OAuth createAccessToken /api/token revoking?


(Erik) #1

Hello,

I am trying to use the super secret API methods of calling createAccessToken/revokeAccessToken in combination with /api/token endpoints as used in the Quirky App, however I am having some issues attempting to revoke the created token afterwards.

I am attempting to use the /api/token endpoint in an OAuth callback to avoid having the user log into both an external service and the SmartThings service which they are already authenticated to. This works (is there documentation for /api/token anywhere?), however as the token has been transmitted through the clear in the url I need to revoke it to ensure the security of the SmartThings account. There is a method called revokeAccessToken() however this does not seem to actually revoke the token created with createAccessToken().

Does anybody have a solution for revoking tokens?

Thanks!
-Erik

Here are some other possibly related threads in which I could not find an answer:



(Justinlhudson) #2

The only way I know of to revoke the token is to uninstall the app and install again. Not the best solution, but does the trick.


(Alex) #3

If anyone ever finds out, please let me know.


(www.rboyapps.com - Make your home your butler!) #4

Here’s an idea I’m using, if you want to revoke the token, just create a new token and don’t publish it to the user. If they try to use the old token it won’t work anymore.


(Alex) #5

But the old token still works!


(www.rboyapps.com - Make your home your butler!) #6

Hmm not with me, once I create a new code the old one doesn’t work anymore. I just call:

createAccessToken()

and the old one no longer works.


(Alex) #7

How long ago did you try this?

Prior to about October of last year, calling createAccessToken() would invalidate the previous one. Then something happened at the back end and it became impossible to invalidate old tokens. ST developers were not aware of any such changes. I know, because I tried several ridiculous workarounds to remedy this change in behavior.

There was this recent conversation on the topic:

I’m going to try this again. If it works the same way as it did last year, that will be pleasant surprise.

@Jim, if you could chime on this, that would be great.


(www.rboyapps.com - Make your home your butler!) #8

I checked it about 2 weeks ago