[OH3] REST API Authentication Help RESOLVED

I am running OH3 Build 1941 snapshot and want to use the REST API with my scripts.

I see there is an OAuth token system for authentication & authorization. How is that used?

1 Like

It’s a standard OAuth2 authorization code flow (https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/). The only thing to know which is specific to openHAB is that the client_id and the redirect_url need to be the same. There are plans to be able to generate long-lived API tokens but it’s not done atm.

Basically you need to get an authorization_code, then exchange it for an access_token which is valid for one hour. You’ll get a refresh_token as well you have to keep and use to get additional access_tokens.

You can perform the initial part of the flow with Google’s OAuth2 Playground for instance (but anything else is fine too).

On the right you need to configure the endpoints as follows:

Then on the left type “admin” in the “input your own scopes” box (it’s the only scope defined currently)
And click Authorize APIs.

openHAB will ask you to login to authorize the OAuth playground.

When you come back copy the authorization_code and use the API explorer in openHAB to get your access_token and refresh_token (uncheck the last two “send empty value” checkboxes).

Check the logs to troubleshoot if the request doesn’t succeed.

Keep the refresh_token somewhere and use the access_token to get access for one hour. You need to add the Authorization: Bearer <access_token> HTTP header to requests.
When you need another access_token, use the token endpoint with the refresh_token to get one.

curl -X POST "http://localhost:8080/rest/auth/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&client_id=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&refresh_token=32ace7650506423..."

That appears to happen after the authentication (username password verification) .
What is the OH3 authentication flow to get an authorization code?

The UI redirects to the auth endpoint with its own parameters that you can see in the URL.

On OAuth Playground what APIs selected on the left?

I have used OAuth2 REST APis ti interface with several other products.

None, those are Google APIs, just input “admin” below which is the only scope openHAB supports.

And of course don’t try to perform step 2 from the playground, Google doesn’t have access to your openHAB instance.

1 Like

Does not work
When I click the button

I get this

Is there any way to disable this authorization - this seems way oversized for something that just runs locally and provides nothing basic authentication would provide, too.

1 Like

Since there is only one role, I believe there is (or should be) a way to use that generically for local processes.

Hi, this issue has not yet been resolved in the official release of OH3, has it?

Unfortunately, even the examples from the official REST API documentation appear not to work any longer. I did a fresh install of OH3 on my raspi, and when I try out any of the GET examples and append -p 'myuser:mypassword' to the curl command, I still receive a 401 error …

No chance to use the REST API in OH3? I thought the new version would be considered stable when I decided to update :frowning:

With Basic Authentication I believe the credentials go in the header. HABApp works with token & Basic Authentication so I would say there is an issue in your implementation.

The authentication & authorization are a deliberate feature, not a bug.

Have you activated the feature to allow basic authentication? You will find it in the Admin UI under Settings–>API Security. There you can enable it:

1 Like

On my post earlier today I did not realize I was responding to an old thread. The earlier authentication issues were resolved to ways.

One was the option of Basic Auth mentioned by @vossivossi

The other is being able to generate an API token from the Admin page…

Yes, I have, but it still does not work … I also tried to toggle the implicit user roles switch without success.

Then please start a new thread detailing what you have tried. The initial issue was resolved.

Alright, I finally got it. Not sure what I did wrong, but now I am able to access the REST API again. Maybe there was a pending reboot?

However, I have summarized everything I found out in this issue for the documentation repository: openhab/openhab-docs#1391. Thanks for your help, and sorry for replying to an older thread!