No announcement yet.

Accessing HomeSeer Systems Remotely using OAth

This is a sticky topic.
  • Filter
  • Time
  • Show
Clear All
new posts

  • Accessing HomeSeer Systems Remotely using OAth

    There are a few apps and plugins that allow users to access their system remotely through MyHS. One way documented in the SDK is to add the user/pass to the JSON URL. This is not ideal as it requires the developer to request the user/pass from the user which exposes their credentials. The standard way to do this is using OAth. With OAth you redirect the user to our web site where they enter their user/pass and are returned a PIN code. They then enter the PIN code into your application and you are given a token. You can then use this token to access a user's system through JSON commands through MyHS. You will need 2 pieces of information from HomeSeer, a client ID and a Client Secret. To obtain this information send a request to and we will generate this information for you. The SDK has been updated with this information here:

    We have created a sample .net application that goes through the entire process. You can download it from here:
    website | buy now | support | youtube

  • #2
    Thanks for the updates Rich. I'm going to start looking at integrating this.


    • #3
      Hi, I have just started to play arround with OAth.
      After a user have entered their myhs credentials a pincode is generated.
      This pincode should be copied by user to receive a token.
      Is it possible to get token without the extra step with pincode in an automatic process?
      Please excuse any spelling and grammatical errors I may make.
      Tasker Plugin / Speech Droid
      Tonlof | Sweden


      • #4
        OAth != OAuth

        Old spelling was oAuth which is still used.

        Anyway, was curious if HS relies on OAuth 2.0 tokens that expire after say an hour and require a refresh token request to re-obtain a fresh access token, or is it a non-expiring access token? Industry is moving fast towards the auto-expire token that forces a refresh to ensure higher security with rotating keys, and simplify the revocation process, but it obviously requires extra code.

        tonlof the PIN code method is normal when developers rely on one OAuth ID+Secret, but needs access to multiple users/devices/etc. Each user/device has to give permission individually to allow access to their data, which is where the PIN comes in. If you have experience with streaming devices then you will have seen the same mechanism used for Roku, Plex, etc.


        • #5
          Ok thanks RoChess

          What I have not figure out is.
          Can a token be limited for a specific plugin or is a known token a freeway to whole HS web interface?
          Will it then be possible to bruteforce tokens
          Sorry for stupid question but I'm trying to understand how this short token of 21 digits in my case can be safer instead of both a userid and pasword.
          Can created tookens be administrated/deleted by user.

          If I'm going to imlement it in my plugin, is the correct way to include a link to below url that the user need to click and enter their myhs credentials to get the pincode.

          Please excuse any spelling and grammatical errors I may make.
          Tasker Plugin / Speech Droid
          Tonlof | Sweden


          • #6
            Relying on username/password in clear-text is obviously inherently insecure, even if it is being transmitted via encrypted connection such as SSL/TLS.

            One solution is to deal with the salted-hash results, but then both sides still need to be aware of the username/password. Solution for that is methods such as OAuth which create secure encryption channels to pass along that info via tokens. Still requires both sides to be aware of a base-line which is the ID+Secret, but then after that an access-token defines the secure access and this can be revoked and renewed/refreshed to keep things secure.

            If you want the full details on OAuth then there are dozens of highly informative articles available, but it is safe to ignore and trust in the fact that it is one of the most commonly used method to establish a secure one-to-one, one-to-many, many-to-one, or many-to-many scenario.

            The normal workflow is either fully automatic for one-to-one setups, but in this one-to-many scenario you'll indeed have to inform the user that they have to obtain a PIN code to enter. Shame you don't have experience with a stream box, but maybe screenshots will help on how a Roku does it:

            Click image for larger version  Name:	screen.png Views:	0 Size:	152.4 KB ID:	1339881

            In your case it will be reversed, in that user logs into HomeSeer, gets PIN, enters that into your plugin, and then you can do your magic.

            It would be fine to indeed present the link where user logs into HomeSeer within your plugin, as they tend to be on an internet connected system with access to a browser, but also keep in mind that you can post the link inside a PDF or on your forum help page for the plugin and keep it out-of-bound from the plugin where they enter the PIN code.

            Click image for larger version  Name:	roku-activate3.jpg?1471981369.jpg Views:	0 Size:	53.8 KB ID:	1339882

            The PIN code is just a short easy-to-type-in-by-user way to uniquely identify them so that HomeSeer can grant your OAuth access credentials the permission it needs to get that user's details for your plugin to do its thing. Instead of HomeSeer/Plugin generating a PIN code that the user enters on a link, the workflow is reversed where user obtains PIN via HomeSeer website and types that into your plugin for you to then obtain the access-token tied to that specific end-user's data.