OAuth-based authentication

[marioverhaeg]

Hi, I see this project is not updated for a while, but I'm a happy user :-). Are you planning to update it according to the latest Netatmo instructions regarding the OAuth authentication scheme described here? https://dev.netatmo.com/apidocumentation/oauth

If not, I will probably need to find an alternative or build something myself.

Thanks!

[aurnor]

Hello,

What I see from the new Netatmo authentication is that the Client Credentials grant type method will be completely removed on October 2022 (information also received by email).
This means that calls to client.GenerateToken("account", "password", scopes) won't work anymore.
My app has no user interaction, so without Client Credentials I won't be able to generate a CredentialToken anymore using OAuth.
However, in this Netatmo forums discussion, a Netatmo representative said:

"_Note that you are already supposed to use the client credential only once to generate then refresh & access token then use those tokens in your application every day use.
This means that if you already use the best practice method, the client credential change would not change anything for you except of course if you loose the token somehow or wish to add more scopes. In short you already have the access & refresh token required for your current use. On my personnal app I didn't need to do a client cred since 2~3 years and that was only because I added scopes.

We are naturally working on a better solution for new users such as allowing the refresh and access token generation directly from your dev account but that' still WIP and prone to change. To be clear you will still need to use the refresh method for automation if you do not want to redo the token every 3 hours.
Note that I personnaly recommend getting the new refresh token and access to automatically replace the previous ones with every refresh. It's not that complicated and you make sure to have the correct data everytime even in the evantuality that we would need to change stuff arround._
"

So I think one of the first steps is to set the CredentialManager.CredentialToken public (currently it is a private set), so that we can get a Token and refresh token from the developer portal manually (I'm still not sure how), then set it from our code directly into the CredentialToken property (from a config file for example).

[marioverhaeg]

My application also doesn't have a user interface. I basically gather the data from Netatmo and write it into an InfluxDB database. I had the same issue with another cloud provider and used the log files as a "user interface". Meaning, if there is user interaction required I would write the URL into a log file, and execute the user interaction manually. As also said on the forums, once it runs you hardly ever need to do it again. It's not the nicest solution, but it works for my purposes :-).

[aurnor]

Yes, once we have a token and refresh token, it is supposed to be enough, provided that we can set them in the CredentialToken property, @Riges ;)
But the question is to know how we will get those tokens easily. From the Netatmo dev portal we can get an access token, but not the refresh token.
Perhaps the easiest way is to get the current token and refresh token we get using Client Credentials grant as long as it works, and use them directly in our code (storing them in a config file) and avoid the call to Client Credentials.
Or create a sample app that uses OAuth to get the tokens with user interaction, then inject them into our non-UI app.

[marioverhaeg]

This is what I received from the Netatmo API support team:

_In the future what you can do is setting up a server on your device hosting the code and access it via your smartphone or any display you would have. Your mobile phone has to be on the same network than the device hosting your code.

The device should then redirect the call directly to https://api.netatmo/com/oauth2/authorize?client_id=''&redirect_uri=''&scope='' and setting the redirect uri as the locale ip of your device 192.168.xx. It does not need to be accessible from the outside but only on your local network.

On the mobile phone, you'd then be redirected on Netatmo front and it will ask you whether you want to gave access to the API app. When you'll click on 'Yes, I accept', Netatmo servers will send the code to Netatmo frontend which will redirect it to the locale ip from the redirect uri. In the end https://192.168.x.x/?code='' will be received by the device hosting your development and will then be able to get the pair of tokens (access tokens& refresh token)._

This should require minimum user interaction. The only thing the user needs to do is kick-off the process by calling the API with a clientId. and redirect ID, and then login on the Netatmo portal. It would require a temporary HTTP server running, but that can be switched off once the authentication process is complete.

[aurnor]

My code already runs on a web server, so it may be a solution as well indeed. Asking user-interaction this way, only if refresh token was lost...
@Riges, any idea when you will implement oAuth authentication with user interaction in this project?
Thanks

[aurnor]

It seems that the Refresh Token given by Netatmo is always the same for my account.
So I could workaround the issue this way:

//If client does not exist, create it and ask for a token
if (client?.CredentialManager?.CredentialToken == null)
{
    client = new Netatmo.Client(NodaTime.SystemClock.Instance, baseUrl,
    configuration.GetValue<string>("NetatmoClientId"), configuration.GetValue<string>("NetatmoClientSecret"));

    
    //await client.GenerateToken(configuration.GetValue<string>("NetatmoAccount"), configuration.GetValue<string>("NetatmoPassword"), new[] { Scope.StationRead });

    //workaround here 
    var token = new Token();
    token.ExpiresIn = 10800;
    token.RefreshToken = configuration.GetValue<string>("NetatmoRefreshToken");
    var credentialToken = new Netatmo.Models.CredentialToken(token, NodaTime.SystemClock.Instance);
    //CredentialToken is read-only, using reflection to set it
    typeof(CredentialManager).GetProperty("CredentialToken").SetValue(client.CredentialManager, credentialToken, null);
}

if (client.CredentialManager.CredentialToken?.ExpiresAt.ToDateTimeUtc().ToLocalTime() < DateTime.Now
    || client.CredentialManager.CredentialToken?.AccessToken == null)
    await client.RefreshToken();

[marioverhaeg]

It seems like the grant_type "password" has been disabled now all together (since yesterday?).

[ClodAlone]

ok using the refresh to keep the token active while the server keeps runniing, but...
whenever my service or my entire server needs to reboot the access token is expired and I'm forced to create a new one, which doesn't make my service working without updating the access token again from the netatmo website. Is this a suitable solution for you all or am I missing something ?

[marioverhaeg]

I have implemented a notification towards my Slack space whenever a refresh of the token is required. It's not perfect for a back-end service but it works. Typically this only happens when I restart the service myself.