Issue of decoding URL of authorization code in account linking flow

Hi @nayelyz

On Apr. 23 our customer received a warning mail about account linking errors.

We are using Cloud Connected devices. We are using standard OAuth2 account linking flow.

Step 1. Log in
Step 2. Our server returns the authorization_code (not decoded URI) to SmartThings
Step 3. SmartThings carries the authorization_code (decoded URI) to our server to exchange it for an access_token.

The way SmartThings decodes the URI is different from Alexa/GoogleHome.
Alexa/GoogleHome: DecodeURI of the step 2 authorization_code (%2B → “+”) will be the same as the step 3 authorization_code (%2B → “+”)
SmartThings: DecodeURI of the step 2 authorization_code (%2B → “+”) is different from the step 3 authorization_code (%2B → " " space)
The standard URI decoding of %2B should be “+”, instead of “space”.

Ex:
Step 2 authorization_code we return to SmartThings

“c6%2F%2FRFPTsCTrmZw1FMoOA6TRUyG3w7KfLY3QoOWRLGKQaCGiOZXzlm%2BnE51LsewmHh0sVVaMDnoqDLbA9wtKdUOuhthcNaDxUgpMBL58g4Of2AVzq8GXEkcDfYUqltRS68VkFMWi7CJwgKMk%2B9aPq9MDk1wA3IOes94SHYNCOolYPCMT%2B8wrzfwkCb%2FmNfcSzZbtshIMoctaBbO%2Bsbi%2FBBG9Z5IKovpgdWgSbKKwXMnfq1k%2B8EqU%2F8oY%2B5AkssxeigWwEYEHJFt0C2lfUcqKqQ0DwflI%2FZM%2B0mLSBbrjyRGT3Sa5vvSl9TrmsFoLtHpaHIIoA3XFd7rY%2FcaiBggq6MoMM9QXJnoWO6uDikIOm1bCHh3R39XlZ26xrUmOBrQ0HdL7jVhvIoOjG8etN4gAEJLOiEcXbdkNRe3XX8GzY92gJo6TicQihvcGkL%2FoEgugfooRtOXAmvro91jO%2FVCtaYcL8dtoflofhvDNlH%2FzYnIaQxf9zji2ABNmhghVFYhGSYhjekzU4yLby%2F40ZWBvFsASjcCoy3KH9l79Qqcgh5xuzI3yg%2Bfl55c3uU%2BmRSlxza5gZtlT0KBKDHBFnsYZw%2BknDz9nVsBQ2moy3feuzVNBf%2BPB%2BKtx0H9hW26Fdl%2Fvek36vZIur8YqFjGLy6zJXpbXFXG0npbMBueqx9Iwz7M%3D”

Step 3 authorization_code SmartThings carried to our server

“c6//RFPTsCTrmZw1FMoOA6TRUyG3w7KfLY3QoOWRLGKQaCGiOZXzlm nE51LsewmHh0sVVaMDnoqDLbA9wtKdUOuhthcNaDxUgpMBL58g4Of2AVzq8GXEkcDfYUqltRS68VkFMWi7CJwgKMk 9aPq9MDk1wA3IOes94SHYNCOolYPCMT 8wrzfwkCb/mNfcSzZbtshIMoctaBbO sbi/BBG9Z5IKovpgdWgSbKKwXMnfq1k 8EqU/8oY 5AkssxeigWwEYEHJFt0C2lfUcqKqQ0DwflI/ZM 0mLSBbrjyRGT3Sa5vvSl9TrmsFoLtHpaHIIoA3XFd7rY/caiBggq6MoMM9QXJnoWO6uDikIOm1bCHh3R39XlZ26xrUmOBrQ0HdL7jVhvIoOjG8etN4gAEJLOiEcXbdkNRe3XX8GzY92gJo6TicQihvcGkL/oEgugfooRtOXAmvro91jO/VCtaYcL8dtoflofhvDNlH/zYnIaQxf9zji2ABNmhghVFYhGSYhjekzU4yLby/40ZWBvFsASjcCoy3KH9l79Qqcgh5xuzI3yg fl55c3uU mRSlxza5gZtlT0KBKDHBFnsYZw knDz9nVsBQ2moy3feuzVNBf PB Ktx0H9hW26Fdl/vek36vZIur8YqFjGLy6zJXpbXFXG0npbMBueqx9Iwz7M=”

decodeURI Tool

Why is SmartThings' URI decoding different, and why has it only happened since 4/23? Is that a bug in SmartThings?

Hi, @exosite

Sorry for the delay, I’m checking some details with the engineering team. Once I get their feedback, I’ll let you know if we need more info or if there are some action items.

Hi, @exosite
The engineering team saw that the errors you mentioned stopped on March 24th. Did you solve it?

They also mentioned that they haven’t changed the code of the URL encoding, so it is unlikely that this is the root cause of the issue.

While asking you about the issue, I have solved it by replacing " " (space) with “+” in the authorization code.

In the beginning of this April I was modifying our SmartThings integration “only for supporting more device capabilities” and I was frequently logging in and disconnecting the account linking. During that time account linking was “normal”.

The above provided authorization_code example was just copied on Apr. 23rd.

I will check the authorization code again.
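Added example, not code from anyone in this thread: one common way a `%2B` in an authorization code ends up as a space is that the value is percent-decoded once and then placed in an `application/x-www-form-urlencoded` body without being re-encoded, so the form parser turns the bare `+` into a space. Whether that is what happened here is not established by the thread; the sample code, function names and the base64 alphabet assumption are constructed for illustration.

```javascript
// Constructed base64-like authorization code (not the value from the thread).
const RAW_CODE = "c6//RF+nE51/8oY+5Ak=";

// Step 2: the authorization server percent-encodes the code once for the redirect.
function encodeForRedirect(code) {
  return encodeURIComponent(code); // "+" -> %2B, "/" -> %2F, "=" -> %3D
}

// RFC 3986 percent-decoding: %2B -> "+", and a literal "+" stays "+".
function percentDecode(value) {
  return decodeURIComponent(value);
}

// Step 3, faulty relay: decode once, then concatenate the decoded value into a
// form body. The token endpoint's form parser reads the bare "+" as a space.
function relayWithoutReencoding(encodedCode) {
  const decoded = percentDecode(encodedCode);
  const body = "grant_type=authorization_code&code=" + decoded; // missing re-encode
  return new URLSearchParams(body).get("code");
}

// Step 3, correct relay: let the form serializer re-encode the decoded value.
function relayWithReencoding(encodedCode) {
  const decoded = percentDecode(encodedCode);
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code: decoded,
  }).toString();
  return new URLSearchParams(body).get("code");
}

// Server-side tolerance like the workaround described above (space -> "+").
// Assumption: codes are plain base64, so a space can never be legitimate.
// Anything outside that alphabet is rejected instead of being "repaired".
function repairBase64Code(received) {
  if (!/^[A-Za-z0-9+\/ ]+={0,2}$/.test(received)) return null;
  return received.replace(/ /g, "+");
}
```

Issuing codes in the base64url alphabet (`-` and `_` instead of `+` and `/`, no padding) avoids the problem entirely, because no character in the code then has a special meaning in either decoding scheme.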