Authorization¶
To be able to control and monitor devices belonging to end-users through your app, the end-user must log in to SmartHQ and grant your app access to their SmartHQ devices. When you send a command to the end-user's device, you must show identification to prove you have access to control their device. This page discusses the OAuth 2.0 authorization framework for this purpose.
Prerequisites
- See Get Started for information on how to create an account, create an app, and begin calling our APIs.
- See our Device Commissioning documentation for details on connecting a device to the SmartHQ cloud and how that applies to your application.
General Info¶
The Identity and Access Management API is our OAuth 2.0 service used to generate access tokens for authorizing Digital Twin API calls that control and monitor end-user devices.
By default, SmartHQ’s Identity and Access Management API endpoints enable 'Sign In with SmartHQ' and 'Register with SmartHQ' functionality to handle authorization (granting your app permission to control end-users' devices). The endpoints are not intended to perform user authentication for your application as a way for an unauthenticated user to gain access to your application. See Authorization vs Authentication to learn more.
End-to-End Flow¶
This sequence diagram explains how the end-user gives your application access to control and monitor their devices. As a result, your application receives an access token to approve future API calls.
sequenceDiagram
participant App as Your Application
participant User as End-User
participant Auth as SmartHQ Auth Server
participant API as Digital Twin API
User->>App: (2) Chooses to start authorization
App->>Auth: (3) GET /oauth2/auth
Auth->>User: (4) Displays login & consent screen
User-->>Auth: (5) Logs in & grants permissions
Auth-->>App: (6) Redirects with Authorization Code
App->>Auth: (7) POST /oauth2/token (with Auth Code & additional parameters)
Auth-->>App: (8) Returns Access Token (and optional Refresh Token)
App->>API: (9) API call with Access Token
API-->>App: (10) API gives response
App->>Auth: (11) POST /oauth2/refresh_token (with Refresh Token)
Auth-->>App: (12) Returns new Access Token
User->>App: (13) Chooses to log out
App->>App: (14) Logs user out locally
App->>Auth: (14) Redirects to GET /oauth2/applogout
Auth->>App: (15) Redirects to callback URL specified in app creation
- You create an account and create an app in the SmartHQ ecosystem to obtain your Client ID and Client Secret.
- The end-user interacts with your application and initiates the authorization process.
- Your application calls
GET /oauth2/authwith query parameters specified in the OpenAPI specification. Optionally, to obtain a Refresh Token later, includeaccess_type=offline. - The SmartHQ Authorization Server returns a SmartHQ login web page to the end-user.
- The end-user logs in to SmartHQ. The end-user is presented with an authorization screen to grant your app permission to access their devices and authorizes your application.
- The SmartHQ Authorization Server redirects the end-user back to the Callback URL specified when creating the SmartHQ app, passing the Authorization Code as part of the URL.
- Your application calls
POST /oauth2/tokenwith the Authorization Code and additional parameters in the request body. - The SmartHQ Authorization Server returns an Access Token. If a Refresh Token was requested and granted, it is included in the response.
- Your application calls any endpoint in the Digital Twin API, including the Access Token as a Bearer token in the Authorization header to authorize the request.
- The Digital Twin API responds to your application.
- Your application, when the Access Token expires, calls
POST /oauth2/tokenwith the Refresh Token and other required parameters to obtain a new Access Token without requiring the end-user to reauthorize. - The SmartHQ Authorization Server returns a new Access Token to your application.
- The end-user chooses to log out of your application.
- Your app logs the end-user out locally and redirects them to
GET /oauth2/applogoutin the browser to clear the cached SmartHQ login. - The end-user is redirected to the callback URL specified when creating the app in the SmartHQ Developer Portal.
Authorization Flow¶
The authorization flow begins with calling GET /oauth2/auth in step 3 in the sequence diagram above. This endpoint returns HTML for a login page, which after logging in, presents the end-user with an authorization screen to give your app permissions to control and monitor their appliances. The authorization flow finishes with step 6 by redirecting the end-user back to your application with the authorization code as part of the redirect url.
Registration Flow¶
For end-users who do not have a SmartHQ account, GET /oauth2/register is an API endpoint that allows users to do the following:
- Sign up for SmartHQ by creating a SmartHQ account
- Verify their account through email
- Sign in to their SmartHQ account1
- Approve your application to control and monitor their devices
- Go back to your application by SmartHQ redirecting.2
This endpoint functions just like GET /oauth2/auth with an additional step at the start to create an account.
Implementation Recommendation
It is not necessary to include GET /oauth2/register directly within your application. All users can be directed to GET /oauth2/auth. If needed, they can choose to create a SmartHQ account from that page- they will be automatically redirected to GET /oauth2/register when they choose to sign up for a new account. The query parameters will carry over from GET /oauth2/auth to GET /oauth2/register.
Providing users with a single link for authorization (GET /oauth2/auth) reduces complexity, but allows both returning and new users to complete the authorization process.
