[Schema, OAuth] Some devices (presumably Android) are making authorize requests with a null scope when using an empty scope

Symptom

Some users have reported that the integration is not working.

Existing integrated users are fine.

An error is occurring for a scope that the server does not support.

Investigation

It is suspected that some implementation of SmartThings—server, app, or even Galaxy’s webview browser—has changed.

During the OAuth authorize process, it was found that if there is no scope, the &scope=null parameter is being sent.

Our implementation does not require the client to request a separate scope and sets the default scope during the authz process.

This issue has been confirmed on a Galaxy S8 Ultra running Android 14, and does not occur on an iPhone X.

Authz request from iPhone (SmartThings 1.7.14.22):

 /oauth/authorize
   ?client_id=<client-id>
   &redirect_uri=https://c2c-ap.smartthings.com/oauth/callback
   &response_type=code
   &state=<state>

Authz request from S8 Ultra (SmartThings 1.8.17.22):

 /oauth/authorize
   ?client_id=<client-id>
   &redirect_uri=https://c2c-ap.smartthings.com/oauth/callback
   &response_type=code
   &state=<state>
+  &scope=null

Clearly, the null scope does not mean that no scope is being requested.

According to the OAuth spec, the client (SmartThings) can omit the scope.

If the client omits the scope parameter when requesting authorization, the
authorization server MUST either process the request using a pre-defined
default value or fail the request indicating an invalid scope.

If the client explicitly requests the scope, there is no problem.
However, ST doesn't currently allow modifying the scope of a published integration.

Since there is nothing else I can do at the moment, I tried adding a null scope.
But in the token exchange response (redirect), a window shows only the plain text {}.

If unresolved, I plan to modify the library to recognize null as an empty scope.

I hope ST either omits the parameter when the scope is empty or allows changing the scope of the published project.


Could it be related to this?
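Minimal server-side handling of the scope parameter, added here as an example (this is not SmartThings' code and not the poster's library). The scope names, DEFAULT_SCOPE, the partner host and the function names are assumptions, and the two sample URLs are constructed from the requests quoted above. It applies the RFC 6749 §3.3 rule quoted above (an omitted scope gets the pre-defined default), shows why the literal scope=null is not "no scope" (it is a syntactically valid scope token that was never registered, so it fails as invalid_scope), and includes, as an opt-in flag, the workaround the poster proposes of treating "null" as omitted:

```python
"""Resolving the scope of an /oauth/authorize request per RFC 6749 section 3.3.

Added example; not SmartThings' code and not the poster's server. Scope names,
DEFAULT_SCOPE, the partner host and function names are assumptions, and the
two sample URLs are constructed to mirror the requests quoted in the post.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed: the scopes this client is registered for, and the server-side
# default applied when the client omits the parameter (RFC 6749 s3.3).
ALLOWED_SCOPES = frozenset({"r:devices:*", "x:devices:*"})
DEFAULT_SCOPE = ("r:devices:*", "x:devices:*")
# The callback quoted in the post; a real server compares against the
# value registered for the client_id, never against the request itself.
REGISTERED_REDIRECT_URI = "https://c2c-ap.smartthings.com/oauth/callback"


class InvalidScope(ValueError):
    """Raised when the request names a scope the server does not support."""


def resolve_scope(params, *, treat_null_as_omitted=False):
    """Return the list of scopes to grant for the parsed query `params`.

    `params` is the dict produced by parse_qs (values are lists).
    - parameter absent or empty: apply DEFAULT_SCOPE (the spec's pre-defined default)
    - literal "null": rejected like any unknown token, unless treat_null_as_omitted
      is set; "null" is a syntactically valid scope-token, so the spec gives it no
      special meaning and this flag is a client-compatibility workaround only
    - anything else: a space-delimited list in which every token must be allowed
    """
    values = params.get("scope", [])
    if not values or values == [""]:
        return list(DEFAULT_SCOPE)
    raw = values[0]
    if treat_null_as_omitted and raw == "null":
        return list(DEFAULT_SCOPE)
    requested = [tok for tok in raw.split(" ") if tok]
    unknown = [tok for tok in requested if tok not in ALLOWED_SCOPES]
    if unknown:
        raise InvalidScope(" ".join(unknown))
    return requested


def authorize(url, *, treat_null_as_omitted=False):
    """Handle one authorize URL.

    Returns (scopes, None) on success, or (None, redirect_url) where redirect_url
    carries error=invalid_scope plus the client's state back to redirect_uri, as
    RFC 6749 s4.1.2.1 requires. A redirect_uri that does not match the registered
    one raises instead: the server must not redirect to an unvalidated URI.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    redirect_uri = params["redirect_uri"][0]
    if redirect_uri != REGISTERED_REDIRECT_URI:
        raise ValueError("redirect_uri does not match the registered value")
    state = params.get("state", [""])[0]
    try:
        return resolve_scope(params, treat_null_as_omitted=treat_null_as_omitted), None
    except InvalidScope as exc:
        error = urlencode({
            "error": "invalid_scope",
            "error_description": f"unsupported scope: {exc}",
            "state": state,
        })
        r = urlsplit(redirect_uri)
        query = f"{r.query}&{error}" if r.query else error
        return None, urlunsplit((r.scheme, r.netloc, r.path, query, ""))


# Constructed sample requests mirroring the post (client_id and state are placeholders).
IPHONE_REQUEST = (
    "https://partner.example/oauth/authorize?client_id=client-id"
    "&redirect_uri=https%3A%2F%2Fc2c-ap.smartthings.com%2Foauth%2Fcallback"
    "&response_type=code&state=abc123"
)
ANDROID_REQUEST = IPHONE_REQUEST + "&scope=null"

if __name__ == "__main__":
    print(authorize(IPHONE_REQUEST))                                # default scopes granted
    print(authorize(ANDROID_REQUEST))                               # invalid_scope redirect
    print(authorize(ANDROID_REQUEST, treat_null_as_omitted=True))   # workaround in effect
```

The workaround flag is deliberately opt-in: if it is enabled, limit it to the affected client and remove it once the app stops sending the literal, since it silently accepts a value the client never intended. The redirect_uri comparison runs before any error redirect is built, because an invalid_scope error sent to an attacker-supplied redirect_uri would leak the state value.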

Hi, @Shina_System_Co_Ltd
Did the users that reported this issue mention if they’re seeing the error “viperError”:“missing_required_query_parameters”?
That’s because there’s an already-reported issue in the latest Android app version, which is 1.8.17.22. If you can confirm it’s the same, I’ll add you to that report with your observations.

I saw that error a few times during a test, but mainly the error below appears.

Couldn't link account.
Error code: null