Abusing the Internet of Things

Content-Length: 191
User-Agent: SmartThings/1006 (iPhone; iOS 8.0.2; Scale/2.00)
X-ST-Client-OS: iOS 8.0.2
Connection: keep-alive
client_id=[DELETED]&client_secret=[DELETED]0&grant_type=password&
password=skeuomorphism&scope=mobile&username=scott.forstall@apple.com

The app uses the OAuth standard to submit the credentials and gain authorization. The
client_id and client_secret values submitted by the app are always the same, so they can be
considered public information. As expected, the combination of the username and password
fields needs to be correct. Once the user submits the right credentials, the
graph.api.smartthings.com server will respond in the following way:


HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: application/json
Date: Fri, 17 Oct 2014 04:46:45 GMT
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 135
Connection: keep-alive
{
"access_token": "[DELETED]",
"expires_in": 1576799999,
"scope": "mobile",
"token_type": "bearer"
}

The important token to note here is access_token, which the app will use to convince the
graph.api.smartthings.com server that it has authorization. Anyone who knows this token
can directly connect to the graph.api.smartthings.com server and impersonate the user. Note
that the unit of expires_in is seconds, so this value corresponds to 18,250 days. In other words,
the access_token value is valid and will be accepted by graph.api.smartthings.com for 18,250
days, after which the user will be required to log in again.
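
As an added illustration (not code from the book), a small audit of the exchange described above: it parses a constructed copy of the request body and token response, computes the token lifetime from expires_in, and flags the properties the text calls out (a password grant, a client_secret sent from a mobile app, and a very long-lived bearer token). The placeholder values and the MAX_ACCESS_TOKEN_DAYS threshold are assumptions.

```python
import json
from urllib.parse import parse_qs

# Constructed sample modelled on the captured exchange; secrets replaced
# with placeholders. The real values were redacted in the text as well.
TOKEN_REQUEST_BODY = (
    "client_id=PLACEHOLDER_ID&client_secret=PLACEHOLDER_SECRET"
    "&grant_type=password&password=PLACEHOLDER_PW&scope=mobile"
    "&username=user@example.com"
)
TOKEN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-store\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"access_token": "PLACEHOLDER_TOKEN", "expires_in": 1576799999, '
    '"scope": "mobile", "token_type": "bearer"}'
)

MAX_ACCESS_TOKEN_DAYS = 1  # policy threshold assumed for this example

def parse_http_response(raw):
    """Split a raw HTTP response into a lowercase header dict and JSON body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, json.loads(body)

def token_lifetime_days(expires_in):
    """expires_in is in seconds; convert to whole days."""
    return round(expires_in / 86400)

def audit_token_exchange(request_body, raw_response):
    """Return (lifetime_days, findings) for a captured OAuth token exchange."""
    findings = []
    params = parse_qs(request_body)
    if params.get("grant_type") == ["password"]:
        findings.append("password grant: the app handles the user's raw password")
    if "client_secret" in params:
        findings.append("client_secret sent by a mobile app: treat it as public")
    headers, token = parse_http_response(raw_response)
    days = token_lifetime_days(token["expires_in"])
    if days > MAX_ACCESS_TOKEN_DAYS:
        findings.append(f"bearer token valid for {days} days")
    if headers.get("cache-control") != "no-store":
        findings.append("token response missing Cache-Control: no-store")
    return days, findings
```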

The SmartThings app allows the user to specify multiple physical locations, such as home
and office, and manage devices within those locations. Figure 4-5 shows the app interface
listing a current location (Home) with the ability to add additional locations.


CHAPTER 4: BLURRED LINES—WHEN THE PHYSICAL SPACE MEETS THE VIRTUAL SPACE (page 90)