Note
Even if an end-user creates a SmartHQ account through this registration flow, they must still download the SmartHQ app to complete device commissioning for the device to appear in the SmartHQ cloud and be accessible via our APIs.
sequenceDiagram
participant App as Your Application
participant User as End-User
participant Auth as SmartHQ Auth Server
User->>App: (1) End-user chooses to create a SmartHQ account
App->>Auth: (2) GET /oauth2/register
Auth->>User: (3) Displays sign-up screen
User-->>Auth: (4) Signs up
Auth->>User: (5) Displays verify your email screen
User-->>Auth: (6) Verifies email
Auth->>User: (7) Displays confirmation screen
User->>Auth: (8) End-user selects "I've Verified My Email"
Auth->>User: (9) GET /oauth2/auth
- The end-user chooses to create a SmartHQ account: either directly from you providing a link to
GET /oauth2/register, or the end-user choosing to sign-up from a URL in theGET /oauth2/authreturned webpage (recommended approach). GET /oauth2/registergets called.- The SmartHQ Authorization Server displays a registration form to the end-user.
- The end-user completes the form to create their SmartHQ account.
- The SmartHQ Authorization Server presents a screen prompting the user to verify their email address.
- The end-user clicks the link in their email to verify their SmartHQ account.
- The SmartHQ Authorization Server displays a confirmation screen upon successful email verification.
- The end-user selects the button "I've Verified My Email" from the first "verify your email screen."
- Upon clicking the "I've Verified My Email" button,
GET /oauth2/authis automatically called which displays the SmartHQ login screen to end-user. - See End-to-End Flow Sequence Diagram for where this continues. The user proceeds with step 4 in that diagram.
App Logout Use Case¶
The authorization process opens SmartHQ login pages in a browser or webview as part of the OAuth 2.0 flow. SmartHQ stores a session via browser cookies to remember which end-user was last signed-in. If your app logs out end-users but does not clear that SmartHQ session, the next time the login flow is triggered, the end-user may be automatically logged in with the same SmartHQ account, even if they were expecting to switch to a different account.
The purpose of POST /oauth2/applogout is to remove the cached login session (i.e., SmartHQ user session) stored in the end-user's web browser. That means next time they try to authorize something, they’ll be prompted to log in again, rather than being auto-logged-in with their last account.
Important
To ensure a complete logout experience and prevent automatic re-login with the previous account, your app should always invoke this endpoint as part of its logout flow.
What this endpoint does not do:
- This endpoint does not revoke tokens. Any access or refresh tokens your app receives from SmartHQ are still valid. You can continue making API calls unless you manually stop using the token.
- This endpoint also does not end the user's session within your app. You’re still responsible for logging the end-user out on your side.
Client Credentials¶
When creating an app on the SmartHQ Developer Portal (see Get Started), you receive two important pieces of information:
| Credential | Purpose | Usage |
|---|---|---|
| Client ID | Uniquely identifies your app to the SmartHQ authorization server | Included in OAuth requests to indicate which app is making the request |
| Client Secret | Verifies your app to the authorization server | Used in POST /oauth2/token to securely obtain access tokens |
OAuth 2.0 Tokens¶
OAuth 2.0 authorization involves different credentials, each serving a different purpose:
| Credential | Purpose | Key Details |
|---|---|---|
| Authorization Code | Temporary code received after user authorization to get an access or refresh token | - Single-use - Valid for 10 minutes - Used to request Access & Refresh Tokens. - Received by calling GET /oauth2/auth or GET /oauth2/register |
| Access Token | Authorizes SmartHQ API requests by being passed as the bearer token | - Reusable - Valid for 1 hour - Tied to a single end-user's SmartHQ account. The access token gives access to the end-user's devices through our APIs. - Received by calling POST /oauth2/token |
| Refresh Token | Used to get a new Access Token without requiring additional user login | - Reusable - Valid indefinitely, until a new token is requested; the new token then becomes only valid refresh token. - Only issued when access_type=offline is called in GET /oauth2/auth or GET /oauth2/register.- Received by calling POST /oauth2/token |
Note
- Each access token corresponds to a single end-user's account. The access token only provides access to the device the end-user has commissioned to their SmartHQ account.
- None of the Identity and Access Management API endpoints require an access token to be used.
Callback URL¶
The Callback URL is specified when creating an app in the SmartHQ ecosystem. It is where end-users are redirected after they grant permission to your application. This URL should be part of your application; it is where your application will receive the authorization code, which can then be exchanged for an access token.
Modify Callback URL¶
The Callback URL can be changed in the SmartHQ Developer Portal by going to the APIs page, selecting the "Apps" menu option, choosing your app, and clicking "Edit" next to the "Credentials" tab.
Callback URL vs. redirect_uri
The callback URL you specify when creating a SmartHQ app is referred to as the redirect_uri in the Identity and Access Management API specification. redirect_uri is an OAuth 2.0 term for the callback URL. Both refer to the same destination—where the end-user is redirected after authorization—and must be the exact same URL.
Authorization vs. Authentication¶
SmartHQ’s Identity and Access Management API endpoints handle authorization (granting your app permission to control end-users' devices). While the user does log in to SmartHQ to complete this authorization, the API is not intended to perform user authentication. This means your application should not rely on the Identity and Access Management API to sign in users to your application. You’ll still need your own login system or another OpenID Connect (OIDC) provider to allow users to sign into your application.
However, if your application would benefit from the ability to authenticate with SmartHQ, please contact us.
-
Here the user is automatically redirected to
GET /oauth2/authwith the same query parameters used in the originalGET /oauth2/registerrequest. ↩ -
SmartHQ includes the authorization code as part of the URL. ↩