Smartthings Api WEBHOOK_SMART_APP authorize

Developer Programs Writing SmartApps
1

I am writing (in python) a custom integration of SmartThings for HomeAssitant.

I need to receive events from SmartThings for this I want to use “WEBHOOK_SMART_APP” as appType.

My app is created and confirmed (I tried both via PING and via CONFIGURATION flow) but when I create the authorization url and authorize the location I am redirected to the “redirect_uri” url without authorization code “code” but with errors in query string “error=invalid_request&error_description=The request is malformed.”.

APP ID: 3dadda29-5bc2-4858-ac00-4715617460cc

2

Installing a WEBHOOK_SMART_APP doesn’t involve an authorization code. You create/register, verify and publish the app via the Developer Workspace and install instances of the app via the mobile apps. Renewable access and refresh tokens are delivered via the INSTALL and UPGRADE lifecycles, and five minute access tokens via the EVENT lifecycle. There are ways of bypassing the Developer Workspace and apps but they aren’t publicly documented.

The authorization code is involved in the OAuth-In app flow (with the API_ONLY app type).

3

How can i get this workaround?

API_ONLY is not a solution, i need to get updates from devices when exist.

4

The OAuth-In (API_ONLY) apps have a Webhook just like the WEBHOOK_SMART_APP. Instead of ‘lifecycle’ messages they receive ‘messageType’ messages, in particular the CONFIRMATION message for verification and the EVENT for status messages from SmartThings. The structure is identical where relevant.

You subscribe to the events in the same way you would with the Webhook SmartApps, you just don’t have the CONFIGURATION stuff to contend with.

5

Hi @andreadegiovine

Adding to what @orangebucket mentioned, SmartApps are not the same as OAuth (API) Access Apps, they cannot be created through the Developer Workspace.
These are the instructions to create an API Access app:

  1. The option to create OAuth integrations cannot be found in the Developer Workspace.
  2. You need to use the SmartThings CLI to create this type of app
  1. You can also use the JSON in this sample as the input for the command.
    GitHub - SmartThingsCommunity/api-app-subscription-example-js: Example API Access SmartApp that shows the state and allows control of devices
  2. Then, you need to start the OAuth 2.0 process which consists on:
  1. The Access Token you get expires in 24 hours.
  2. The Refresh Token expires in 29 days if not used. We suggest you refresh the token before this time, otherwise, you’ll lose the Refresh token and the User will need to re-authorize.

NOTE: Remember the OAuth integration has a limit of 500 installations by default. Each time a user authorizes access to one of his/her locations, it will count as 1 installation. This means, if a user has 3 locations and authorizes access to each of them, he/she will use 3 installations.

  1. To refresh the Access Token, you need to use the same endpoint but the grant_type is different, here’s an example about this:

  2. curl -X POST “https://api.smartthings.com/oauth/token” -u “${clientId_from_app}”:“${clientSecret_from_app}” -H “Content-Type: application/x-www-form-urlencoded” -d “grant_type=refresh_token&client_id=${clientId_from_app}&refresh_token=${latest_refresh_token}”

SmartApps don’t have the field of “redirect_uri”, only “target_url” so, maybe the redirect URI is set by default to the URL we saw to continue with the normal SmartApp lifecycle events and the engineering team saw that in the logs.

6

The goal is that every installation of HomeAssistant integration will create a SmartApp using http request (no command line) using personal access token and oauth flow.

On the documentation i cant find a section to subscribe for devices update using API_ONLY, but only for installed apps

7

The documentation is indeed rather incomplete.

The subscription method is the same. You receive the installedAppId along with your access and refresh tokens.

The device events will be POSTed to your app’s target URL in a similar fashion to the documented EVENT lifecycle for Webhook and Lambda apps. You will see that they will have a messageType rather than a lifecycle and they don’t include a temporary access token.

8

On the APY_ONLY app creation request i dont send any target_url (as for WEBHOOK), than how the server say where send events?

Im confused, please add some example (request, response, flow)

9

I would recommend installing the CLI, setting it to debug mode, and then creating the app as Itati described above. It will show you the API calls it is making.

However I believe the following, which Itati also pointed you towards, illustrates the JSON to create an app with the target URL:

10

I’m curious about this, are you trying to achieve something with Home Assistant? Because there’s already an official integration about this that the HA and ST teams worked on and was announced here: New Integration Between Home Assistant and SmartThings

This is to avoid duplicated efforts, but as mentioned above, if your flow of the API_ONLY app is successful, then, you’ll get an installedAppId in the same access token object, for example:

{
   "access_token":"41fb5735-d9af-4041-...",
   "token_type":"bearer",
   "refresh_token":"f804c515-2afa-4a49-...",
   "expires_in":85744,
   "scope":"r:locations:* x:devices:* r:devices:*",
   "access_tier":0,
   "installed_app_id":"cac8fb70-4e2c-4630-..."
}

If you haven’t registered a targetURL, you should edit the app to do so.
Remember this will also trigger a CONFIRMATION request (similar to a SmartApp) which means you need to verify the app to start receiving the events. This means you don’t need the an API_ONLY app to create another SmartApp for the subscriptions.

1 Like