[SOLVED][Schema, OAuth] Some devices (presumably Android) are making authorize requests with a null scope when using an empty scope

Solved

Resolved by explicitly changing the scope after contacting the ST support team.


Symptom

Some users have reported that the integration is not working.

Existing integrated users are fine.

An error about a scope that the server does not support is occurring.

Investigation

It is suspected that some implementation of SmartThings—server, app, or even Galaxy’s webview browser—has changed.

During the OAuth authorize process, it was found that if there is no scope, the &scope=null parameter is being sent.

Our implementation does not require the client to request a separate scope and sets the default scope during the authz process.

This issue has been confirmed on a Galaxy S8 Ultra running Android 14, and does not occur on an iPhone X.

Authz request from iPhone (SmartThings 1.7.14.22):

 /oauth/authorize
   ?client_id=<client-id>
   &redirect_uri=https://c2c-ap.smartthings.com/oauth/callback
   &response_type=code
   &state=<state>

Authz request from S8 Ultra (SmartThings 1.8.17.22):

 /oauth/authorize
   ?client_id=<client-id>
   &redirect_uri=https://c2c-ap.smartthings.com/oauth/callback
   &response_type=code
   &state=<state>
+  &scope=null

Clearly, the null scope does not mean that no scope is being requested.

According to the OAuth spec, the client (SmartThings) can omit the scope.

If the client omits the scope parameter when requesting authorization, the
authorization server MUST either process the request using a pre-defined
default value or fail the request indicating an invalid scope.

If the client explicitly requests the scope, there is no problem.
However, ST doesn’t currently allow modifying the scope of a published integration.

Since there is nothing else I can do at the moment, I tried to add a null scope.
But in the token exchange response (redirect), a window shows only plain text {}.

If unresolved, I plan to modify the library to recognize null as an empty scope.

I hope ST either omits the parameter when the scope is empty or allows changing the scope of the published project.


Could it be related to this?

Hi, @Shina_System_Co_Ltd
Did the users that reported this issue mention if they’re seeing the error “viperError”:“missing_required_query_parameters”?
That’s because there’s an already reported issue in the latest Android app version which is 1.8.17.22. If you can confirm it’s the same, I’ll add you to that report with your observations.

I saw that error a few times during a test, but mainly the error below appears.

Couldn't link account.
Error code: null

@nayelyz I too am having this problem. It looks like &scope=null is being appended to the authorization URI when attempting to add a new device via the SmartThings app, and that null is being treated like a string “null”, which is messing with the server-side processing.

Hi, @smrtdrmmr
Do you have a published connector, or can you still modify it?
In the case of the first post, we had to manually modify the connector to add scopes, but we haven’t received confirmation that this solved the issue.
So, if you can add a scope, we think it should solve it (this is a temporary fix).
In the meantime, the engineering team is working on the permanent fix.

It’s not published, so I could either add a temporary scope, or in this case I just checked a “null” scope in the GET request and unset it from the request itself before continuing with the rest of the processing. Definitely caught me off guard when I couldn’t add my devices again all of a sudden…
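As an added example (not code from the original posts, SmartThings, or any OAuth library), here is a server-side scope resolver for the authorize endpoint that does what the first post asks of the spec and what the workaround in the post above does: an omitted or empty scope gets the server's pre-defined default (RFC 6749 §3.3), the literal string "null" sent by the affected app version is treated as an omitted scope rather than as a scope name, and anything genuinely unknown is rejected with invalid_scope. The scope names, client_id and state values are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: scopes a hypothetical authorization server supports
# and the default it applies when the client omits the parameter (RFC 6749 §3.3).
SUPPORTED_SCOPES = {"devices:read", "devices:write"}
DEFAULT_SCOPE = {"devices:read"}
assert DEFAULT_SCOPE <= SUPPORTED_SCOPES

# The affected app version sends the literal string "null" when no scope is configured.
# Treat that token as "nothing requested"; never register a real scope with this name,
# or this workaround would silently grant it.
NULL_SENTINEL = "null"

# Constructed requests mirroring the two captures in the thread (client_id/state are placeholders).
IPHONE_REQUEST = ("/oauth/authorize?client_id=CLIENT_ID"
                  "&redirect_uri=https://c2c-ap.smartthings.com/oauth/callback"
                  "&response_type=code&state=STATE")
S8_REQUEST = IPHONE_REQUEST + "&scope=null"


def resolve_scope(authorize_url: str) -> dict:
    """Return the effective scope for an authorize request, or an invalid_scope error."""
    params = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True)
    # scope is a space-delimited list (RFC 6749 §3.3); a repeated parameter is merged too.
    requested = {tok for value in params.get("scope", []) for tok in value.split(" ") if tok}

    note = "explicit scope accepted"
    if NULL_SENTINEL in requested:
        # Drop the client's "null" but record it, so the bug stays visible in server logs.
        requested.discard(NULL_SENTINEL)
        note = "literal 'null' scope ignored"

    if not requested:
        # Omitted (or only "null"): apply the pre-defined default instead of failing.
        return {"ok": True, "scope": set(DEFAULT_SCOPE), "note": note if note != "explicit scope accepted" else "scope omitted; default applied"}

    unsupported = requested - SUPPORTED_SCOPES
    if unsupported:
        # The other branch the spec allows: fail the request with invalid_scope.
        return {"ok": False, "error": "invalid_scope", "unsupported": unsupported}

    return {"ok": True, "scope": requested, "note": note}


if __name__ == "__main__":
    for url in (IPHONE_REQUEST, S8_REQUEST, IPHONE_REQUEST + "&scope=devices:write%20bogus"):
        print(url.split("?", 1)[1][-40:], "->", resolve_scope(url))
```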

Yes, also, it seems it only happens on the latest app version, so, you can also use a previous one and avoid the other changes.