Thanks for the updates Rich. I'm going to start looking at integrating this.

Hi, I have just started to play arround with OAth.
After a user have entered their myhs credentials a pincode is generated.
This pincode should be copied by user to receive a token.
Is it possible to get token without the extra step with pincode in an automatic process?

OAth != OAuth

Old spelling was oAuth which is still used.

Anyway, was curious if HS relies on OAuth 2.0 tokens that expire after say an hour and require a refresh token request to re-obtain a fresh access token, or is it a non-expiring access token? Industry is moving fast towards the auto-expire token that forces a refresh to ensure higher security with rotating keys, and simplify the revocation process, but it obviously requires extra code.

tonlof the PIN code method is normal when developers rely on one OAuth ID+Secret, but needs access to multiple users/devices/etc. Each user/device has to give permission individually to allow access to their data, which is where the PIN comes in. If you have experience with streaming devices then you will have seen the same mechanism used for Roku, Plex, etc.

Ok thanks RoChess

What I have not figure out is.
Can a token be limited for a specific plugin or is a known token a freeway to whole HS web interface?
Will it then be possible to bruteforce tokens https://connected2.homeseer.com/?......uteforcetokens
Sorry for stupid question but I'm trying to understand how this short token of 21 digits in my case can be safer instead of both a userid and pasword.
Can created tookens be administrated/deleted by user.

If I'm going to imlement it in my plugin, is the correct way to include a link to below url that the user need to click and enter their myhs credentials to get the pincode.
https://myhs.homeseer.com/oauth/auth...onse_type=code

Relying on username/password in clear-text is obviously inherently insecure, even if it is being transmitted via encrypted connection such as SSL/TLS.

One solution is to deal with the salted-hash results, but then both sides still need to be aware of the username/password. Solution for that is methods such as OAuth which create secure encryption channels to pass along that info via tokens. Still requires both sides to be aware of a base-line which is the ID+Secret, but then after that an access-token defines the secure access and this can be revoked and renewed/refreshed to keep things secure.

If you want the full details on OAuth then there are dozens of highly informative articles available, but it is safe to ignore and trust in the fact that it is one of the most commonly used method to establish a secure one-to-one, one-to-many, many-to-one, or many-to-many scenario.

The normal workflow is either fully automatic for one-to-one setups, but in this one-to-many scenario you'll indeed have to inform the user that they have to obtain a PIN code to enter. Shame you don't have experience with a stream box, but maybe screenshots will help on how a Roku does it:





In your case it will be reversed, in that user logs into HomeSeer, gets PIN, enters that into your plugin, and then you can do your magic.

It would be fine to indeed present the link where user logs into HomeSeer within your plugin, as they tend to be on an internet connected system with access to a browser, but also keep in mind that you can post the link inside a PDF or on your forum help page for the plugin and keep it out-of-bound from the plugin where they enter the PIN code.






The PIN code is just a short easy-to-type-in-by-user way to uniquely identify them so that HomeSeer can grant your OAuth access credentials the permission it needs to get that user's details for your plugin to do its thing. Instead of HomeSeer/Plugin generating a PIN code that the user enters on a https://homeseer.com/activate link, the workflow is reversed where user obtains PIN via HomeSeer website and types that into your plugin for you to then obtain the access-token tied to that specific end-user's data.