Hey there,
is it possible to control specific items via external URL, without exposing the entire system externally? A friend of me wants to realize a installation with spotlights. People, who walk by should be able to control the light by scanning QR-Codes with their phones.
Thanks for your ideas.
Hope you’ve had a great weekend so far.
Nikolaus\
Quite interesting use case. 
Never thought on this but now I might find also a few scenarios where it makes sense.
What is your assumption? Is your friend within your network (e.g. wifi)? Or complete external?
Let’s wait for the real experts? 
Cheers
Steffen
As long as the qr code could point to the rest api, then I’d assume you could.
It would assume you’re in WiFi range of the openHAB server (or using openHAB cloud - but with the latter I’m unsure how authentication would work).
And you’d have to investigate if the qr code payload would be a json data or string for the on off. Ideally you’d have wanted a single url for on and another for off. But that’s not really how the rest api works.
I would use a CGI script on a dedicated server.
That CGI can control the OH item without letting the people with the QR code know the password.
Definitely what Wolfgang recommends. There are a number of problems here that make this a little tricky.
Can you define a POST in a QR code? You need to issue a POST to command an Item.
Based on the description these passers by will need to be able to reach openHAB from the internet. Here be dragons because that means anyone can reach all of the system. Even with OH 3’s authentication implementation they could still discover and command all of the Items, not just the one you want them to be able to. That means you’ll want to add some additional authentication (e.g. a reverse proxy. But…
The authentication will need to be built into the QR code so anyone who can see the QR code will also have the username and password so you are right back in the situation where anyone can access all of the openHAB Items. This is the same problem to use myopenhab.org. You can use basic auth in the URL (which will work sometimes, but some browsers won’t allow it) but that username and password will be right there in plain text in the QR code.
Because of these, your best bet is to host some tiny service on a cloud server somewhere that, when the URL is fetched will issue a command to your openHAB. It’s that service that will have the means to reach and authenticate with your openHAB server. In OH 3 you can create authentication tokens and the like and change them frequently. It’s not great security but better than encoding everything in the QR code.
Oh, maybe a better way would be to use CloudMQTT or a similar service that the little service communicates with. Then it and openHAB can authenticate to CloudMQTT and you won’t expose anything about openHAB at all. At worst people will be able to command the one Item that you want to allow strangers to control anyway.
What’s your friend’s ultimate goal? It’s amusing, for sure, but if the QR code is a means to an end then there are almost certainly other ways to accomplish “random person turns on spotlight” that would be more secure and reliable. For example, a motion sensor (or break-beam) mounted in such a way that you have to wave your hand through it to trigger the spotlights.
QR codes are great in some contexts, but in many cases they exist purely because they can. I’m not suggesting that’s the case here (again, I don’t know the goal), but when someone suggests a QR code there’s often a simpler–but less flashy–way to accomplish the task. (I work in marketing/communications, and this happens a lot.)
The best use I’ve seen is putting them on posters at events, so that people can access event info on their phones. The silliest I’ve seen is a QR code on a banana sticker. 
I’m considering a similar approach for people to scan a QR code if they can’t hear the doorbell.
The QR code would contain the URL to a script hosted on my website. The script would issue a message to my openHAB environment.