feat(auth)!: Implement new OAuth device code grant flow (#478)

* feat(auth)!: Implement new OAuth device code grant flow

This commit introduces the new device code grant flow introduced
by Tado and required as of 2025-03-21.

The changes are highly based on python-tado, release 0.18.9
See: https://github.com/wmalgadey/PyTado/commits/0.18.9/

For more information about the change by Tado,
See: https://support.tado.com/en/articles/8565472-how-do-i-authenticate-to-access-the-rest-api

BREAKING CHANGE: Tado does not support password grant flow as authentication flow anymore.

* chore: uncomment useful call in example

* fix(auth): Create token file when absent to avoir errors

* chore: Update .env.template file

* fix(cli): Manage mutually exclusive cli arguments

* ci: Remove matric strategy on python versions

* ci: Remove matric strategy on python versions

* ci: Remove matric strategy on python versions

* fix(cli): Manage mutually exclusive cli arguments

* chore(lint): Ruff linter

* chore(lint): Yaml linter

* docs: Add page to explain what are why about new auth flow

* docs: Update tado generated jsonschemas

* docs: Update readme with warning banner

* ci: Disable unit tests job

---------

Co-authored-by: Arjan Vlek <[email protected]>

Author: germainlefebvre4

.env.template

@@ -1,3 +1,3 @@
-TADO_USERNAME=""
-TADO_PASSWORD=""
-TADO_CLIENT_SECRET="wZaRN7rpjn3FoNyF5IFuxg9uMzYJcvOoQ8QWiIqS3hfk6gLhVlG57j5YNoZL2Rtc"
+TADO_BRIDGE_AUTHKEY="Cg3Z"
+TADO_CREDENTIALS_FILE="/tmp/.libtado_refresh_token.json"
+# TADO_REFRESH_TOKEN="BIv81abc7wH-K1mnhr1KabcE4OigjabcRX29lkSVQabcIwbDh6Wabc6wqRTgU5d4"

.github/workflows/release-feat-dryrun.yml

@@ -96,11 +96,11 @@ jobs:
           poetry publish -r test-pypi
         if: needs.release.outputs.new_release_published == 'true'
 
-      # - name: Clean PyPi release
-      #   if: always()
-      #   run: |
-      #     poetry add pypi-cleanup
-      #     poetry run pypi-cleanup --host https://test.pypi.org --username $PYPI_CLEANUP_USERNAME --package libtado --do-it
-      #   env:
-      #     PYPI_CLEANUP_USERNAME: ${{ secrets.PYPI_TEST_USERNAME }}
-      #     PYPI_CLEANUP_PASSWORD: ${{ secrets.PYPI_TEST_TOKEN }}
+        # - name: Clean PyPi release
+        #   if: always()
+        #   run: |
+        #     poetry add pypi-cleanup
+        #     poetry run pypi-cleanup --host https://test.pypi.org --username $PYPI_CLEANUP_USERNAME --package libtado --do-it
+        #   env:
+        #     PYPI_CLEANUP_USERNAME: ${{ secrets.PYPI_TEST_USERNAME }}
+        #     PYPI_CLEANUP_PASSWORD: ${{ secrets.PYPI_TEST_TOKEN }}

.github/workflows/template_test.yml

@@ -6,7 +6,8 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11"]
+        python-version: ["3.11"]
+        # python-version: ["3.8", "3.9", "3.10", "3.11"]
         poetry-version: ["main"]
 
     steps:
@@ -29,7 +30,9 @@ jobs:
           export TADO_PASSWORD=$(echo $TADO_PASSWORD_B64 | base64 -d)
           poetry run pytest tests/api/test_api.py tests/api/test_tado.py
         env:
-          TADO_USERNAME: ${{ secrets.TADO_USERNAME }}
-          TADO_PASSWORD_B64: ${{ secrets.TADO_PASSWORD_B64 }}
-          TADO_CLIENT_SECRET: ${{ secrets.TADO_CLIENT_SECRET }}
+          # TADO_USERNAME: ${{ secrets.TADO_USERNAME }}
+          # TADO_PASSWORD_B64: ${{ secrets.TADO_PASSWORD_B64 }}
+          # TADO_CLIENT_SECRET: ${{ secrets.TADO_CLIENT_SECRET }}
           TADO_BRIDGE_AUTHKEY: ${{ secrets.TADO_BRIDGE_AUTHKEY }}
+          # TADO_REFRESH_TOKEN: ${{ secrets.TADO_REFRESH_TOKEN }}
+          TADO_CREDENTIALS_FILE: ${{ vars.TADO_CREDENTIALS_FILE }}

