[Netatmo] oAuth token refresh process evolutions

[clinique]

Authentication update

Dear Netatmo developer,

As of today, when you refresh an Access Token using the associated endpoint https://api.netatmo.com/oauth2/token, Netatmo servers respond with a couple of tokens : an Access Token and a Refresh Token.

If the previous Access Token is still valid, the newly returned access token is identical but its expiration time is extended for 3 hours.

In any case, the refresh token is not renewed.

Starting from the 17/04/2023, this behavior will change to to be compliant with the recommendations of the RFC of the OAuth2 Authorization Framework (section 10.4) and improving the security of the data of our users.

When refreshing tokens, Access Token and Refresh Token will be automatically renewed and former tokens invalidated.

What does it means for me ?

If you were already updating the tokens provided when refreshing your tokens, this change will not impact you.

If you do not update the refresh token when refreshing your Access Token, your users will be disconnected after 3 hours as the former tokens will become invalidated.

To fix it, you need to update the tokens as soon as you get the newly generated ones.

Sincerely,

Legrand - Netatmo - Bticino

[openhab-bot]

This issue has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/netatmo-api-changes/145002/4

[clinique]

From what I see in the code, once generated for the first time, the refreshToken is stored in configuration and never updated again.
A change in the binding will be implemented to store new value of the refreshToken when provided by the API.
This change will be implemented for current OH4 branch and will have to be backported to OH3.x.