Is anyone else having similar problems?

PS C:\Users\dpchi\dev\peloton-to-garmin> .\invoke-auth1.ps1
GET: https://connectapi.garmin.com/oauth-service/oauth/authorize?ticket=ST-0282...&login-url=https://sso.garmin.com/sso/embed&accepts-mfa-tokens=true
200
Date: Thu, 02 Jan 2025 05:42:59 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TI81xCF6k9bNCHqxGHappCwei68WA9cibjVQs0TCLioejVyt4VEAUXqy4H5TuKsSA8EyoGw9P7HY739Fhh914ZgAe5i13C%2BAm2GTqLmJvCpUiKwdPlWl17QVyad6N7AoBydQ7N4VgA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=tJC._ACLlQtC79kt3qbNOJglePkxtDgybcr5.fvXdxw-1735796579953-0.0.1.1-604800000; path=/; domain=.connectapi.garmin.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8fb86dd05af995e1-SEA
Alt-Svc: h3=":443"
Content-Type: application/json


[]

[philosowaffle]

9 times out of 10, an issue with Garmin auth is either:

1. Cloudflare/Garmin temporarily blocking you - Try again tomorrow (although VPN may help you get around this)
2. Garmin made some change to auth, which will mean its broken for everyone and we'll go on a hunt to figure out what the magic sauce is to make it work again (last time it was a UserAgent header change 🙄)
3. Obligatory reminder P2G doesn't currently support passwords with \ - just in case your new password happens to have one of those

As you've seen, Garmin's API is a disaster to reverse engineer. P2G's auth implementation is ported over from Garth. I generally try to stay in sync with this implementation as they often lead the way on all Garmin auth changes.

[DinoChiesa]

oooh, thank you for all of that information.

My p2g_console is running in Cloud Run, which means it might have a different IP Address and geo region, every time it runs. Also it runs on a schedule, repeatedly during the day, 3-4 times per hour. Would it be possible to modify the code so that it caches the initial request tokens it acquires? I will look into that. I will also investigate why CloudFlare might be blocking me. The behavior i see in the p2g_console log is the same as what I see when I try Invoke-WebRequest from powershell from my own laptop, which does not roam around, and , from which I can successfully interactively login to the connect.garmin.com webapp.

My password does not have backslash but does have other non-alphanumerics. I will check into whether that is leading to a problem.

And I'll look into Garth, too.

Cheers.

[philosowaffle]

Upon successful auth, the relevant tokens are persisted (here and here) and reused until they require refresh.

I think the OAuth2 token response is valid for 24hrs. It can be refreshed using the OAuth1 token response which I think is valid for like a year or something pretty long (been a while since I looked at it).

So long as the P2G data directory persists, it should reuse the saved auth token(s) and not attempt to fully re-authenticate until it detects the token(s) expired.

For extra context so you don't go too far down this rabbit hole: \ is the only non-alphanumeric character I'm aware of that has an issue. All others ought to work. The reason \ is problematic is because P2G stores its data and configs as JSON blobs at rest. The escape character \ doesn't play nice with my JSON serialization/deserialization.

Other thing to keep an eye on (unrelated to Garmin), folks have been rate limited by Peloton API before when querying more frequently than hourly. This results in Peloton flagging your account and forcing you to change your password. Not the end of the world, just inconvenient.

[DinoChiesa]

oh thanks for that.

regarding persistence - what you shared is important information for me if I run p2g_console in a container which has a readonly filesystem. I had mounted two directories for my p2g_console: one for configuration data (readonly) and one for output (for the .fit files , logs, etc). I did not know about the use of App.DataDirectory , or even Common.Database. I will have to investigate. I guess currently my container-based environment is not able to persist anything via Common.Database . Maybe I can modify the code to use the output directory for that purpose.

A-OK on the passwords.

Re: Peloton getting grumpy about frequent logins - I had that experience with Peloton forcing me to change my password. I had previously set the p2g_console to run every 5 minutes and that got me on the naughty list. Since I moved to every 15 minutes, and only during my own daylight hours, my Peloton account has not gotten flagged like that.

---

I just tried writing a Powershell script to replicate what Garth does for signin. It did not work. I can get the CSRF token, apply the cookies, use the proper user agent... but in response to the POST to /signin, I just see an HTML form, with the message, "An unexpected error has occurred."

