OAuth2 Authentication using Brightscript (Javascript)

I’m in the process of converting my application that displays WeatherFlow data on a TV using a ROKU streaming device to use OAuth2 for authentication. Currently it works, but uses a developer key hard-coded in the web call.

The language used by ROKU is basically Javascript with an add-on ultimately making it Brightscript.

I cannot get the HTTP POST parameters correct (I think that’s my problem). Regardless of what I’ve tried I get a 401 response (unauthorized).

A few questions:

  • Once I get the AUTHORIZATION CODE from the initial web call and it’s returned to my provided URL is there a time limit associated with the use of that AUTHORIZATION CODE?

  • Once that AUTHORIZATION CODE is used and “fails”, i.e. returns 401 (unauthorized), is it still usable and can be tried again?

  • Once this works and I get a TOKEN, I haven’t seen any examples about how to use the TOKEN. Are there any good examples somewhere?

  • Once it works does that TOKEN permit viewing any station data that is sharing publicly?

  • Just wondering if this is the best way to implement this type of authentication. My application is running on a ROKU streaming device that is not a web-browser. So that means I will need to present the AUTHORIZATION CODE to the user on a computer then have them input a 36-character alphanumeric string into a TV interface with a TV remote control. If this is the only option then that’s OK, just making certain I don’t have other options.

In my attached example I have hard-coded the strings into the POST parameters for troubleshooting purposes, will convert to variables once working.

Thank you in advance!

Not sure I have definitive answers to everything, but here are some answers that I do know.

The token is like an API key - it works in exactly the same way. The only difference is that you pass token= in the URL query string, rather than api_key=. The docs have some examples under Step 3 here: WeatherFlow Tempest API & Developer Platform

No, this is the key difference between an API key and a token. A token only allows access to stations owned by the user. If you want access to all publicly available stations, that requires an enterprise agreement with WF.

I am not familiar with the backend capabilities of ROKU, but the idea with OAuth2 is that the user would log into their WeatherFlow account on their TV (using their TV remote), and your code would handle the fetching and exchange of an authorisation code for an access token in the background. If this is not possible, then you don’t need complicated code. Just get each user to enter a Personal Access Token using their TV remote (this will be a long alphanumeric character string) and use this as the access token. Read the last paragraph of Step 2 here: WeatherFlow Tempest API & Developer Platform

As an observation, when I add a channel to my Roku that requires authorisation, I am often presented with a URL address on the screen that I go to on my smartphone. I then log into the service on my smartphone, and that login procedure is auto-magically communicated to my Roku and it logs me in on my TV. I do not know how this is implemented, however.

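The code-for-token exchange asked about in the question and the token= usage described in the reply, as an added BrightScript example that is not code from either poster or from WeatherFlow. It follows the generic OAuth2 authorization-code request (RFC 6749, section 4.1.3) and assumes the server accepts client credentials in the form body; the `cfg` field names, the endpoint URLs and the helper names are hypothetical placeholders.

```brightscript
' Added example. cfg fields (tokenUrl, clientId, clientSecret, redirectUri)
' are hypothetical names holding placeholder values supplied by the caller.

' Build an application/x-www-form-urlencoded body from an associative array.
function FormEncode(xfer as Object, fields as Object) as String
    body = ""
    for each key in fields
        if body <> "" then body = body + "&"
        body = body + xfer.Escape(key) + "=" + xfer.Escape(fields[key])
    end for
    return body
end function

' Exchange the authorization code for a token (RFC 6749 section 4.1.3).
' Returns the parsed JSON response, or invalid on any failure.
function ExchangeCode(cfg as Object, code as String) as Object
    port = CreateObject("roMessagePort")
    xfer = CreateObject("roUrlTransfer")
    xfer.SetMessagePort(port)
    xfer.SetCertificatesFile("common:/certs/ca-bundle.crt") ' HTTPS trust store
    xfer.InitClientCertificates()
    xfer.RetainBodyOnError(true) ' keep the error JSON on a 4xx reply
    xfer.SetUrl(cfg.tokenUrl)
    xfer.AddHeader("Content-Type", "application/x-www-form-urlencoded")
    body = FormEncode(xfer, {
        grant_type: "authorization_code",
        code: code,
        client_id: cfg.clientId,
        client_secret: cfg.clientSecret,
        redirect_uri: cfg.redirectUri
    })
    if not xfer.AsyncPostFromString(body) then return invalid
    msg = wait(15000, port)
    if type(msg) <> "roUrlEvent" then return invalid
    if msg.GetResponseCode() <> 200 then
        print "token request failed: "; msg.GetResponseCode(); " "; msg.GetString()
        return invalid
    end if
    return ParseJson(msg.GetString())
end function

' Append the token as the token= query parameter, as the reply describes.
function WithToken(xfer as Object, dataUrl as String, accessToken as String) as String
    return dataUrl + "?token=" + xfer.Escape(accessToken)
end function
```

In a standard OAuth2 response the token is the `access_token` field of the parsed JSON. In a SceneGraph channel, `roUrlTransfer` calls like these belong in a Task node rather than the render thread.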