As of March 28th, 2024, ecobee is no longer accepting new developer subscriptions, nor are existing developer accounts able to create new API keys. There is no ETA for when they will be allowed again. Existing API keys will continue to function.
Ecobee is no longer accepting new developer subscriptions, so an alternative to the transitional API-key based login flow is necessary.
Ecobee's official web pages use a slightly different 'Auth0' login flow, which is able to produce Bearer tokens which can work with python-ecobee-api.
This is fairly straightforward:
- A request needs to be made to https://auth.ecobee.com/authorize?response_type=token&response_mode=form_post&client_id=183eORFPlXyz9BbDZwqexHPBQoVjgadh&redirect_uri=https://www.ecobee.com/home/authCallback&audience=https://prod.ecobee.com/api/v1&scope=openid%20smartWrite%20piiWrite%20piiRead%20smartRead%20deleteGrants
  - If a cookie called auth0 is provided, then a response is returned which tries to automatically submit a form to the redirect_uri, containing the Bearer token and expiration. This needs to be parsed out of the response, because we cannot change the redirect_uri to something we control (it appears to be linked to the client_id).
  - A new auth0 cookie is always set; this cookie is necessary so that new Bearer tokens can be generated without needing user interaction (by simply calling this endpoint again).
  - If an auth0 cookie is not provided, then it redirects the user to login first. We can either open some kind of embedded web page, or we can just have the user steal an auth0 cookie from their browser.
- Until its expiration, that Bearer token can be used the same as the token from the developer API. Note that there is no refresh token; you use the above API with the auth0 cookie in a similar manner.
If there are no objections to this approach, I plan to create a PR soon.
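The parsing step described in the post, as an added example that is not part of the original issue or of python-ecobee-api. It assumes the hidden field names access_token, token_type and expires_in from the OAuth 2.0 Form Post Response Mode; the sample HTML is constructed, not captured from ecobee, and parse_form_post is a hypothetical helper name.

```python
import time
from html.parser import HTMLParser

# Constructed sample of an auto-submitting form_post response (not captured
# from ecobee). Field names are an assumption based on the OAuth 2.0 Form
# Post Response Mode.
SAMPLE_RESPONSE = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://www.ecobee.com/home/authCallback">
<input type="hidden" name="access_token" value="EXAMPLE.TOKEN.VALUE"/>
<input type="hidden" name="token_type" value="Bearer"/>
<input type="hidden" name="expires_in" value="3600"/>
</form></body></html>"""

# redirect_uri from the authorize request in the post
EXPECTED_ACTION = "https://www.ecobee.com/home/authCallback"


class _FormPostParser(HTMLParser):
    """Collects the first form's action and all hidden input name/value pairs."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            if a.get("name"):
                self.fields[a["name"]] = a.get("value") or ""


def parse_form_post(html, now=None):
    """Return (bearer_token, expires_at_epoch). Raise ValueError when the body
    is not a token form, e.g. a login page because the auth0 cookie is stale."""
    parser = _FormPostParser()
    parser.feed(html)
    # Only accept a form that posts to the redirect_uri we asked for.
    if parser.action != EXPECTED_ACTION:
        raise ValueError("response is not a form_post to the expected redirect_uri")
    token = parser.fields.get("access_token")
    expires_in = parser.fields.get("expires_in", "")
    if not token or not expires_in.isdigit():
        raise ValueError("no token in response; auth0 cookie missing or expired?")
    if parser.fields.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError("unexpected token_type")
    now = time.time() if now is None else now
    return token, int(now) + int(expires_in)
```

Both the auth0 cookie and the returned token are credentials for the account, so store them like a password and keep them out of logs and error messages.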