OAuth2 Hack Using only openHAB. Good idea?

rlkoshak · June 14, 2018, 9:16pm

Just to play around I was looking into what it would take to interact with Dexcom’s API. The API is well documented and has a nice sandbox area to experiment in, BUT, it requires OAuth2.

I know the correct approach is to deploy my own instance of openHAB cloud and set it up with the redirect URL able to process the authtoken and retrive the access token. But I think there is a way I can do this using openHAB itself and myopenhab.org. I’m just playing here and know this is probably a bad idea. But I’ve not a lot of experience with this.

How bad of an idea is this?

Here is my approach:

Configure the redirect URL to https://myopenhab.org/static/authcode.html.
authcode.html is a static page in conf/html with some javascript to parse out the authcode passed to me as a URL parameter and issue an XMLHttpRequest to the OH REST API. I’ve implemented up to this point and it works.
Trigger a Rule with the authcode and make the appropriate HTTP POST back to Dexcom to get another callback with the acess token, refresh token, and time to live of the access token. the auth code is only valid for one minute.
Create another static html page to catch the return call and retrieve the access token, refresh token, and amount of time it will live and post those to Items using XMLHttpRequest again.
In some Rules I’ll make the REST calls to query the API for the data I want using the access token and watching for the end of the time to live for the access token and/or watching for a return code of 401 and then using the refresh token to get a new access token and refresh token.

Like I mentioned, I’ve already implemented this up to getting the authcode and POSTing it to an Item and I know how to do the rest. I’m pretty sure it will work. But it feels sketchy as heck. What are people’s thoughts? Anyone have minor suggestions?

I already know, the proper way would be to set up my own openHAB Cloud instance. But where’s the fun in that?

rlkoshak · June 14, 2018, 10:58pm

Well that didn’t work. I missed the part where the the response sent in step 4 that has the auth and refresh tokens gets sent as a post to the redirect url you pass to it.

I’ll experiment with whether I can make it use an OH REST API call to POST to an Item but I suspect I’m dead in the water.

pacive · June 15, 2018, 4:41am

It’s strange that dexcom sends the token by issuing a post-request to the client, that would mean the client need to run a webserver listening to that address. The OAuth2 specification states that the access token should be provided in the http-response of the request the client sends in step 3 above, so they are not following the spec in that case. Might be worth pointing that out to them?

https://tools.ietf.org/html/rfc6749#section-5.1

I have connected to OAuth2-protected apis using a similar method, (but using external scripts and some manual interaction) but have never needed to catch a post-request from the authorization server…

rlkoshak · June 15, 2018, 5:15pm

Doh! I spent the past 30 minutes trying compile everything I’ve tried and the results I get back only to realize that I just did something stupid. It is working as it should. I was looking at the Message, not the Response. I’m back in business.

Though, since you’ve done something like this before, do you know how to avoid the COR error when I try to make the XMLHttpRequest back to dexcom from my html page instead of the Rule? It would be nice to do the full round trip in the HTML page rather than needing a Rule. But I do have it working in the Rule now.

I will post a tutorial once I get it working all the way.

Thanks for the push in the right direction. I always assume I’m doing something wrong and I’m usually right.

For the curious, the WIP is as follows:

I use http://myopenhab.org/static/test.html as the redirect URL registered with Dexcom.

The code below is pretty sloppy and a WIP.

Here is test.html (I just copied the JS that parses out the arguments from a posting somewhere and haven’t reviewed it). I bet it can be done better.

<!DOCTYPE html>
<html>
        <head>
                <title>OAuth2 Catcher</title>
        <script type="text/javascript">
        function getAllUrlParams(url) {

  // get query string from url (optional) or window
  var queryString = url ? url.split('?')[1] : window.location.search.slice(1);

  // we'll store the parameters here
  var obj = {};

  // if query string exists
  if (queryString) {

    // stuff after # is not part of query string, so get rid of it
    queryString = queryString.split('#')[0];

    // split our query string into its component parts
    var arr = queryString.split('&');

    for (var i=0; i<arr.length; i++) {
      // separate the keys and the values
      var a = arr[i].split('=');

      // in case params look like: list[]=thing1&list[]=thing2
      var paramNum = undefined;
      var paramName = a[0].replace(/\[\d*\]/, function(v) {
        paramNum = v.slice(1,-1);
        return '';
      });

      // set parameter value (use 'true' if empty)
      var paramValue = typeof(a[1])==='undefined' ? true : a[1];

      // (optional) keep case consistent
      paramName = paramName.toLowerCase();
      paramValue = paramValue.toLowerCase();