.github/workflows/test.yml

@@ -1,9 +1,9 @@
----
-name: Test
-on:
-  - pull_request
+# ---
+# name: Test
+# on:
+#   - pull_request
 
-jobs:
-  pytest:
-    uses: ./.github/workflows/template_test.yml
-    secrets: inherit
+# jobs:
+#   pytest:
+#     uses: ./.github/workflows/template_test.yml
+#     secrets: inherit

.pre-commit-config.yaml

@@ -37,10 +37,10 @@ repos:
       - id: poetry-lock
       - id: poetry-check
 
-#   - repo: https://github.com/python-poetry/poetry-plugin-export
-#     rev: 1.9.0
-#     hooks:
-#       - id: poetry-export
+      # - repo: https://github.com/python-poetry/poetry-plugin-export
+      #   rev: 1.9.0
+      #   hooks:
+      #     - id: poetry-export
 
   - repo: local
     hooks:

README.md

@@ -14,6 +14,15 @@ A library to control your Tado Smart Thermostat. This repository contains an act
 
 **The tested version of APIs is Tado v2.**
 
+## ⚠️ Breaking change in v4 ⚠️
+
+Starting the **21st of March 2025**, the Tado authentication workflow will definitely change to OAuth2 device code grant flow.
+
+Here is the link to the official announcement: [Tado Support Article - How do I authenticate to access the REST API?](https://support.tado.com/en/articles/8565472-how-do-i-authenticate-to-access-the-rest-api)
+
+Now, you have to use the `TADO_CREDENTIALS_FILE` or `TADO_REFRESH` variables to authenticate.
+You can find more documentation on how to authenticate in the [**Libtado - CLI Configuration**](https://libtado.readthedocs.io/en/latest/cli/configuration/) documentation.
+
 ## Installation
 
 You can download official library with `pip install libtado`.
@@ -26,53 +35,65 @@ git clone https://github.com/germainlefebvre4/libtado.git
 
 Please check out [https://libtado.readthedocs.io](https://libtado.readthedocs.io) for more documentation.
 
-## Preparation
+## Usage
 
-Retrieve the `CLIENT_SECRET` before running the script otherwise you will get a `401 Unauthorized Access`.
+Download the repository. You can work inside it. Beware that the examples assume that they can access the file `./libtado/api.py`.
 
-The latest `CLIENT_SECRET` can be found at [https://my.tado.com/webapp/env.js](https://my.tado.com/webapp/env.js).  It will look something like this:
+Define a location and filename that will hold the credentials (refresh token) of your Tado login.
 
-```js
-var TD = {
-    config: {
-        version: 'v588',
-        oauth: {
-          clientSecret: 'wZaRN7rpjn3FoNyF5IFuxg9uMzYJcvOoQ8QWiIqS3hfk6gLhVlG57j5YNoZL2Rtc'
-        }
-    }
-};
-```
+It is recommended to use a directory that only your application has access to, as the credentials file
+holds sensitive information!
 
-An alternative way to get your `CLIENT_SECRET` is to enable the Developper Mode when logging in and catch the Headers. You will find the form data like this :
+Now you can call it in your Python script!
 
-```yaml
-client_id: tado-web-app
-client_secret: fndskjnjzkefjNFRNkfKJRNFKRENkjnrek
-grant_type: password
-password: MyBeautifulPassword
-scope: home.user
-username: [email protected]
-```
+```python
+import libtado.api
+import webbrowser   # only needed for direct web browser access
 
-Then you just have to get the value in the attribute `client_secret`. You will need it to connect to your account through Tado APIs. The `client_secret` never dies so you can base your script on it.
+# TODO check
+t = api.Tado(token_file='/tmp/.libtado_refresh_token.json')
+# OR: t = api.Tado(saved_refresh_token='my_refresh_token')
 
-## Usage
+status = t.get_device_activation_status()
 
-Download the repository. You can work inside it. Beware that the examples assume that they can access the file `./libtado/api.py`.
+if status == "PENDING":
+    url = t.get_device_verification_url()
 
-Now you can call it in your Pyhton script!
+    # to auto-open the browser (on a desktop device), un-comment the following line:
+    # webbrowser.open_new_tab(url)
 
