Set-Cookie header returns multiple entries, which do I use?

[nikemeal]

As the title suggests, I make the call with:

'client_id' => 'ownerapi',
'code_challenge' => 'my challenge code',
'code_challenge_method' => 'S256',
'redirect_uri' => 'https://auth.tesla.com/void/callback',
'response_type' => 'code',
'scope' => 'openid email offline_access',
'state' => 'a random string'

to 'https://auth.tesla.com/oauth2/v3/authorize' and get back the 302 redirect with the set-cookie headers. The issue is that I get back multiple headers with the key set-cookie so I get three like this:

['set-cookie', 'tesla-auth.sid=s%3ATjaWitngN5nQcHzunZTtjFtKtfYN_tEF.kRMD0rkqi0CbFeLyUD0hSbXfrcNWM2SKJDOR02X2sn0; Path=/; Expires=Sun, 04 Jul 2021 15:13:16 GMT; HttpOnly; Secure; SameSite=Lax']

['set-cookie', 'bm_sz=FDF94897DF3D4DA578C41EC19F4CC715~YAAQn7D3SHLfgV56AQAAcJuhYgwDMEHFmlWQAvMdflZmXE3dTKNtSVFA02oYq9kd6WNetYJb1+CQ6pONFN1tjMkUlE/Qb29o1MXTOmFWOMOPwPe0qNuio8UTuQ1WbujM4PevvehGwjRNuoYLA9jSzeN1X4839zwa5cBaxG0TLjGNqY8CGbTQiCkc3OtMivs=; Domain=.tesla.com; Path=/; Expires=Thu, 01 Jul 2021 19:13:15 GMT; Max-Age=14399; HttpOnly']

['set-cookie', '_abck=A977C5B7F4066961DC31FC511C381642~-1~YAAQn7D3SHPfgV56AQAAcJuhYgbDSlvn2ZsDy6wjZeqQmtZOtA2v8gYqG7+6jaL6U1XfrW7vqs5kIGWuaexUk0ImHMME9Z8I6dqeCOnXlP1c1o0quF7rJBsrYOCngYc4A8htXbAHlOEugfQzv+JA2ZKORyeh3rG3GpYtzHowQGTRncuIcKD0+3g0YjkF7lp0o7weCek9vvy4mgZsAkHGYoeHn0JqLs5ZqzPRyIiZTM9GhkPUTKtQZxRz4aB/0TPNSLAQTwjUVdhbIIDi9kIvlVMgcAHfF9jRSw3VXGjNcJbCSM/zI97/hueXRe2k4tZbwEBo0IIWjRRBvLSOjEaMoWwQ4jdydnfiCMgSyrZdRJCy5dzxPLSJdg==~-1~-1~-1; Domain=.tesla.com; Path=/; Expires=Fri, 01 Jul 2022 15:13:16 GMT; Max-Age=31536000; Secure']

So the question is, when I then have to send that cookie back with the body fields of csrf, transaction-id, etc do i send it as one header with all those three imploded by a space, or do i set multiple Cookie: headers with one entry per header, or do i just use one of those entries on its own?

I'm at the point now that I send all of that to the authorize url but get back the location header of the same url i posted to, and not the one with code= in the location header and I don't know if it's due to the cookie or something else. From what I've read I should be getting back either the header with a code= in the location one, or redirected back to a page that has a passcode for MFA authentication but i just get back the very same location request i sent

[nikemeal]

I hate myself! After pretty much going through every step from the start again to see what I might have missed, I noticed that my email for the identity field I'd typed as ,.co.uk instead of .co.uk
So me getting the 302 was it redirecting me back to the same page because my login was incorrect not because I was doing something wrong.
I updated it and got back the 200 OK page with the passcode instead.

For future reference though (as I think others had correctly noted) you need all parts of the cookies combined, so when looping through headers I had adjusted one of the other examples in discussions to just be this

if (isset($tmp[strtolower($h[0])])) {
    $tmp[strtolower($h[0])] = sprintf("%s %s", $tmp[strtolower($h[0])], isset($h[1]) ? $h[1] : $h[0]);
} else {
    $tmp[strtolower($h[0])] = isset($h[1]) ? $h[1] : $h[0];
}

so if it finds a header key already existing it just appends the new part to the end separated by a space. Sending this worked for me, so I guess my answer was send as one header imploded by space AND MAKE SURE YOU ENTER YOUR DAMN EMAIL CORRECTLY!

[iqtedar123]

How many set-cookie values do you get back? I get 4. Do you pass the entire cookie to the string? Including the expires field? Can you post an example of what a typical cookie looks like?
Thanks.

[JonG67x]

I only pass the cookie starting tesla-auth.sid. I keep meaning to pass the others to see if it gets rid of the Captcha but this is the one you must send for it to work as far as I can tell

[bandhavi-private]

Hello, I am trying from Postman and have a similar issue with Step 2 from: https://tesla-api.timdorr.com/api-basics/authentication

I pass all 5 input form hidden parameters as separate key-value pairs, along with the correct identity and credential as post body (form-urlencoded). I am also passing Cookie as header with the value of tesla-auth.sid, but I keep getting 200 OK with no location in response header and same response as Step 1 in the documentation.

Any idea what might be going wrong here?

[iqtedar123]

Did you ever solve it?