I’m working on an Automation project using a webhook and have confirmed that my webhook URL is correctly set up. However, I’m encountering an issue during the login process where I receive the error: “redirect_uri could not be validated.”
The Redirect URI parameter passed there must match the one registered in the OAuth-In app; if not, you’ll get the error you mentioned: “redirect_uri could not be validated.”
I apologize for the earlier confusion. To clarify, this is my first experience with the SmartThings API. I need to develop a service that will allow users to authenticate their SmartThings accounts through my API, allowing them to interact with locations, devices, and other SmartThings features in my app. Unfortunately, I have been unable to find a comprehensive guide that explains how to set up the SmartThings project from the start and establish the necessary authorization in my app. Could you please provide a detailed explanation of the steps I need to take, starting from the creation of a project in the SmartThings Workspace, including the necessary configurations?
The OAuth-In App cannot be created through the Developer Workspace; that’s why there’s a short guide in that repository to do so.
Here’s more information about this, please let me know if you have questions:
You need to use the SmartThings API to create this type of app, this sample is using the ST CLI
Then, you need to start the OAuth 2.0 process, which consists of:
The Access Token you get expires in 24 hours.
The Refresh Token expires in 29 days if not used. We suggest you refresh the token before this time, otherwise, you’ll lose the Refresh token and the User will need to re-authorize.
NOTE: Remember the OAuth integration has a limit of 500 installations by default. Each time a user authorizes access to one of his/her locations, it will count as 1 installation. This means that if a user has 3 locations and authorizes access to each of them, he/she will use 3 installations.
To refresh the Access Token, you need to use the same endpoint, but the grant_type is different; here’s an example of this:
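As an added illustration of the token lifetimes and the refresh step described in the reply above (this is example code written for this thread, not SmartThings’ own sample or CLI output), the snippet below keeps an access token and refresh token, refreshes the access token before its 24-hour expiry by posting grant_type=refresh_token to the same token endpoint, and reports that the user must re-authorize once the refresh token has gone unused for 29 days. The token endpoint URL, the HTTP Basic client authentication, the client credentials, and the fake endpoint response are all assumptions or constructed placeholders; the HTTP call is injected so the code runs offline.

```python
# Added example, not code from the thread: a token store that refreshes before expiry.
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode

# ASSUMPTION: endpoint URL and client credentials are placeholders, not values from the thread.
TOKEN_URL = "https://auth-global.api.smartthings.com/oauth/token"  # assumed endpoint
CLIENT_ID = "<your-oauth-in-app-client-id>"
CLIENT_SECRET = "<your-oauth-in-app-client-secret>"

ACCESS_TOKEN_LIFETIME = timedelta(hours=24)   # per the thread: access token expires in 24 hours
REFRESH_TOKEN_LIFETIME = timedelta(days=29)   # per the thread: refresh token expires in 29 days if unused
REFRESH_MARGIN = timedelta(hours=1)           # refresh this long before the access token expires


class ReauthorizationRequired(Exception):
    """Raised when the refresh token has lapsed; the user must go through OAuth again."""


class TokenStore:
    def __init__(self, access_token, refresh_token, issued_at):
        self._set(access_token, refresh_token, issued_at)

    def _set(self, access_token, refresh_token, issued_at):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.access_expires_at = issued_at + ACCESS_TOKEN_LIFETIME
        self.refresh_expires_at = issued_at + REFRESH_TOKEN_LIFETIME

    def needs_refresh(self, now):
        return now >= self.access_expires_at - REFRESH_MARGIN

    def refresh_can_still_be_used(self, now):
        return now < self.refresh_expires_at

    def build_refresh_request(self):
        """Same token endpoint as the code exchange; only grant_type changes (assumed Basic auth)."""
        body = urlencode({
            "grant_type": "refresh_token",
            "client_id": CLIENT_ID,
            "refresh_token": self.refresh_token,
        })
        basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        headers = {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        return TOKEN_URL, headers, body

    def refresh(self, post, now):
        """post(url, headers, body) -> response JSON text; injected so this runs offline."""
        if not self.refresh_can_still_be_used(now):
            raise ReauthorizationRequired("refresh token expired; user must re-authorize")
        url, headers, body = self.build_refresh_request()
        data = json.loads(post(url, headers, body))
        # Both values rotate on every refresh: persist the new refresh token or the next refresh fails.
        self._set(data["access_token"], data["refresh_token"], now)
        return self.access_token

    def ensure_fresh(self, post, now):
        """Return a usable access token, refreshing it first if it is close to expiry."""
        if self.needs_refresh(now):
            return self.refresh(post, now)
        return self.access_token


def fake_token_endpoint(url, headers, body):
    """Constructed stand-in for the token endpoint; the response shape is assumed, not real data."""
    params = dict(parse_qsl(body))
    if params.get("grant_type") != "refresh_token" or not headers["Authorization"].startswith("Basic "):
        raise ValueError("unexpected refresh request")
    suffix = params["refresh_token"][-4:]
    return json.dumps({
        "access_token": "new-access-" + suffix,
        "refresh_token": "new-refresh-" + suffix,
        "expires_in": 86400,
        "token_type": "bearer",
    })


def run_demo():
    """Walk through: fresh token, refresh near expiry, and a refresh token left unused too long."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = TokenStore("acc-0001", "ref-0001", t0)
    results = {"fresh_at_t0": store.ensure_fresh(fake_token_endpoint, t0)}
    t1 = t0 + timedelta(hours=23, minutes=30)
    results["needs_refresh_at_t1"] = store.needs_refresh(t1)
    results["fresh_at_t1"] = store.ensure_fresh(fake_token_endpoint, t1)
    results["refresh_token_after"] = store.refresh_token
    results["refresh_window_extended"] = store.refresh_expires_at == t1 + REFRESH_TOKEN_LIFETIME
    stale = TokenStore("acc-9999", "ref-9999", t0)
    try:
        stale.ensure_fresh(fake_token_endpoint, t0 + timedelta(days=30))
        results["stale_outcome"] = "refreshed"
    except ReauthorizationRequired:
        results["stale_outcome"] = "reauthorize"
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point worth keeping from the demo is that every successful refresh replaces both tokens, so the store must persist the new refresh token immediately; holding on to the old one means the next refresh fails and the user is sent back through authorization.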
Thank you for the detailed response. I would also like to inquire if there is a way to obtain the PAT (Personal Access Token) of an authorized user to avoid requiring re-authorization for accessing locations or if there is an alternative approach for handling this.
No, a user would have to provide their PAT to you directly and you would have to handle it carefully. However, remember that PATs cannot be used to create subscriptions which help you get events to know if the status of a device changed. There are different subscription types, see here.
Users don’t have to go through the authorization process again if you save and refresh their tokens properly (I mean before the expiration date).
Each time you refresh a token, you’ll get two new values: the Access Token (the one you use to authorize the requests) and the Refresh Token.
I need to enable users in my application, after authorization, to perform actions such as retrieving all locations, creating new locations, and similar operations. However, I can’t use the access_token associated with an individual location for this, although I have put ‘r:locations:* w:locations:* x:locations:*’ in the scope. Is there a solution or approach that allows for this functionality?
Currently, an authorization per Location is required; you cannot use an access token to see all locations of the user. If you would like to explain your case to the SmartThings Partners team to see if they can offer a different solution, you can contact them at partners@smartthings.com.