No more "Client credentials grant type"

The Netatmo API is a set of webservices allowing developers and third parties to access Netatmo device's data.
bitcomplex
Posts: 1
Joined: 05 Aug 2022, 10:40

No more "Client credentials grant type"

Post by bitcomplex »

I have a permanent dashboard in my house for personal use. I'm using Client credentials grant type to access Netatmo API, but this is deprecated and support will be removed as of October 2022.

How would you implement the standard OAuth2 scheme given the circumstances: local webapp (localhost) and no input device?

I think I can solve the localhost part by using some redirect service (bit.ly?). I can connect a keyboard to the pi driving the dashboard, but how often do you think I will need to reauth? Will the refresh token work "forever"?
aemken
Posts: 1
Joined: 06 Aug 2022, 19:58

Re: No more "Client credentials grant type"

Post by aemken »

Hello.

I'm also interested in this topic. I'm using the Client credentials grant type for automation with Node Red. There is no user interaction. How is server to server authentication possible after deactivation of the Client credentials grant type?

Thanks in advance.
jo_strasser
Posts: 4
Joined: 16 Dec 2018, 20:09

Re: No more "Client credentials grant type"

Post by jo_strasser »

In general: There are many many apps / platforms which are using "Client credentials grant type" for automation and Netatmo is killing all the different 3rd-parties.

In my case I am using Homebridge, Node-Red and some scripts and all are using "Client credentials grant type".
There are also Apps in different AppStores which are pulling data and facing the same problems (example: CARROT, Weather Pro)

After the change of Netatmo all these are dying. As already mentioned: Such systems are having no user interaction. It is a clear "server to server" communication. There is a manual interaction required when the token expires. Example: in Node-Red all users have to "deploy" a flow again.
And there is too little time to customize all these apps / platform integrations.
steveroe
Posts: 2
Joined: 18 Sep 2020, 10:54

Re: No more "Client credentials grant type"

Post by steveroe »

I am in the same boat, I have an automated daily process that grabs data from my Netatmo weather station which has no client interaction at all so cannot use an interactive oauth login.
Sankotronic
Posts: 3
Joined: 08 Aug 2022, 11:53

Re: No more "Client credentials grant type"

Post by Sankotronic »

BYE BYE Netatmo integrations with many home automation solutions.
If Netatmo at least provided local access to their products, but no.
Deleting API Client credentials grant type with such short notice and not providing better solution is at least stupid and not professional at all.
1l2p
Posts: 204
Joined: 30 Nov 2012, 19:34

Re: No more "Client credentials grant type"

Post by 1l2p »

Are we sure of that? If it's true, I can't see how I'll keep my "Netamo Roku" working after all these years...

My wife will kill me if she doesn't have this information in the living room anymore! :(
Daegil_Netatmo
Posts: 31
Joined: 18 Jul 2019, 09:51

Re: No more "Client credentials grant type"

Post by Daegil_Netatmo »

Hi!

For local use, what you can do is set up a server on your device hosting the code and access it via your smartphone or any display you would have. Your mobile phone has to be on the same network as the device hosting your code.

The device should then redirect the call directly to https://api.netatmo/com/oauth2/authoriz ... =''&scope='' and setting the redirect uri as the local IP of your device 192.168.xx. It does not need to be accessible from the outside but only on your local network.

On the mobile phone, you'd then be redirected on Netatmo front and it will ask you whether you want to give access to the API app. When you click on 'Yes, I accept', Netatmo servers will send the code to Netatmo frontend which will redirect it to the local IP from the redirect uri. In the end https://192.168.xx/?code='' will be received by the device hosting your development and will then be able to get the pair of tokens (access token & refresh token).

Note that at the moment it's only the authorisation that changes, this is to avoid the risk of having login and passwords easily accessible.
Daegil
Sankotronic
Posts: 3
Joined: 08 Aug 2022, 11:53

Re: No more "Client credentials grant type"

Post by Sankotronic »

Daegil_Netatmo wrote: 09 Aug 2022, 13:57 Hi!

For local use, what you can do is set up a server on your device hosting the code and access it via your smartphone or any display you would have. Your mobile phone has to be on the same network as the device hosting your code.

The device should then redirect the call directly to https://api.netatmo/com/oauth2/authoriz ... =''&scope='' and setting the redirect uri as the local IP of your device 192.168.xx. It does not need to be accessible from the outside but only on your local network.

On the mobile phone, you'd then be redirected on Netatmo front and it will ask you whether you want to give access to the API app. When you click on 'Yes, I accept', Netatmo servers will send the code to Netatmo frontend which will redirect it to the local IP from the redirect uri. In the end https://192.168.xx/?code='' will be received by the device hosting your development and will then be able to get the pair of tokens (access token & refresh token).

Note that at the moment it's only the authorisation that changes, this is to avoid the risk of having login and passwords easily accessible.

Hello Daegil,

Any suggestions on how to connect a home automation gateway like Fibaro HC2 and HC3, on which I can't install a server and can't show the Netatmo front with the confirmation to give access to the API?

By removing Client Credentials grant access you will completely disconnect my Netatmo devices from my home automation gateway making your devices unusable. I do understand importance of safety, but by just removing Client Credentials grant access and not providing any other way to connect HA gateways to the Netatmo devices is ridiculous. Leaving only Authorization code grant type that requires adding one more server to host some code and requiring users to manually confirm gateway access to the Netatmo is ridiculous. I just hope that you will offer some better way to integrate your devices to HA gateways.

Local access would be the best, but I guess your sales manager will not allow spending money to do it. ;-)
steveroe
Posts: 2
Joined: 18 Sep 2020, 10:54

Re: No more "Client credentials grant type"

Post by steveroe »

Daegil_Netatmo wrote: 09 Aug 2022, 13:57 For local use, what you can do is set up a server on your device hosting the code and access it via your smartphone or any display you would have. Your mobile phone has to be on the same network as the device hosting your code.

The device should then redirect the call directly to https://api.netatmo/com/oauth2/authoriz ... =''&scope='' and setting the redirect uri as the local IP of your device 192.168.xx. It does not need to be accessible from the outside but only on your local network.

On the mobile phone, you'd then be redirected on Netatmo front and it will ask you whether you want to give access to the API app. When you click on 'Yes, I accept', Netatmo servers will send the code to Netatmo frontend which will redirect it to the local IP from the redirect uri. In the end https://192.168.xx/?code='' will be received by the device hosting your development and will then be able to get the pair of tokens (access token & refresh token).

Note that at the moment it's only the authorisation that changes, this is to avoid the risk of having login and passwords easily accessible.

I have a Google Apps script running on a timer event to record daily records into a Google Sheet document - this uses client credentials grant type. There is no user interaction in this process, it runs entirely from Google cloud infrastructure with no GUI.

I don't see a way your solution would work in my situation, the server running my code isn't on my local network.

Any other suggestions welcome please.
DreddShed
Posts: 1
Joined: 21 Aug 2022, 14:39

Re: No more "Client credentials grant type"

Post by DreddShed »

Hello.

I currently have a Function App running in Azure which grabs my data from the Netatmo servers every 30 minutes and stores it into a database. Obviously this uses the client credentials grant type to generate a token at the moment.

I have been playing around with an alternative and I think I can mostly work around the change but only if the refresh token lasts forever. Or at least an extended period of time. Does anyone know how long the refresh token lasts for? I notice the OP asks the same question but I don't see any response.

My workaround is fairly straightforward:
  1. Add a redirect URL to your app in the Netatmo (this can be anything - it doesn't need to be a working site)
  2. In your browser go to the following URL: https://api.netatmo.com/oauth2/authorize?client_id=[YOUR CLIENT ID]&redirect_uri=[THE SAME URL YOU ADDED TO YOUR APP]&scope=read_station&state=AnyOldNonesense
  3. You will be asked to log in/authorise the app
  4. Upon authorisation you'll be redirected to the URL you entered in step 1 - notice the &code=[SOME CODE] parameter appended to your return URL - make a note of this
  5. Make a request to generate the token using the code from the previous step instead of the username and password (IMPORTANT: This code only appears to be valid for one use!)
  6. This returns a token; an expiry time; and a refresh token
  7. Use the refresh token each time you make a request to get a new token (which itself has a new refresh token which you'll need to use next time)
As mentioned above this all depends on the refresh token not having an expiry date!

As an aside I notice the Netatmo developer site still contains details of the client credentials grant type with no mention of its upcoming demise. There is a note mentioning that the client credentials grant type only works for the same account that owns the app. Has that always been the case? https://dev.netatmo.com/apidocumentatio ... credential

Edit: I suppose a better question would be how long is the user authenticated with the app for? Each token refresh generates a new refresh token so if you are collecting the data regularly (and have the means to store the new refresh token for use next time) the refresh token validity shouldn't be an issue - it's really only how long the user authentication is valid for that would be the problem.
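
The seven-step workflow from the post above, as an added Python example (not DreddShed's code and not Netatmo's): it replaces the fixed `state` string with a random value that is checked on the callback, and stores each rotated refresh token in an owner-only file that is swapped in atomically. Assumptions: the token URL, the RFC 6749 form field names, and the hypothetical `post(url, form) -> dict` callable that performs the HTTPS request.

```python
import hmac, json, os, secrets, tempfile
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://api.netatmo.com/oauth2/authorize"  # URL from the post
TOKEN_URL = "https://api.netatmo.com/oauth2/token"  # assumption: not in the thread

def build_authorize_url(client_id, redirect_uri, scope="read_station"):
    """Step 2: authorize URL with a random, single-use state value."""
    state = secrets.token_urlsafe(16)
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def code_from_callback(callback_url, expected_state):
    """Step 4: accept the code only if the callback echoes our state."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch, callback ignored")
    if "code" not in params:
        raise ValueError("callback carries no code")
    return params["code"][0]

def save_tokens(path, tokens):
    """Write the pair to a temp file (mkstemp: owner-only), then swap it in."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        json.dump(tokens, fh)
    os.replace(tmp, path)  # atomic: a crash never leaves a half-written file

def exchange_code(path, post, client_id, client_secret, code, redirect_uri):
    """Steps 5-6: trade the one-time code for the first token pair."""
    tokens = post(TOKEN_URL, {"grant_type": "authorization_code", "code": code,
                              "client_id": client_id, "client_secret": client_secret,
                              "redirect_uri": redirect_uri})
    save_tokens(path, tokens)
    return tokens["access_token"]

def refresh(path, post, client_id, client_secret):
    """Step 7: spend the stored refresh token and persist its replacement."""
    with open(path) as fh:
        stored = json.load(fh)
    tokens = post(TOKEN_URL, {"grant_type": "refresh_token",
                              "refresh_token": stored["refresh_token"],
                              "client_id": client_id, "client_secret": client_secret})
    save_tokens(path, tokens)  # per the post, the next refresh needs the new one
    return tokens["access_token"]
```

For a real run, `post` can be a small wrapper around any HTTPS client that sends the form and returns the decoded JSON response.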