Hello,
I use AWS Cognito as an OAuth 2.0 provider to log in my users using the hosted UI.
Since I have new requirements for the login while adding my device in the SmartThings app (users are now required to enter both username and phone number and validate their identity through an OTP code received by SMS),
I can’t use the hosted AWS Cognito interface anymore.
I’m building my own front end and handling the login with my backend and the AWS Cognito SDK.
The first problem is that I don’t know what to put in the Developer Workspace app credentials. I used to put the data from the Cognito instance.
Now I have instead set the same client ID and client secret, but I changed the Authorization URI to my new login page URL.
Then I set as Token URI a new API endpoint I made on my backend that receives some parameters and sends back the tokens.
The problem is that, after I verify the user’s identity and OTP code, I receive from Cognito an object with the following attributes:
String accessToken;
Integer expiresIn;
String tokenType;
String refreshToken;
String idToken;
I really don’t know what to do. For the moment I generated a random ‘code’, i.e. abcd-1234, and saved it together with the response data in my database.
From the frontend I redirect the user to this URL: “SmartThings” and receive an OK message that says I can now close the window, but no device is added to my ST app.
Hi @nayelyz, the two posts I made are not completely related. This one is about the login the user has to do inside the SmartThings app while adding the device; the previous topic is more about how to handle the access token requests between my back end and SmartThings (to keep devices connected and able to refresh their state using a callback URL).
To answer your question:
This is the custom login page I want the user to use, but I’m stuck on what to do when they press the “Verify OTP” green button (after I verify their identity and OTP code, what should I do to enable the device to be added in the SmartThings app?). Here is a screenshot of the page:
I think I really need to understand how the communication between SmartThings and the OAuth 2.0 provider works.
And also how to populate the login and token URIs in the Developer Workspace.
You should include the authorization code there as a query parameter.
Then, SmartThings will try to exchange that code for an Access Token to your OAuth server.
You should check if you get a request to create an access token from SmartThings.
The problem I’m facing is the following:
Amazon Cognito only provides me the authorization_code while using their standard hosted UI.
Since I’m doing the authentication in my backend using the AWS Java SDK, the result is that I directly get the access_token, refresh_token, token_id and expiration. So I actually don’t have an authorization_code to exchange with the redirect URL: https://c2c-eu.smartthings.com/oauth/callback.
Is there any way I could directly use these tokens to establish a connection with SmartThings? And I also need a way to enable SmartThings to call the AWS Cognito /token endpoint for the future token updates.
Is that token different on each request? Because, I think it would be possible for you to:
Generate an authorization_code in your server that corresponds to that Access Token you received
Then, send that code you generated to ST.
Once ST calls the endpoint you registered as “Token URI”, you send the Access Token Cognito provided to you.
Would that make sense in your current integration? I’ll ask the engineering team if it’s possible to skip the authorization_code step.
What do you mean? ST will call the URL of your Token URI to refresh the access token, but is that not part of the “AWS Cognito SDK” that you mentioned you were using?
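The bridge described in the two replies above (mint a server-side authorization code that maps to the Cognito token set, send it back on the SmartThings callback, then answer the Token URI call with the stored tokens, and later the refresh call), as an added example that is not the thread's or SmartThings' own code. It is written in Python with only the standard library; the OP's backend is Java, but the flow is language-neutral. The client ID/secret, the `alice` user and the Cognito token values are constructed placeholders, the dicts stand in for the OP's database tables, and `cognito_refresh` is a stand-in for the SDK refresh call rather than a real Cognito request.

```python
"""Authorization-code bridge between a custom OTP login and an OAuth2 client
such as SmartThings. Added example, not the thread's own code. It assumes a
client that receives ?code=...&state=... on its redirect URI and then POSTs
grant_type=authorization_code (later grant_type=refresh_token) to the Token URI.
All credentials and token values below are constructed placeholders."""
import hmac
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

CODE_TTL_SECONDS = 60  # codes are short-lived and single-use

# Constructed placeholders for the values registered in the Developer Workspace.
CLIENTS = {"st-client-id": "st-client-secret"}
REGISTERED_REDIRECT_URIS = {"https://c2c-eu.smartthings.com/oauth/callback"}

# In a real backend these are database tables; dicts keep the example offline.
_codes = {}           # code -> record bound to client_id, redirect_uri, expiry, tokens
_refresh_tokens = {}  # refresh_token -> username our backend issued it for


def cognito_refresh(refresh_token):
    """Stand-in (assumption) for the Cognito SDK refresh call. Returns a fresh
    access/id token for a refresh token we handed out earlier, else None."""
    user = _refresh_tokens.get(refresh_token)
    if user is None:
        return None
    return {"accessToken": "at-refreshed-" + user, "idToken": "id-refreshed-" + user,
            "expiresIn": 3600, "tokenType": "Bearer"}


def issue_authorization_code(cognito_tokens, client_id, redirect_uri, username, now=None):
    """Called right after the OTP has been verified. Mints an opaque code that maps
    to the Cognito token set and is bound to the client and redirect URI."""
    if client_id not in CLIENTS or redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("unknown client or unregistered redirect_uri")
    code = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable like abcd-1234
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "expires_at": (now or time.time()) + CODE_TTL_SECONDS,
                    "tokens": cognito_tokens, "used": False}
    _refresh_tokens[cognito_tokens["refreshToken"]] = username
    return code


def build_redirect_url(redirect_uri, code, state):
    """Where the front end sends the browser after 'Verify OTP': the callback with
    the code and the untouched state parameter the client sent in."""
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def _client_authenticated(form):
    secret = CLIENTS.get(form.get("client_id", ""))
    return secret is not None and hmac.compare_digest(secret, form.get("client_secret", ""))


def token_endpoint(form, now=None):
    """The backend's Token URI. `form` is the parsed form body the client POSTs.
    Returns the JSON-ready response dict (access_token, token_type, expires_in,
    refresh_token) or an OAuth2 error object."""
    now = now or time.time()
    if not _client_authenticated(form):
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "authorization_code":
        rec = _codes.get(form.get("code", ""))
        if (rec is None or rec["used"] or now > rec["expires_at"]
                or rec["client_id"] != form["client_id"]
                or rec["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        rec["used"] = True  # a replayed code must never yield a second token set
        t = rec["tokens"]
        return {"access_token": t["accessToken"], "token_type": t["tokenType"],
                "expires_in": t["expiresIn"], "refresh_token": t["refreshToken"]}
    if grant == "refresh_token":
        fresh = cognito_refresh(form.get("refresh_token", ""))
        if fresh is None:
            return {"error": "invalid_grant"}
        return {"access_token": fresh["accessToken"], "token_type": fresh["tokenType"],
                "expires_in": fresh["expiresIn"], "refresh_token": form["refresh_token"]}
    return {"error": "unsupported_grant_type"}


def demo():
    """End-to-end walk-through with a constructed Cognito response."""
    cognito = {"accessToken": "at-1", "expiresIn": 3600, "tokenType": "Bearer",
               "refreshToken": "rt-1", "idToken": "id-1"}
    cb = "https://c2c-eu.smartthings.com/oauth/callback"
    creds = {"client_id": "st-client-id", "client_secret": "st-client-secret"}
    code = issue_authorization_code(cognito, "st-client-id", cb, "alice")
    url = build_redirect_url(cb, code, "st-state-xyz")
    q = parse_qs(urlsplit(url).query)  # what the client sees on its callback
    first = token_endpoint({"grant_type": "authorization_code", "code": q["code"][0],
                            "redirect_uri": cb, **creds})
    replay = token_endpoint({"grant_type": "authorization_code", "code": q["code"][0],
                             "redirect_uri": cb, **creds})
    refreshed = token_endpoint({"grant_type": "refresh_token",
                                "refresh_token": first["refresh_token"], **creds})
    return q["state"][0], first, replay, refreshed


if __name__ == "__main__":
    print(demo())
```

The checks that matter in production are the ones the OP's random `abcd-1234` approach skipped: the code is unguessable, expires within a minute, can be redeemed once, and only by the client and redirect URI it was minted for; the client secret is compared in constant time; and the `state` value is echoed back unchanged so the client can tie the callback to the request it started.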
Hello @nayelyz, I’m writing to let you know I solved the problems I had.
Token not working: I don’t know why, but their length increased, so I had to increase the size of the columns in the DB where I store them.
Custom login page: I made the entire OAuth2 flow on my backend side, so I’m not relying on any external service anymore. I managed to establish the communication with SmartThings, so by now everything seems to work well.
I’m working in a test environment, but actually I have a prod environment and a WWST certified product.
I just have some questions about some updates I want to make:
Is it possible to modify the OAuth section in the Samsung workspace for a certified device? (I have to modify my webhook endpoint and the OAuth client information: /login, /token, clientId and clientSecret.)
I would like to modify the structure of my device profile: number of components and their order (the capabilities will be the same). Is it possible if the device has already been published and is certified as WWST?
This is possible; we need the help of the Schema team to update those directly in the backend. For that, we ask you to send an email to build@smartthings.com with the following information:
App ID - It’s the ID that you can see in the Developer Workspace
List the properties you want to change with the new value.
In the case of the client ID and secret, let me check how we can get these values securely.
I need to confirm this with the certification team. Could you provide the ID of the certified profile and the ID of the profile you would like to use just so the team can compare the changes, please?
I’m not interested in modifying the app credentials: App ID, Client ID and Client Secret should keep their values.
As for the profile, I haven’t made any change yet. I’m just wondering if I can modify my existing profile (I’m not interested in making a new one and switching profiles; I would like to modify the already active device profile if possible).
Thank you again for your support, it is very helpful!
Yes, we understand that; we’re only confirming some details about this change with the engineering team.
Just a heads-up. Since this is a published integration, this change requires you to monitor the functionality after it’s applied to verify it didn’t cause issues to the current users. So, once we request the change, the engineering team will align with us to determine the time to apply the change when you’ll be able to monitor the behavior.
In the case of Schema, once the integration is published, so is the device profile, for other users to use when installing their devices. This means that the profile can no longer be modified, so you would need to create a new one if you want to change anything in it. If you don’t want to create a profile yet, then please share the current profile ID and a file showing how it would look with your modifications.
Following up, here’s the information we require to make the change in the OAuth credentials of your project:
App ID - It’s the ID that you can see in the Developer Workspace
In the case of the client ID and secret, due to them being sensitive values, please send them through Keybase to my user (I’ll share it with you over DM).
As I mentioned before, the engineering team will need your help to confirm that these new URLs work correctly and that this server will support the existing refresh tokens you provided for the already-installed devices, so that when ST tries to refresh the access token with your OAuth server, the refresh token is still valid and the users don’t lose access.
For the change in the profile, as I mentioned before, we need the IDs of both profiles, the published one and the new one.
Just as a reference, there’s no issue in changing the profile ID used in the Schema; for the existing devices, the next time a discovery request happens (every 24 hours, or forced through “Linked services”), the device will start using the new one.
Thank you @nayelyz for the clear answer and the support.
We are still in the development phase of the new login page and device profile. When it is production ready we will get in touch with build@smartthings.com and I will send our client ID and client secret to your user on Keybase. (Maybe I will also send you a reminder over DM.)
As for the existing refresh tokens, we still have very few users, who are mainly testers, so I think we will ask them to remove the integration from their ST app and add our device again.
I hope this will be fine for you. Thanks again and we’ll be in touch soon.