To be clear, this is only for ‘auto install’ apps… not for apps where the user downloads the code and enables OAuth on their own?
You got it @MichaelS
As long as the customer can see the code they are allowed to use it.
For example, SmartTiles would be a 3rd party application using OAuth that needs ST approval? Will there be a published list of those approved 3rd party OAuth and will the application break and that will be our notice?
I hope Harmony integration doesn’t break
While I do not disagree with the value of this change for various good reasons, I think it is important to note that the incremental difference in “security” related to this change should not be overemphasized.
There is already a discussion on the details of this (please hop over to that discussion linked below to catch up on all the details, rather than taking this Announcement on a tangent, thanks!).
SmartTiles is indeed a SmartApp using this “shared” OAuth installation method. It is not an extremely common method so the chances that you are using many other affected SmartApps aren’t too high.
However, SmartThings doesn’t really have a way “at their fingertips” to find all such SmartApps at this time (to my knowledge), and so it is up to the Developers of the SmartApps to submit them for Marketplace listing and inform their users of any updated versions or installation procedures.
We do. We reached out to all affected developers.
It’s up to the app developer to inform their user community, same as any other development platform. We reached out to every app developer who used this method and gave them a personal warning. Outside of SharpTools, SmartRules, and SmartTiles, this affected about 500 or so users.
SmartRules and SharpTools have been through this process already and their userbase is migrated. SmartTiles is next.
Hey @slagle, the Simple Rule Builder SmartApp was submitted for review a few months ago. Any chance you can help make sure it gets reviewed before the deadline?
Does this mean that SmartTiles won’t work now??
It will continue to work if you already have it installed. We are working with them to get it ready for the cut off as well.
UPDATE: This change has been put on hold until we can get all the OAuth apps reviewed and published. Will update with a new date once we have these apps published.
Does this have anything to do with the “object object” bug which appeared in the last week and prevents the addition of any new devices for either echo or harmony? And if so, does putting the change on hold mean the bug will go away?
No. The changes were put on hold so we can get the endpoints published.
So Tim, is the process for reviewing new submitted apps streamlined?
Is there some way to have custom DH’s also included as part of this process?
Custom DH’s are a whole different beast. There is a lot we need to understand and figure out from a UX perspective. But it is something we are talking about, but right now, it is not a super high priority.
We are also working on streamlining the SA submission process even further as well.
Has anyone put together a list of the major 3rd party SmartApps that are not going to work, as we’ve just started to see some issues where apps have stopped working? But at the moment it’s not clear whether this is the cause.
Personally, I am unable to use SharpTools and cannot authorize anything. SmartTiles and Echo work fine.
It was unrelated. See my response in the thread you posted.
Hi Tim @slagle,
I’m part of a team that is currently developing a platform that monitors (among other things) SmartThings devices in a user’s home looking for specific events that could be used to trigger further actions that our platform can then take on the user’s behalf.
Since the change in the OAuth behaviors noted here, we have been unable to fully test our platform against the SmartThings environment. We submitted our Smart App for review/publication 7 days ago (Monday 2 May) and have seen no status updates on our submission since then.
Can you provide an ETA of when we can expect an update on our request? Our development efforts are being impacted by this, and not having an ETA complicates our testing and development planning efforts.
I’d be happy to speak with you further, if you can provide a private channel for us to discuss specifics.
Send me an email.