Netatmo API Authorisation Changes

I've been informed today that Netatmo are withdrawing their "Client Credentials" authorisation grant type from October, meaning that the only way to access user data is to use the "Authorisation Code" grant type as detailed here: https://dev.netatmo.com/apidocumentation/oauth#authorization-code

I'm struggling to see how this authorisation type could be handled in a plugin, but if anyone has any experience of this I'd be grateful for some pointers. If I can't solve this problem my Netatmo plugin will cease to work from October I'm afraid.

[jay (support)]

You'll need to implement an HTTP request handler to accept the callback with the token. Some services don't allow arbitrary URIs for the redirect (or have other restrictions that cause issues with the reflector), but they don't seem to mention any restrictions, so hopefully you can just pass the URI in to the call to authorization server. Use indigo.server.getReflectorURL to return the reflector URL to construct your redirect URI.

Note: your users will need to have a reflector activated for this to work since the redirect from the Netatmo authorization server has to go to your plugin directly. You can use the licenseStatus property of indigo.server to create a more complete description to show your user about what they need to do. For instance, if they have an active subscription but no reflector, then you can tell them to create a reflector. But if they have an expired subscription, you'll need to tell them that they need an active Indigo Up-to-Date subscription so they can set up a reflector.

Thanks Matt, that's really helpful. But how is Step 2 handled? It sounds as though the user needs to log in to their own Netatmo account to authorise access:


Step 2 - The user is prompted to authorize your application

Note: If the user is not already logged in to their Netatmo account, they will be prompted to log in.

[jay (support)]

Their documentation is a little fuzzy on that point: they illustrate the call to their system as a GET (which you can just launch in a web browser). However, they say below their example that it's a POST - if that's true, then you have to do a little more roundabout: build a page served up from your plugin that, when loaded in a web browser, automatically posts to their authentication server (you should be able to use a small javascript to do that on load).

I'm going to point @FlyingDiver to this post as he's done more work in this area than we have, so maybe he's got more/better pointers.

Just got back from a 1200 mile drive. Give me a day to recover and I'll take a look.

To get started, grab a copy of this branch of the Slack2 plugin: https://github.com/FlyingDiver/Indigo-Slack2/tree/OAuth

It doe pretty much the exact flow you're looking for. I had to abandon that method for Slack because the callback URL for all installations had to be the same. Which means it can't be redirected back to different reflectors for each user. Unfortunately, Netatmo looks to be the same: If the callback URL of your application is statically configured in the settings, the redirect_uri parameter may be omitted. If present, it should match the one statically defined.

Is the credentials method actually going away, or just subject to the limitation posted: This method can only be used with the same account that the one who owns the API application.
If you want to access data from another user's account, you MUST use the Authorization code grant type.. If the latter, it should still work but each user will need to create their account and set up the app profile. Which is also what the Slack users have to do.

Thanks @FlyingDiver - I'll take a look.

Yes, unfortunately the credentials method is being withdrawn in October; the Netatmo documentation doesn't reflect this yet, but an email was sent out a couple of days ago to registered developers.

Can you PM me a copy of the email?

Done