OAuth questions


#1

Hoping someone can set me on the right path here. I'm trying to complete OAuth authentication with a web service that requires a whitelisted redirect URI. On SmartThings, the documentation states that it should always be https://graph.api.smartthings.com/oauth/callback, which works fine since I can add that to the whitelist and everyone is happy.
With HE, it seems (at least from examples I've stumbled across) that I may need to use a URI that is specific to each installation, which doesn't really mesh with the suggested best practices for OAuth since the service would have to allow whitelisting URI patterns.

So...what is the "correct" redirect_uri to use?
Is ST acting as a proxy for those callbacks or am I misunderstanding the OAuth flow? (yes, they are)


#2

Can anyone confirm if the callback endpoint must be hub/app specific or if there is something like a https://cloud.hubitat.com/oauth/callback that I can use?


#3

@chuck.schwer would probably know best...


#4

We have not implemented those endpoints in our cloud yet. For your web service, does it require that the entire redirect URI be in the whitelist? I know some services can validate just the beginning, i.e. "https://cloud.hubitat.com/api"; if that is the case, then that would get you over the hump. I'm looking for a good example I can test with to get this implemented. Is the service you are using available to the public, and does it have an ST implementation?


#5

It’s Spotify. When I tried a partial URL, it didn’t work. I believe they require the entire path. It will have an implementation shortly 🙂 I’ve been hacking away at it in between actual work tasks, so it’s not feature complete or pretty, but the OAuth part is more or less done.


#6

Ok, if you can send it my way, I can play with it to see what it would take to get the static urls to work on our service endpoints.


#7

Just tested it with a partial URL. “Invalid redirect URI”
GitHub link

I’ll leave that branch as-is for now so as not to break things.

It’s still very ST centric at the moment while I work out all the details.
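
The two whitelist policies discussed in posts #4 through #7 (matching the full redirect URI versus matching only its beginning), compared in an added Python example that is not code from the thread or from Hubitat, SmartThings or Spotify. The per-hub path and the other sample URIs are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

# Both values are quoted in the thread; every other URI used with this
# example is a constructed placeholder.
ST_CALLBACK = "https://graph.api.smartthings.com/oauth/callback"
HE_PREFIX = "https://cloud.hubitat.com/api"

def exact_match(uri, registered):
    """Strict policy: the requested URI must equal a registered one."""
    return uri in registered

def naive_prefix_match(uri, prefix):
    """Weak policy: plain string prefix, blind to URL structure."""
    return uri.startswith(prefix)

def component_prefix_match(uri, prefix):
    """Prefix policy checked per component: same scheme, host and port,
    and a path at or below the registered path on a segment boundary."""
    try:
        want, got = urlsplit(prefix), urlsplit(uri)
        same_origin = (got.scheme, got.hostname, got.port) == \
                      (want.scheme, want.hostname, want.port)
    except ValueError:  # malformed port or bracketed host
        return False
    if not same_origin or got.username or got.password or got.fragment:
        return False
    path = unquote(got.path)  # decode so %2e%2e is seen as ".."
    if "\\" in path or any(s in (".", "..") for s in path.split("/")):
        return False
    base = want.path.rstrip("/")
    return path == base or path.startswith(base + "/")

def evaluate(uri):
    """Run one requested redirect_uri through all three policies."""
    return {
        "exact": exact_match(uri, {ST_CALLBACK}),
        "naive_prefix": naive_prefix_match(uri, HE_PREFIX),
        "component_prefix": component_prefix_match(uri, HE_PREFIX),
    }

if __name__ == "__main__":
    for uri in (ST_CALLBACK,
                "https://cloud.hubitat.com/api/HUB_ID/apps/APP_ID/callback",
                "https://cloud.hubitat.com/api.other.example/callback",
                "https://cloud.hubitat.com/api/%2e%2e/elsewhere"):
        print(uri, evaluate(uri))
```

The last two samples pass the plain string prefix but fall outside the registered path, which is why a provider may accept only full-URI matches.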


#8

I'm also blocked on a service that requires full redirect URL validation.


#9

Can you share if this is near-term or farther out on the roadmap?