We would need some support on designing the auth & device setup flow for an organization model.
Our system's architecture is like:
mobile app ---> my server ---> particle cloud
The only direct communication between our custom app and the particle cloud is during device setup.
We want to avoid the user having to create a Particle.io account and at the same time we wish to have control of the devices from our server. From the docs the solution is to use a two-legged auth workflow. However I'm a bit confused about how device setup & the two-legged auth can work hand-in-hand
I'm planning to setup the following flow for device setup-
Customer opens product mobile app.
Put the particle device in listening mode.
ParticleDeviceSetupLibrary.init(this.getApplicationContext(), MyMainActivity.class);
The flow takes to the user to device setup screens via the API.
The API authenticates to Particle Cloud using OAuth credentials generated by me instead of showing up the Particle login/signup worflow.
To provide the ParticleCloud class with correct OAuth credentials for creating customers (so app users could create an account), read the instructions here ( link doesn't have anything ).
Study the documentation on how to implement two-legged auth. As it says there, “it is important that you understand the diagram very well.” It’s complex, but we’ve laid it out in the exact sequence of steps that must be taken to setup a device without the customer having a username and password to Particle.
Q1) Yes, feasible — study the two-legged auth implementation docs as mentioned above. Thank you too for pointing out the missing link. We’ll get that content added to the Android SDK docs soon.
Q2) Great question! So first, to pull apart the question into 2 pieces. First, how you get any info (claim code, access token, or otherwise) from your server to your app is entirely up to you; your app could, for example, hit a REST API endpoint on your server, which returns the info in the response. The second part of your question is in our hands though — once your Android app has the access token, how do you pass it to the Device Setup Library? This is a feature we’re working on right now. @jensck may have tips for you. We’ll update the docs when the feature is released to the Android SDK.
Q3) Your server will have seen the access token you passed to the app for the customer’s use, so yes, exactly as you say, your server could store and use that same token. Alternatively, you could use client credentials grant without scoping to a single customer to create a token that the server can use to query all of your products. Be extremely careful with such a token. More power & convenience server-side; also more danger.
Re: setup without creating Particle accounts, that feature is in the works now. I can’t quote API for you, but if you’ve had an easy enough time with the Android SDK/setup lib so far, this will be very simple to adapt to. (And if you haven’t had an easy time, I’d love to hear any feedback about your experiences!)
The second part of your question is in our hands though — once your Android app has the access token, how do you pass it to the Device Setup Library? This is a feature we're working on right now. @jensck may have tips for you. We'll update the docs when the feature is released to the Android SDK.
Thank you for the information. Since, step 4 onwards, the access token is needed for setting up the device. Not having the support yet implies that the Device Setup API SDK + 2 legged-auth flow implementation is not possible. Did I understand correctly? Could you please tell me when you would be supporting it?
In that case, could you please tell me what alternatives do we have apart from having to show the login page ?
Not having the support yet implies that the Device Setup API SDK + 2 legged-auth flow implementation is not possible.
Correct, this is not possible with the current versions of the device setup lib and cloud SDK. As Zachary mentioned, this feature is in development now, and will be available soon. If you need an immediate workaround, you could make a custom build of the cloud SDK; it wouldn't take too much to add a temporary hack to get the ParticleCloud class to accept an arbitrary token.
Could you please share the patch and the base code on which I should be applying it?
The only other is , If I do allow them to use a user/pass login, I would in that case need to re-claim the device to my own ‘admin’ account ( which would house other devices as well ) to be able to access it.
Also, another concern I have is:
For scenarios where the wifi password password change needs to be communicated to the photon, can the same documented workflow be implemented as is?
I am guessing steps 1 , 2 and 3 of the 2-legged auth docs need not be done.
This post has gotten stale, and pinging to see if there has been any progress? I propose adding the ability to kick off the device setup activity, passing the customer’s token and the product id as parameters. A signature like this: