Upgrade an existing app’s permissions

Hi,

I’d like to update the device permissions for app e64c1dd0-41f4-4e74-92ea-cfa0b2344cf3

At the moment, it just has device:r, but I also need write and execute now.

I can’t see how this can be changed, so I’m wondering if this requires a support request?

Thanks!

It has been a while but if I remember correctly you use the CLI to export the OAuth settings as JSON or YAML, edit the JSON or YAML to update the whitelisted permissions, and then do an update.

smartthings apps:oauth {appId} -o oauth.yaml
(edit the file as required)
smartthings apps:oauth:update {appId} -i oauth.yaml

That’s fantastic, thanks!

I assume users have to unlink/relink for this to take effect?

Well the scopes in the ‘app’ are basically a whitelisting of values you can request, so it isn’t the whole story by a long chalk.

I am really very rusty with apps so I think I’ll ask @nayelyz to dig me out of a hole.

I do remember that for Webhook Smart Apps it is likely to be necessary to change the requested permissions in the CONFIGURATION lifecycle INITIALIZE phase (it isn’t always necessary to explicitly request permissions, some are implicit). Users would then have to update their installed apps via the SmartThings mobile app.

With OAuth apps I would imagine users have to start over with the authorise process again to take account of the new permissions they need.

Right, I think that makes sense.

So to confirm my understanding… if I want my oauth app to be able to operate in a read-only mode or a read/write mode (depending on user preference), then I should provide 2 ‘link up to smartthings’ links (or a way of selecting on MY side), and then send the user on the oauth journey. I just pass in the scope depending on what the user wants, and if they want to ‘upgrade’ to read/write, I just get them to disconnect/reconnect to SmartThings.

Thanks again for your help.

Hi, @IanPC
You don’t need to provide two links to the user; you can present a single one that asks for all the scopes that your integration can support.
Then, the user will select only those that he/she wants.
Once you get the Access Token, you’ll see the scopes that are authorized for such Token.
Just make sure that the user is aware of what they need to select for the functionality they want.
For example, the Capability subscriptions require having read access for all the devices, not only a few.

About the update, users should go through the authorization page again to accept these new scopes.
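Added example (not part of the thread and not SmartThings' own code): a fail-closed check that derives the integration's mode from the scopes actually returned with the token rather than from the scopes that were requested. The `scope` field as a space-separated string, the `<permission>:<resource>:<target>` scope shape, and the sample token responses are assumptions constructed for illustration.

```python
# Decide what the integration may do from the scopes the user actually granted.
# Assumption: the token response carries a space-separated "scope" string and
# scopes look like "<permission>:<resource>:<target>", e.g. "r:devices:*".

VALID_PERMISSIONS = ("r", "w", "x")


def granted_permissions(token_response, resource="devices"):
    """Return the set of permission letters granted for one resource."""
    raw = token_response.get("scope") or ""  # missing scope -> nothing granted
    perms = set()
    for scope in raw.split():
        parts = scope.split(":", 2)
        if len(parts) == 3 and parts[1] == resource and parts[0] in VALID_PERMISSIONS:
            perms.add(parts[0])
    return perms


def access_mode(token_response):
    """Map granted device scopes to 'full', 'read-only' or 'none'."""
    perms = granted_permissions(token_response)
    if {"r", "w", "x"} <= perms:
        return "full"
    if "r" in perms:
        return "read-only"
    return "none"


def require(token_response, permission):
    """Raise before attempting an operation the token was never granted."""
    if permission not in granted_permissions(token_response):
        raise PermissionError(
            f"token lacks '{permission}' on devices; user must re-authorize"
        )


# Constructed sample token responses (placeholder token values).
FULL = {"access_token": "PLACEHOLDER", "scope": "r:devices:* w:devices:* x:devices:*"}
READ_ONLY = {"access_token": "PLACEHOLDER", "scope": "r:devices:* r:locations:*"}
NO_SCOPE = {"access_token": "PLACEHOLDER"}

if __name__ == "__main__":
    for name, resp in (("full", FULL), ("read-only", READ_ONLY), ("none", NO_SCOPE)):
        print(name, "->", access_mode(resp), sorted(granted_permissions(resp)))
```

Calling `require(token, "x")` before sending a device command keeps a monitoring-only link from attempting writes it was never authorized for.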

Thanks for the extra information.
I had to implement this with 2 links in the end - either I’ve misunderstood something, or it’s not possible otherwise.

I can understand that users can tick boxes against different categories during the auth flow, however when it’s 2 different sets of permissions on the same class/category (in my case - Devices), then there’s no way of saying read-only when the scope has been defined as ‘:r: w: x’.

In a way, the 2 links options from ‘my side’ actually give a nice UI option where there’s 2 nice clear buttons - ‘Allow monitoring only’ and ‘Allow full management’.

Thanks to both of you for your help here, I now have everything working as I hoped!