I am trying to use the super secret API methods of calling createAccessToken/revokeAccessToken in combination with /api/token endpoints as used in the Quirky App; however, I am having some issues attempting to revoke the created token afterwards.
I am attempting to use the /api/token endpoint in an OAuth callback to avoid having the user log into both an external service and the SmartThings service which they are already authenticated to. This works (is there documentation for /api/token anywhere?); however, as the token has been transmitted in the clear in the URL, I need to revoke it to ensure the security of the SmartThings account. There is a method called revokeAccessToken(); however, this does not seem to actually revoke the token created with createAccessToken().
Does anybody have a solution for revoking tokens?
Thanks!
-Erik
Here are some other possibly related threads in which I could not find an answer:
RBoy
(www.rboyapps.com - Making SmartThings Easy!)
Here’s an idea I’m using: if you want to revoke the token, just create a new token and don’t publish it to the user. If they try to use the old token, it won’t work anymore.
Prior to about October of last year, calling createAccessToken() would invalidate the previous one. Then something happened at the back end and it became impossible to invalidate old tokens. ST developers were not aware of any such changes. I know, because I tried several ridiculous workarounds to remedy this change in behavior.
There was this recent conversation on the topic:
I’m going to try this again. If it works the same way as it did last year, that will be a pleasant surprise.
@Jim, if you could chime in on this, that would be great.