-```python
-import libtado.api
+    t.device_activation()
+
+    status = t.get_device_activation_status()
+
+if status == "COMPLETED":
+    print("Login successful")
+else:
+    print(f"Login status is {status}")
 
-t = api.Tado('[email protected]', 'myPassword', 'client_secret')
 
 print(t.get_me())
 print(t.get_home())
 print(t.get_zones())
 print(t.get_state(1))
 ```
 
+The first time, the script will tell you to login to your Tado account.
+
+It will show an output like:
+
+```raw
+Please visit the following URL in your Web browser to log in to your Tado account: https://login.tado.com/oauth2/device?user_code=1234567
+Waiting for you to complete logging in. You have until yyyy-MM-dd hh:mm:ss
+.
+```
+
+Complete your login before the time indicated.
+
+Afterwards, the script should print the information from your Tado home.
+
+If using the `token_file`, the next time you should not have to sign in.
+
 ## Examples
 
 An example script is provided in the repository as `example.py`.

check.py

@@ -4,12 +4,23 @@
 from dotenv import load_dotenv
 load_dotenv()
 
+TADO_REFRESH_TOKEN = os.environ["TADO_REFRESH_TOKEN"]
+TADO_CREDENTIALS_FILE = os.environ["TADO_CREDENTIALS_FILE"]
 
-TADO_USERNAME = os.environ["TADO_USERNAME"]
-TADO_PASSWORD = os.environ["TADO_PASSWORD"]
-TADO_CLIENT_SECRET = os.environ["TADO_CLIENT_SECRET"]
+tado = Tado(TADO_REFRESH_TOKEN, TADO_CREDENTIALS_FILE)
 
-tado = Tado(TADO_USERNAME, TADO_PASSWORD, TADO_CLIENT_SECRET)
+status = tado.get_device_activation_status()
+if status == "PENDING":
+    url = tado.get_device_verification_url()
+
+    tado.device_activation()
+
+    status = tado.get_device_activation_status()
+
+if status == "COMPLETED":
+    print("Login successful")
+else:
+    print(f"Login status is {status}")
 
 # print(tado.get_me())
 # print(tado.get_home())

docs/api/usage.md

@@ -5,7 +5,7 @@ Usage:
 ``` { .python .select .copy }
 import libtado.api
 