      // if parameter name already exists
      if (obj[paramName]) {
        // convert value to array (if still string)
        if (typeof obj[paramName] === 'string') {
          obj[paramName] = [obj[paramName]];
        }
        // if no array index number specified...
        if (typeof paramNum === 'undefined') {
          // put the value on the end of the array
          obj[paramName].push(paramValue);
        }
        // if array index number specified...
        else {
          // put the value at that index number
          obj[paramName][paramNum] = paramValue;
        }
      }
      // if param name doesn't exist yet, set it
      else {
        obj[paramName] = paramValue;
      }
    }
  }

  return obj;
}
var code = getAllUrlParams().code;
        </script>
        </head>
<script>
document.write("Preparing to update AuthCode Item...")
var code = getAllUrlParams().code;
var xhr = new XMLHttpRequest();
xhr.open('POST', "https://myopenhab.org/rest/items/AuthCode");
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.setRequestHeader("Accept", "application/json");
xhr.onreadystatechange = function() {
        if(xhr.readyState == XMLHttpRequest.DONE && xhr.status == 200) {
                document.write("Received  " + code);
        }
        else if(xhr.status != 200) {
                document.write("Error in callback: " + xhr.status + " " + xhr.responseText);
        }
}
document.write("Sent " + code + "...");
xhr.send(code)
</script>

</html>

And the Rule:

import org.eclipse.xtext.xbase.lib.Functions
import java.net.URL
import java.nio.charset.StandardCharsets
import javax.net.ssl.HttpsURLConnection
import com.sun.org.apache.xml.internal.security.utils.Base64
import java.io.BufferedInputStream
import java.io.BufferedReader
import java.io.InputStreamReader
import java.text.SimpleDateFormat
import java.util.Date

val log = "dexcom"
val clientId = "CLIENT ID"
val clientSecret = "CLIENT SECRET"
val redirect = "https://myopenhab.org/static/test.html"

val tokenEndpoint = "https://sandbox-api.dexcom.com/v2/oauth2/token"

rule "Received authcode"
when
    Item AuthCode received command
then
  logInfo(log, "Starting to process authcode...")
  val code = receivedCommand.toString
  logInfo(log, "Received authcode: " + code)
  val tokenURL = new URL(tokenEndpoint)
  val HttpsURLConnection connection = tokenURL.openConnection() as HttpsURLConnection
  val request = 'client_secret='+clientSecret+'&client_id='+clientId+'&code='+code+'&grant_type=authorization_code&redirect_uri='+redirect
  logInfo(log, request)
  connection.setRequestProperty('content-type', 'application/x-www-form-urlencoded')
  connection.setRequestProperty('cache-control', 'no-cache')
  connection.requestMethod = "POST"

  connection.doOutput = true
  connection.setDoInput = true

  connection.outputStream.write(request.getBytes("UTF-8"))

  val responseCode = connection.responseCode

  logInfo(log, "HTTP Code: " + responseCode)
  logInfo(log, "Message: " + connection.responseMessage)

  val StringBuffer sb = new StringBuffer()
  val inputStream = new BufferedInputStream(connection.getInputStream())
  val BufferedReader br = new BufferedReader(new InputStreamReader(inputStream))
  var String inputLine = ""

  while ((inputLine = br.readLine()) != null) {
    sb.append(inputLine)
  }

  logInfo(log, "Response: " + sb.toString)
end

rule "Received tokens"
when
  Item Tokens received command
then
  logInfo(log, receviedCommmand.toString)
end
``

Note, this was mostly shamelessly copied from https://community.openhab.org/t/icloud-device-data-integration-in-openhab/32329.

pacive · June 15, 2018, 5:36pm

I haven’t tried to automate that part at all. What I did is putting a html-file in my conf/html-folder that just displays the authoraization code returned by the callback. I then copy-paste it into a command-line script (written in ruby) that takes care of obtaining the access token and saving it to a file. So except for using the html-folder I leave OpenHAB completely out of the loop.

I like your idea of posting the auth-code directly to the rest api though, might try that some other time! But, as you say, doing everything by javascript is probably impossible due to CORS…

Edit: Just a side-note: shouldn’t you mask your client id and secret in the rule above?

rlkoshak · June 15, 2018, 5:41pm

Cool. My original ideas were to use your type of approach (though I probably would have used Python). I only have a minute from getting the authcode to make the call to get the tokens before the authcode expires. Since I wanted to make this something that less technical people might be able to use it was important to me that it be automated.

And since I need to get the authtoken again periodically I suppose it makes sense to write this in Rules anyway (OK, so it really makes sense to write it as a binding).

It looks like I’m back in business. The biggest hurdle I see now is convincing my wife to let me link up her account for testing.

Shoot, I thought I had. I edited the posting so many times I guess I forgot. I’ll regenerate new ones as well. Thanks for noticing.

pacive · June 15, 2018, 5:51pm

I actually only needed to authorize one time, then I can always use the refresh token to get a new token when it expires (hence my script is really terrible…). Might be different from service to service though.

