Smart app with OAuth and client id/secret, does it change?

oauth

(Binary Banana) #1

Hi,
I am building a mobile app that integrates with SmartThings, and as I need a list of users’ devices, I am using OAuth to get the access. From what I understand, publishing the app is not possible (http://docs.smartthings.com/en/latest/publishing/), so the user will need to copy the code from GitHub to create my app. It’s acceptable, but I am wondering about the client id and client secret. Will they change, or will they always be the same? Is there a way to have the same values for the app, even if the user is copy/pasting the app code from GitHub?

Thanks,
Jacek


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #2

To the best of my knowledge, you can only get a universal client-id and client-secret if the App is officially Published by SmartThings. The publication mechanism inherently has the tools to set those to a fixed value so that all OAuth requests hit the same SmartApp master.

When a regular customer loads a SmartApp into their own workspace (even using GitHub) and enables OAuth, a unique ID and Secret are generated. Access to that copy in order to create instances over OAuth is limited to the customer’s own Account (and any Locations in that Account) via their email and password.

A long time ago (2 or 3 years ago…), it was possible to share unpublished code via the ID and Secret; but this was considered, by SmartThings, to be a security risk, as it gave customers the impression that the code had been officially reviewed, published, and locked down from arbitrary changes. Such developers could have introduced vulnerabilities or exploits into the shared SmartApp without requiring a review by SmartThings. I think this fear was overblown - but the risk certainly existed.


The current SmartApp development, review, and publication process is being deprecated due to the new API which, we have been told, will have a streamlined publication procedure. It may take a while to get here, but once in place, I’m sure the situation will be much better. There’s nothing to do in the meantime but … wait.


(Binary Banana) #3

Thank you for all the details. It’s sad that there is no publishing process for marketplace apps. It will definitely be harder to convince users to publish the app manually and then type the client id/secret. The rate of people giving up on the app will be huge.

In that case I will probably market the app with the integration with Sonos devices, and SmartThings will be just a secondary/bonus option.

Thanks again!