OH3: API calls with valid oauth token for cloud give 401

[RayBa82]

API calls for urls like https://myopenhab.org/rest/uuid with a valid token for the cloud result in a 401 json response { "error": { "message": "Authentication required", "http-code": 401 } }

calls for https://myopenhab.org/rest/items

do still work like before.

[digitaldan]

This is not myopenhab, but your OH3 instance returning this error. Authentication was added too many endpoints in OH3, including this one.

[RayBa82]

So it is just not possible to use those endpoints anymore? This is a serious design flaw, it should be possible to call those endpoints from the cloud with an authenticated user. The oauth authorization code flow is not working this way, there you have only a token for the cloud an no access to other authentication data.

[digitaldan]

Those endpoints are authenticated as you mention, and are useable through the cloud service, this is how the new UI is able to work through the cloud service.

here you have only a token for the cloud an no access to other authentication data.

OH3 can optionally use a separate header for just this use case, see https://github.com/openhab/openhab-webui/pull/328 , set the X-OPENHAB-TOKEN header instead of the Authorization header

[RayBa82]

Setting the oauth token additionally in the X-OPENHAB-TOKEN header does not work either. This gives: { "error": { "message": "Invalid credentials", "http-code": 401 } }

The Authentication header is required to authorize with oh cloud. So it is mandatory and must be present.

I have no clue how to call the API endpoints now

[digitaldan]

without more detail i can't really help. If you load up the OH3 UI through the cloud service, you can see the headers it's sending and how it's able to reach those endpoints.

[RayBa82]

I am using my own implementation of the google assistant integration. Scenario: Google is authorized via OAuth authorization code flow and gets an authentication token from openhabcloud. Google uses this token to send commands and queries to my google assistant implementation. Then my implementation uses this token to call the REST interface of the openhabcloud instance.

That means I only have the token from the authorization code flow and nothing more. With this token alone it is not possible to call the now protected endpoints anymore. It is just pure luck that the official google assistant integration does not call a protected API.

When turning the switch "Implicit user role for unauthenticated requests" under "Settings -> API Security" off not a single REST call does work anymore.

From my point of view it looks like the oauth design is broken, it now requires double authentication. It must be enough to be authenticated against oh cloud, the oh cloud -> oh client communication must be handled by oh cloud itself.

[RealDeuce]

I just had this same issue with OpenHAB 3.3 when trying to get Alexa to work through myOpenHAB. Setting org.openhab.io.openhabcloud log to TRACE, I would always get:

14:42:20.143 [TRACE] [.io.openhabcloud.internal.CloudClient] - {"error":{"message":"Authentication required","http-code":401}}
14:42:20.144 [TRACE] [.io.openhabcloud.internal.CloudClient] - Sent content to request 14892509
14:42:20.145 [DEBUG] [.io.openhabcloud.internal.CloudClient] - onComplete: 14892509
14:42:20.146 [DEBUG] [.io.openhabcloud.internal.CloudClient] - Jetty request 14892509 failed: HTTP protocol violation: Authentication challenge without WWW-Authenticate header
14:42:20.147 [DEBUG] [.io.openhabcloud.internal.CloudClient] - Response Failure: HTTP protocol violation: Authentication challenge without WWW-Authenticate header

When Alexa tried to discover items. Once I turned on Implicit user role for unauthenticated requests, it functioned as expected. I bashed my head against this one for a couple days before I found this thread.