No problem!

rlkoshak · June 15, 2018, 5:55pm

Oh, this works the same. I get a refresh token that I use to make the call to get a new auth token and refresh token. What I was referring to was I would have to implement the HTTP connection stuff in my Rules anyway so I wasn’t really saving myself any work by trying to get the tokens using XMLHttpRequest. Even though I can do the request in like 8 lines of code in the JS and needed a page’s worth of code in Java/Rules DSL.

pacive · June 15, 2018, 6:04pm

For that reason I have moved all my complex rules that interacts with web services to external scripts (communicating with them via mqtt), the rules get very clunky very fast when trying to do such things…

Especially when you need to get much data from a json-response I find this much easier. In the rules you need to use the jsonpath transform for every value, which means openhab needs to parse the same json multiple times, extracting just one value each time. Feels like a waste of resources. Would be useful if you could parse a json string into a map directly in the rules instead.

rlkoshak · June 15, 2018, 6:14pm

I think there has been an open issue on ESH for while to make a JSON parser available in Rules.

For this I think I need to stick to Rules as my intent is to provide a way for others to easily make it work for them (my wife has zero interest in tying her BS numbers to the home automation) and requiring external scripts opens up a whole realm of problems I don’t want to have to help people solve. Exec and executeCommandLine problems are my least favorite prolbems to help people with.

Were I doing this only for myself, I’d probably write a module for https://github.com/rkoshak/sensorReporter and do it all in Python, or use JSR223 and again, do it all in Python or JavaScript. Ultimately, I’d like to write it up as a binding as I think Dexcom might be interested in this sort of unique use case. But I don’t know how that can work with the client ID and secret with an opensource project.

Maybe I’ll write it up and submit it to Mission to Make or Hack a Day or something at some point. Maybe the folks over on NightWatch or NightScout would be interested in something like this. Or maybe no one cares, but it’s fun to figure this sort of thing out.

pacive · June 15, 2018, 6:23pm

I see what you mean, if I had planned on writing a tutorial I would probably have done it in a different way.

Have been thinking of trying out making a binding myself, but from what I read here in the forum it’s not quite clear how to implement OAuth? I know some bindings have done it, but haven’t studied how they have implemented it.

rlkoshak · June 15, 2018, 7:27pm

I know that for IFTT, Alexa, and Google Assistant the OAuth is implemented in myopenhab.org and that is I think the official position on where the OAuth stuff belongs. Other services like Google and Nest provide other approaches that seem to work by downloading or copying the auth code or the like. I don’t know everything, but I don’t know of any bindings that implement the OAuth stuff directly. I’m not sure how it could as what redirect url would it use?

pacive · June 16, 2018, 5:37am

There’s also a Spotify connect binding that uses OAuth, there the user needs to register a Dev account to get their own client is and secret. Then the binding seems to host its own servlet to handle authorization.

github.com

astenlund74/openhab2-addons/blob/master/addons/binding/org.openhab.binding.spotify/README.md

# Binding for Spotify and Spotify Connect Devices

This binding implements a bridge to the Spotify Player Web API and makes it possible to discover Spotify Connect Devices available on your Spotify Premium account.
## Configuring the binding

The binding requires you to register an Application with Spotify Web API at https://developer.spotify.com - this will get you a set of Client ID and Client Secret parameters to be used by your binding configuration.

### Create Spotify Application

Follow the instructions in the tutorial at https://developer.spotify.com/web-api/tutorial/. Skip into and follow instructions under:

 1. Setting Up Your Account
 1. Registering Your Application
 
- Step 6: entering Website information can be skipped.
- Step 7: setting Redirect URIs is **very important**

When registering your new Spotify Application for openHAB Spotify Bridge you have to specify the allowed "Redirect URIs" aka white-listed addresses. Here you have to specify the URL to the Bridge Authentication Servlet on your server. 

If you run your openHAB server on "http://openhab.mydomain.com:8080"  you should add "http://openhab.mydomain.com:8080/connectspotify/authorize" to the Redirect URIs.

This file has been truncated. show original

rlkoshak · June 19, 2018, 9:22pm

Well shoot. I get it almost all the way working only to discover the API delays access to the data for 3.5 hours. That makes it pretty much useless in this context. Oh well, at least I figured out the OAuth2 stuff. I’ll post a tutorial on that I guess.

pacive · June 20, 2018, 6:12am

Wow, that’s just useless. Who wants data from 3.5 hours ago? On the upside, you have a working way to get OAuth authorization, might be useful for something else

rlkoshak · June 20, 2018, 12:53pm

Apparently is has to do with the FDA. They were concerned people might be writing their own non-FDA approved apps to provide treatment recommendations. So Dexcom delays the data by 3.5 hours to prevent that from happening. It certainly reduces the use of the data and the API.

I may look into other sources but my wife has no interest in this and she’s the one with the Dexcom so I will probably focus my efforts elsewhere.

For what it’s worth, I’ve posted an OAuth2 tutorial so, like you say, the effort wasn’t completely wasted.