Remember folks, "token exchange" does *not* mean "let me exchange a customer ID for a token"! Good thread on how remotely connected Honda, Nissan, Infiniti, and Acura cars were all able to be remotely controlled knowing only the VIN.
Replying to @samwcyo
It returned "200 OK" and returned a bearer token! This was exciting, we were generating some token and it was indexing the arbitrary VIN as the identifier. To make sure this wasn't related to our session JWT, we completely dropped the Authorization parameter and it still worked!

Dec 1, 2022 · 7:36 PM UTC

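The behaviour described in the quoted reply, next to a handler that authenticates and authorizes before minting a token. This is an added Python example, not code from the thread or from the affected service; the HMAC token format, the signing key, `OWNED_VINS` and all function names are constructed assumptions.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, time

# Constructed sample data: signing key and account-to-VIN ownership records.
KEY = b"demo-signing-key"
OWNED_VINS = {"alice": {"VIN-ALICE-0001"}, "bob": {"VIN-BOB-0002"}}

def _sign(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{mac}"

def _verify(token: str) -> dict | None:
    body, _, mac = token.rpartition(".")
    good = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(mac.encode(), good.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims.get("exp", 0) > time.time() else None

def login(user: str) -> str:
    """Session token issued after real authentication (not shown here)."""
    return _sign({"sub": user, "typ": "session", "exp": time.time() + 600})

def exchange_vulnerable(authorization: str | None, vin: str) -> str:
    # Flaw described in the thread: the VIN alone selects the identity and
    # the Authorization header is never consulted.
    return _sign({"vin": vin, "typ": "vehicle", "exp": time.time() + 600})

def exchange_hardened(authorization: str | None, vin: str) -> str:
    # 1. Require a bearer token and verify its signature and expiry.
    if not authorization or not authorization.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    claims = _verify(authorization[len("Bearer "):])
    # Only session tokens are accepted as the subject token.
    if claims is None or claims.get("typ") != "session":
        raise PermissionError("invalid subject token")
    # 2. Authorize: the VIN must belong to the authenticated subject.
    if vin not in OWNED_VINS.get(claims["sub"], set()):
        raise PermissionError("VIN not bound to this account")
    # 3. Mint a token bound to both the subject and the vehicle.
    return _sign({"sub": claims["sub"], "vin": vin, "typ": "vehicle",
                  "exp": time.time() + 600})
```

A regression test for this class of bug sends the exchange request with no Authorization header and with another account's VIN, and expects a rejection in both cases.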