Error: "redirect_uri could not be validated" During Login for Automation Project with Webhook

Hi SmartThings Community,

I’m working on an Automation project using a webhook and have confirmed that my webhook URL is correctly set up. However, I’m encountering an issue during the login process where I receive the error: “redirect_uri could not be validated.”

Here’s what I’m doing:

  • I’m using the example from this GitHub repository: SmartThings API App Subscription Example.
  • Instead of creating the app using the CLI and app.json, I manually inserted my own appId, clientId and clientSecret into .env.
  • The webhook URL was confirmed as valid, but when I attempt to log in, the process fails with the redirect_uri validation error.

Has anyone faced a similar issue?

Any help or suggestions would be greatly appreciated!

Thanks in advance!

Hi, @Ilya_Bespaliy. Welcome to the SmartThings Community!

What do you mean by “I manually inserted my own …”? You need to register the OAuth-In app in the ST platform using the correct URLs:

  1. The redirectURI is where you’ll receive the Authorization code to request an Access Token.
  2. The Target URL is the endpoint where you want to receive the subscription events.

So, when you call the /authorize endpoint as shown here: api-app-subscription-example-js/server.js at master · SmartThingsCommunity/api-app-subscription-example-js · GitHub

The Redirect URI parameter passed there must match the one registered in the OAuth-In app; if not, you’ll get the error you mentioned: “redirect_uri could not be validated.”

I apologize for the earlier confusion. To clarify, this is my first experience with the SmartThings API. I need to develop a service that will allow users to authenticate their SmartThings accounts through my API, allowing them to interact with locations, devices, and other SmartThings features in my app. Unfortunately, I have been unable to find a comprehensive guide that explains how to set up the SmartThings project from the start and establish the necessary authorization in my app. Could you please provide a detailed explanation of the steps I need to take, starting from the creation of a project in the SmartThings Workspace, including the necessary configurations?

The OAuth-In App cannot be created through the Developer Workspace, that’s why there’s a short guide in that repository to do so.
Here’s more information about this, please let me know if you have questions:

  1. You need to use the SmartThings API to create this type of app; this sample is using the ST CLI.
     1. You can also use the JSON in the sample as the input for the command:
        GitHub - SmartThingsCommunity/api-app-subscription-example-js: Example API Access SmartApp that shows the state and allows control of devices
  2. Then, you need to start the OAuth 2.0 process, which consists of:
     1. The Access Token you get expires in 24 hours.
     2. The Refresh Token expires in 29 days if not used. We suggest you refresh the token before this time; otherwise, you’ll lose the Refresh Token and the User will need to re-authorize.

NOTE: Remember the OAuth integration has a limit of 500 installations by default. Each time a user authorizes access to one of his/her locations, it will count as 1 installation. This means, if a user has 3 locations and authorizes access to each of them, he/she will use 3 installations.

  1. To refresh the Access Token, you need to use the same endpoint but the grant_type is different; here’s an example about this:

     curl -X POST "https://api.smartthings.com/oauth/token" -u "${clientId_from_app}":"${clientSecret_from_app}" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&client_id=${clientId_from_app}&refresh_token=${latest_refresh_token}"

Thank you for the detailed response. I would also like to inquire if there is a way to obtain the PAT (Personal Access Token) of an authorized user to avoid requiring re-authorization for accessing locations or if there is an alternative approach for handling this.

No, a user would have to provide their PAT to you directly and you would have to handle it carefully.
However, remember that PATs cannot be used to create subscriptions which help you get events to know if the status of a device changed. There are different subscription types, see here.
Users don’t have to go through the authorization process again if you save and refresh their tokens properly (I mean before the expiration date).
Each time you refresh a token, you’ll get two new values: the Access Token (the one you use to authorize the requests) and the Refresh Token.

Is this what you meant?

I need to enable users in my application, after authorization, to perform actions such as retrieving all locations, creating new locations, and similar operations. However, I can’t use the access_token associated with an individual location for this, although I have put ‘r:locations:* w:locations:* x:locations:*’ in the scope. Is there a solution or approach that allows for this functionality?


Currently, an authorization per Location is required; you cannot use an access token to see all locations of the user. If you would like to explain your case to the SmartThings Partners team to see if they can offer a different solution, you can contact them at partners@smartthings.com.