Then I tried running Garth directly, and got the oauth1 and oauth2 tokens successfully,. I don't know what I missed in my own script. Anyway now I have tokens. I will look to see if I can modify p2g_console to use a specific read/write data directory. If I can, then ... I can populate that datastore with my own oauth1 and oauth2 tokens. Do you have an example of what that database file would look like? I guess it's json, but ... I don't have one at hand. All I have is the dummy datastore which looks like this:

{
  "1": {
    "encryptionVersion": 1,
    "oAuth1Token": "wwLhULFn/WJaBnG2CbHifw==",
    "oAuth2Token": "wwLhULFn/WJaBnG2CbHifw==",
    "partialGarminAuthentication": null
  }
}

[philosowaffle]

Within its own container, P2G should be able to write and save data on the container filesystem, but it won't persist across restarts which you'd notice most if you're constantly restarting P2G or are running in a serverless setup. To persist across restarts all you need is this line.

It looks like I've let this example fall out of date accidentally, it should definitely include the data mount.

[DinoChiesa]

After further review, I can simply add another r/w storage bucket for the "data" directory; that will be no problem. There will be 3 buckets, 3 mounted directories. One each for config, data, output.

I am trying to figure out what needs to go into GarminDbDb.json . End goal is to stuff in the oauth{1,2} tokens obtained via Garth, into that store, so that p2g_console can use cached values. I don't know why it cannot login using the normal path, like Garth does, and I'm trying to work around that. The login process for Garmin remains mysterious.

I figure if I can get a successful run of any version of the app, it will create a GarminDbDb.json and I can use that as an example. But I cannot get any version of the app to run successfully at this point.

Right now when I run the p2g_console app locally on my windows machine, it behaves the same way as the containerized version that runs in Google Cloud Run: they both succeed in connecting to Peloton, and fail to login to Garmin.

When I try to run ClientUI.exe from my own build (v4.3.0) it doesn't do anything. Doesn't start. I downloaded the latest stable release v4.3.1, and double-clicking that in the file explorer i get the warning "Are you sure you want to run this .exe?" I confirm, and ... again, nothing happens. I get a windows spinny wheel for a few seconds, then nothing. No error message.

Also tried docker version. Same result - it cannot login to Garmin, so it does not store anything in GarminDbDb.json .

[philosowaffle]

The GarminDb.json file you posted earlier is the correct structure, that's all there is to it. However, you can't copy/paste the raw tokens into that file because P2G stores the tokens encrypted at rest. You can poke through the code and copy the encryption keys**, but that is very down in the weeds.

** 😬 I know I should really be letting users define their own keys, not have them in source control....one day I'll get there

[DinoChiesa]

Thanks for that. I appreciate the back-and-forth, the feedback and assistance. I know you have a day job.

The token data obtained by Garth looks like this:

oauth1 token

{
    "oauth_token": "a857ad8a-f89f-baad-beef-039c761acb67",
    "oauth_token_secret": "xcyFDuZ8w1uvAN-not-real-hfvU3UZNC",
    "mfa_token": null,
    "mfa_expiration_timestamp": null,
    "domain": "garmin.com"
}

And oauth2 token

{
    "scope": "COMMUNITY_COURSE_READ ...numerous other scopes here",
    "jti": "a1e459c9-61e9-40ae-b991-d537ed4eac1e",
    "token_type": "Bearer",
    "access_token": "eyJ.....tA",
    "refresh_token": "ey...==",
    "expires_in": 75520,
    "expires_at": 1735920665,
    "refresh_token_expires_in": 2591999,
    "refresh_token_expires_at": 1738437144
}

So, what does GarminDbDb store? Only the token value? I would think it would need more than that. I haven't looked at the code.

In any case I was able to successfully do the Garmin Auth dance from within powershell. I don't know what's different between my powershell script and the GarminAuthenticationService + ApiClient. Investigating.

[DinoChiesa]

hmmmm I'm not sure exactly what the problem was. I changed a couple things and p2g_console can now login to Garmin.

• the referer headers now exactly match what Garth sends
• uses a small, internal OAuthV1 library, with better logging.

And it works now.

See #708 for the changes I made. It is now working

• as a standalone app
• running in a docker container locally
• running within Cloud Run

I don't know if you can merge #708 ; I know you have been working on a dotnet 9 version. But the OAuthV1 helper class ought to work just fine.

I didn't test the MFA path.

[DinoChiesa]

BTW yesterday I received a notification in my inbox from Garmin that I needed to reset my password. But I also saw in the news that Garmin Connect experienced an outage this morning. Not sure if related or coincidental.

It's possible that setting p2g_console to login every 15 or 30 minutes is triggering something on the Garmin side. I would think that caching the OAuth tokens would eliminate that problem , because it eliminates the "Sign in" part. I need to look more closely at this when I get back to my desk.