Critical fix: mTLS uses completely different API endpoint than OAuth2.
KEY CHANGE:
OAuth2 and mTLS now use different base URLs automatically based on auth method.
CONFIGURATION:
- OAuth2: https://ppr.dam.ferrero.com/otmmapi
- mTLS: https://dev-auth.app-api.ferrero.com/00003/mm
URLs are automatically selected based on --auth-pfx flag:
- No flag: Uses DAM_BASE_URL (OAuth2 endpoint)
- --auth-pfx: Uses DAM_MTLS_BASE_URL (mTLS endpoint)
IMPLEMENTATION:
1. .env: Added DAM_MTLS_BASE_URL variable
2. config.yaml: Added mtls_base_url configuration
3. dam_client.py: Auto-selects base_url in __init__ based on use_mtls flag
4. All API calls automatically use correct endpoint
EXAMPLE ENDPOINT TRANSFORMATION:
OAuth2: https://ppr.dam.ferrero.com/otmmapi/v6/search/text
mTLS: https://dev-auth.app-api.ferrero.com/00003/mm/v6/search/text
(Same path, different host/prefix)
TESTING STATUS:
✓ Certificate loads successfully
✓ Correct base URL selected based on mode
⚠️ HTTP 403 from current IP (likely IP whitelist)
✓ Ready to test from whitelisted IP location
ALL SCRIPTS UPDATED:
✓ a1_to_a2_download.py - Uses correct URL with --auth-pfx
✓ a5_to_a6_download.py - Uses correct URL with --auth-pfx
✓ b1_to_b2_download.py - Uses correct URL with --auth-pfx
✓ test_connection.py - Uses correct URL with --auth-pfx
NEW DEBUG SCRIPT:
- test_mtls_debug.py - Detailed request/response logging
BACKWARD COMPATIBILITY:
✓ OAuth2 completely unchanged (default)
✓ No impact on existing workflows
✓ Can test mTLS from whitelisted IP when ready
Next: Test from whitelisted IP location to verify mTLS works end-to-end.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
