SmartThings Community

SmartThings OAuth Changes

slagle (Tim Slagle) 2016-01-08 20:12:42 UTC #1

Hello fellow devs! We are announcing an important change that will impact some application development on the SmartThings platform.

Starting February 1st, SmartApps that are not approved and published through official the SmartThings submission process will no longer be able to install OAuth endpoints into others accounts. OAuth endpoints in your own account will continue working. This change is required to protect the privacy and security of customers of 3rd party apps as well as SmartThings customers. In addition, this change provides the ability for published SmartApps to function in global markets as SmartThings expands. Therefore we are asking that all such SmartApps be submitted for review and publication.

If you haven’t seen them already, you will find changes to the Web Services SmartApp section as well as Service Managers in the newly published changes to the developer docs. These changes to the SmartThings OAuth flow to allow for global availability are presented alongside best practices to follow when you are using OAuth within the SmartThings ecosystem.

If you already have a popular smartapp that is installed using the OAuth method, we will fast-track review of these submissions in order to get them in prior to the deadline but in order to process your submission and publish the applications we are requesting that submissions be made by January 20th. We’re here to help you if you have any questions so please don’t hesitate to ask @jodyalbritton and I any questions regarding these changes.

UPDATE: This change has been put on hold until we can get all the OAuth apps reviewed and published. Will update with a new date once we have these apps published.

UPDATE: These OAuth changes will be in affect starting April 1, 2016.

UPDATE: These changes are now live.

Remote OAuth2 Token request failed with 401

Unable to authorize devices in my smart app

OAuth Changes announced in January are now complete

SmartThings Platform Security - Response from Alex

Why do we get new random problems with SmartThings?

[Obsolete Info] SmartTiles v5.x Alert: Installation Deadline

SmartTiles (& "other" External Services) Security

Using Default "apps" is there no way to set individual bulbs to unique settings in one rule?

[Release] Updated Open Source Ecobee Device Type and SmartApps

[Obsolete Info] SmartTiles Installer: Fixed for now;

Was the Smart Things security flaw for smartlocks fixed?

MichaelS (Micheal ) 2016-01-09 00:58:16 UTC #2

To be clear, this is only for 'auto install' apps...not for apps that the user downloads code and enable OAuth on their own?

slagle (Tim Slagle) 2016-01-09 03:49:00 UTC #3

You got it @MichaelS

As long as the customer can see the code they are allowed to use it.

kurtsanders (Kurt Sanders) 2016-01-09 12:43:30 UTC #4

For example, SmartTiles would be an 3rd party application using OAuth that needs ST approval? Will there be a published list of those approved 3rd party OAuth and will the application break and that will be our notice?

Mbhforum (Mbhforum) 2016-01-09 12:50:51 UTC #5

I hope Harmony integration doesn't break

tgauchat (ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy; NOT a SmartThings Employee.) 2016-01-09 18:48:54 UTC #6

While I do not disagree with the value of this change for various good reasons, I think it is important to note that the incremental difference in "security" related to this change should not be over emphasized.

There is already a discussion on the details of this (please hop over to that discussion linked below to catch up on all the details, rather than taking this Announcement on a tangent, thanks!).

tgauchat (ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy; NOT a SmartThings Employee.) 2016-01-09 18:54:22 UTC #7

SmartTiles is indeed a SmartApp using this "shared" OAuth installation method. It is not an extremely common method so the chances that you are using many other affected SmartApps isn't too high.

However, SmartThings doesn't really have a way "at their fingertips" to find all such SmartApps at this time (to my knowledge), and so it is up to the Developers of the SmartApps to submit them for Marketplace listing and inform their users of any updated versions or installation procedures.

slagle (Tim Slagle) 2016-01-09 19:11:44 UTC #8

We do we reached out to all affected developers.

It's up to the app developer to inform their user community, same as any other development platform. We reached out to every app developer who used this method and gave them a personal warning. Outside of sharptools, smartrules, and SmartTiles, this affected about 500 or so users.

SmartRules and SharpTools have been through this process already and their userbase is migrated. SmartTiles is next

JoeC (Joe) 2016-01-14 03:56:10 UTC #9

Hey @slagle , the Simple Rule Builder SmartApp was submitted for review a few months ago. Any chance you can help make sure it gets reviewed before the deadline?

thrash99er (Morgan) 2016-01-21 00:22:28 UTC #10

Does this mean that SmartTiles won't work now??

slagle (Tim Slagle) 2016-01-21 00:23:28 UTC #11

It will continue to work if you already have it installed. We are working with them to get it ready for the cut off as well.

slagle (Tim Slagle) 2016-02-01 18:06:49 UTC #12

UPDATE: This change has been put on hold until we can get all the OAuth apps reviewed and published. Will update with a new date once we have these apps published.

JDRoberts 2016-02-01 18:08:14 UTC #13

Does this have anything to do with the "object object" bug which appeared in the last week and prevents the addition of any new devices for either echo or harmony? And if so, does putting the change on hold mean the bug will go away?

http://thingsthataresmart.wiki/index.php?title=Bug:_object,_object_instead_of_device_name

slagle (Tim Slagle) 2016-02-01 18:09:06 UTC #14

No. The changes were put on hold so we can get the endpoints published.

RBoy (www.rboyapps.com - Make your Home your Butler!) 2016-04-29 19:39:53 UTC #15

So Tim, is the process for reviewing new submitted apps streamlined?
If there some way to have custom DH's also included as part of this process?

slagle (Tim Slagle) 2016-04-29 20:06:34 UTC #16

Custom DH's are a whole different beast. There is a lot we need to understand and figure out from a UX perspective. But it is something we are talking about, but right now, it is not a super high priority.

We are also working on streamlining the SA submission process even further as well.

Silverpawn (Brian) 2016-05-03 13:15:45 UTC #17

Has anyone put together a list of the major 3rd Party smartapps that are not going to work as we've just started to see some issues where apps have stopped working. But at the moment it's not clear whether this is the cause.

CrystalStylez (Byron Davis) 2016-05-03 15:42:35 UTC #18

Me personally I am unable to use sharptools and cannot authorize anything. SmartTiles and echo work fine.

slagle (Tim Slagle) 2016-05-03 16:19:49 UTC #19

It was unrelated. See my response in the thread you posted.

connectedhometeam (cchs) 2016-05-16 20:02:34 UTC #20

Hi Tim @slagle,

I'm part of a team that is currently developing a platform that monitors (among other things) SmartThings devices in a user's home looking for specific events that could be used to trigger further actions that our platform can then take on the user's behalf.

Since the change in the OAuth behaviors noted here, we have been unable to fully test our platform against the SmartThings environment. We submitted our Smart App for review/publication 7 days ago (Monday 2 May) and have seen no status updates on our submission since then.

Can you provide an ETA of when we can expect an update on our request? Our development efforts are being impacted by this, and not having an ETA complicates our testing and development planning efforts.

I'd be happy to speak with you further, if you can provide a private channel for us to discuss specifics.

Thank you!