I received an e-mail today from Netatmo about changes to API-tokens. Not knowing how the Netatmo binding works, I’m curios if those changes will cause problems for the Netatmo binding. Can anyone enlighten me? Cheers!
Dear Netatmo developer,
As of today, when you refresh an Access Token using the associated endpoint https://api.netatmo.com/oauth2/token, Netatmo servers respond with a couple of tokens : an Access Token and a Refresh Token.
If the previous Access Token is still valid, the newly returned access token is identical but its expiration time is extended for 3 hours.
In any case, the refresh token is not renewed.
Starting from the 17/04/2023, this behavior will change to to be compliant with the recommendations of the [RFC of the OAuth2 Authorization Framework] (section 10.4) and improving the security of the data of our users.
When refreshing tokens, Access Token and Refresh Token will be automatically renewed and former tokens invalidated.
What does it means for me ?
If you were already updating the tokens provided when refreshing your tokens, this change will not impact you.
If you do not update the refresh token when refreshing your Access Token, your users will be disconnected after 3 hours as the former tokens will become invalidated.
To fix it, you need to update the tokens as soon as you get the newly generated ones.
Legrand - Netatmo - Bticino