OAuth suddenly broken out of nowhere

My Python app that was using the OAuth flow for auth suddenly stopped working. I know it was working perfectly around 2 months ago. I changed nothing in the code. When I access the generated auth URL in the browser I simply get 403 Forbidden.

This is an example url: https://api.smartthings.com/oauth/authorize?response_type=code&client_id=<client_id>&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&scope=r%3Adevices%3A%2A+x%3Adevices%3A%2A&state=<state>

I even regenerated the client id and secret in the cli to no avail:

❯ smartthings.exe apps:oauth:generate <appid>

 Client Name          pyscript
 Scope                r:devices:$,x:devices:*,w:devices:$,r:devices:*,w:devices:*,x:devices:$
 Redirect Uris        https://api.smartthings.com/installedapp,http://localhost:8000/callback
 OAuth Client Id      <same_client_id>
 OAuth Client Secret  <client_secret>

It doesn’t help that there is zero explanation as to what is even failing. I also cannot find anything in the docs about recent API changes. Considering that this comes right after the removal of PATs, I am very pissed off.

There seems to be a spurious https://api.smartthings.com/installedapp URL that has found its way into the list of redirect URLs. That always seems to be associated with problems.

I seem to remember it gets created by one of the CLI OAuth operations.

Update (posted after Nayely’s response): Looking back at some email correspondence with @nayelyz from the end of January this year, I see it was actually the smartthings apps:oauth:generate that you were using to attempt a fix for your problems that created that extra URL for me. I had rather assumed the redirect URLs in the app were supposed to be a whitelist but that one seems to take over when it is there.

Hi, @Nikolas
If you didn’t add this redirect URL by accident and some service did, please let me know to open a report.
It would be helpful to know if you updated your app’s OAuth config and the issue started to happen.

@orangebucket @nayelyz
I can confirm that the unknown URL was added by the apps:oauth:generate command. However, I only ran this command after the problem had already started, in hopes of fixing it. I also just created a fresh new app using the CLI, which does not have the URL, but the problem persists even with this new app.

❯ smartthings apps:oauth 1
────────────────────────────────────────────
 Client Name    monitorswitcher
 Scope          r:devices:$,r:devices:*,x:devices:$,x:devices:*
 Redirect Uris  http://localhost:8000/callback
────────────────────────────────────────────

Hi, @Nikolas

I had a suspicion but I confirmed that the issue is that you’re using an HTTP URL to localhost.

I did a test, and if I used the localhost URL, I got the same 403 error. I only modified the URL to use an HTTPS one, and it worked again.
So, I suggest you use a tool like ngrok to create an HTTPS tunnel for your tests.
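As an added example (not code from the thread or from SmartThings), this is how the client side of the flow above can be written so that it fails fast on the two things the thread turned up: an http:// redirect_uri, which the authorize endpoint now answers with 403, and a redirect_uri that is not in the app's registered list (the stray installedapp entry). The ngrok hostname, the client id and the registered URI set are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://api.smartthings.com/oauth/authorize"

# Redirect URIs as registered on the app (constructed placeholder; the thread
# shows that the registered list should contain only your own HTTPS callback).
REGISTERED_REDIRECT_URIS = {"https://example.ngrok.app/callback"}


def check_redirect_uri(uri, registered=REGISTERED_REDIRECT_URIS):
    """Return uri if it is HTTPS and registered; raise ValueError otherwise."""
    if urlsplit(uri).scheme != "https":
        # The thread's finding: an http://localhost redirect gets a 403 from /oauth/authorize.
        raise ValueError(f"redirect_uri must use https: {uri}")
    if uri not in registered:
        # Exact-match allowlist, so an unexpected entry cannot silently take over.
        raise ValueError(f"redirect_uri is not registered for this app: {uri}")
    return uri


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Build the authorization URL; returns (url, state) so the caller can store state."""
    check_redirect_uri(redirect_uri)
    state = state or secrets.token_urlsafe(32)  # unguessable per-request CSRF token
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # urlencode turns this into the r%3Adevices%3A%2A+... form
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the callback, rejecting a state mismatch."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback did not originate from our request")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    return params["code"][0]
```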