-api = tado.api('Username', 'Password')
+api = tado.api(token_file_path='/path/to/a/secure/folder/tado-credentials.json')
 ```
 
 For API Reference see [API Reference](../api/reference.md)

docs/cli/configuration.md

@@ -1,5 +1,9 @@
 # CLI Configuration
 
+!!! warning
+
+    The variables `TADO_USERNAME` and `TADO_PASSWORD` and `TADO_CLIENT_SECRET` are deprecated. Use `TADO_CREDENTIALS_FILE` or `TADO_REFRESH_TOKEN` instead.
+
 ## Configuration File
 
 There is no configuration file. No need.
@@ -8,9 +12,12 @@ There is no configuration file. No need.
 
 The following environment variables are supported:
 
-* `TADO_USERNAME` - Tado username
-* `TADO_PASSWORD` - Tado password
-* `TADO_CLIENT_SECRET` - Tado client secret
+* `TADO_CREDENTIALS_FILE` - Path to a file which holds your Tado credentials. Be careful: do not share this file with others.
+* `TADO_REFRESH_TOKEN` - Tado refresh token, from previous login. Valid for one-time use only.
+
+!!! note
+
+    The variables `TADO_CREDENTIALS_FILE` and `TADO_REFRESH_TOKEN` are mutually exclusive. If both are set, an error will be raised.
 
 Environment variables can be set up in multiples ways:
 

docs/cli/usage.md

@@ -13,16 +13,21 @@ Usage: tado [OPTIONS] COMMAND [ARGS]...
 
     This script provides a command line client for the Tado API.
 
-    You can use the environment variables TADO_USERNAME and TADO_PASSWORD
-    instead of the command line options.
+    You can use the environment variables TADO_REFRESH_TOKEN and
+    TADO_CREDENTIALS_FILE instead of the command line options.
+
+    The first time you will have to login using a browser. The command
+    will show an URL to perform the login.
+
+    If using the credentials-file option or variable, the login will
+    be stored so you don't have to do this next time.
 
     Call 'tado COMMAND --help' to see available options for subcommands.
 
 Options:
-    -u, --username TEXT       Tado username  [required]
-    -p, --password TEXT       Tado password  [required]
-    -c, --client-secret TEXT  Tado password  [optional]
-    -h, --help                Show this message and exit.
+    -f, --credentials-file TEXT   Full path to a file in which the Tado credentials will be stored and read from [optional]
+    -t, --refresh-token TEXT      A Tado refresh token, retrieved from prior authentication with Tado [optional]
+    -h, --help                    Show this message and exit.
 
 Commands:
     capabilities        Display the capabilities of a zone.

docs/faq.md

@@ -1,28 +1,18 @@
 # FAQ
 
-## How to retrieve the client secret
+## Why variables `TADO_USERNAME` and `TADO_PASSWORD` are not working anymore?
 
-### Option #1: Do nothing
+Starting the 21st of March 2025, the Tado authentication workflow will definitely change to OAuth2 device code grant flow.
 
-The library wil automatically retrieve the client secret on following the steps at *Options #2*.
+!!! info
 
-### Option #2: From the application `env.js`
+    Here is the link to the official announcement: [Tado Support Article - How do I authenticate to access the REST API?](https://support.tado.com/en/articles/8565472-how-do-i-authenticate-to-access-the-rest-api)
 
-Retrieve the `CLIENT_SECRET` before running the script otherwise you will get a `401 Unauthorized Access`. The latest `CLIENT_SECRET` can be found at \[<https://my.tado.com/webapp/env.js>\](<https://my.tado.com/webapp/env.js>). It will look something like this:
+The direction that Tado is taking is to enforce security and privacy by using OAuth2. This is a good thing, as it will prevent the need to store your username and password in plain text in your environment variables.
+But the consequences of that change are that library handles differently the authentication process.
 
-### Option #3: From the developer mode
+!!! warning
 
-An alternative way to get your `CLIENT_SECRET` is to enable the Developper Mode when logging in and catch the Headers. You will find the form data like this:
+    Now, you have to use the `TADO_CREDENTIALS_FILE` or `TADO_REFRESH` variables to authenticate.
 
-```json
-{
-    client_id: tado-web-app
-    client_secret: fndskjnjzkefjNFRNkfKJRNFKRENkjnrek
-    grant_type: password
-    password: MyBeautifulPassword
-    scope: home.user
-    username: [email protected]
-}
-```
-
-Then you just have to get the value in the attribute `client_secret`. You will need it to connect to your account through Tado APIs. The `client_secret` never dies so you can base your script on it.
+You can find more documentation on how to authenticate in the [**CLI Configuration**](./cli/configuration.md) section.

docs/getting-started/usage.md

@@ -3,15 +3,33 @@
 After you installed libtado you can easily test it by using the included [`cli`](../cli/usage.md) like this:
 
 ``` { shell .copy }
-tado --username USERNAME --password PASSWORD whoami
+tado --credentials-file /path/to/a/secure/folder/tado-credentials.json whoami
 ```
 
 To use the library in your own code you can start with this:
 
 ``` python
 import libtado.api
-t = tado.api('Username', 'Password')
-print(t.get_me())
+import webbrowser   # only needed for direct web browser access
+
+t = tado.api(token_file_path='/path/to/a/secure/folder/tado-credentials.json')
+
+status = t.get_device_activation_status()
+
+if status == "PENDING":
+    url = t.get_device_verification_url()
+
+    # to auto-open the browser (on a desktop device), un-comment the following line:
+    # webbrowser.open_new_tab(url)
+
+    t.device_activation()
+
+    status = t.get_device_activation_status()
+
+if status == "COMPLETED":
+    print("Login successful")
+else:
+    print(f"Login status is {status}")
 ```
 
 Check out `all available API methods <api>` to learn what you can to with libtado.

docs/index.md

@@ -12,7 +12,7 @@ hide:
   }
 </style>
 
-![Image title](./logo.png){: .center width=600 }
+![Libtado Logo](./logo.png){ .center width=400 style="display: block; margin-left: auto; margin-right: auto;" }
 
 **libtado** is a simple Python library that provides methods to control the smart heating devices from the German company [tado GmbH](https://www.tado.com)[^1]. It uses the undocumented REST API of their website.
 
@@ -22,7 +22,7 @@ The source code is hosted on [GitHub](https://github.com/germainlefebvre4/libtad
 
 ## License
 
-> Copyright &copy; 2023 Germain Lefebvre, Max Rosin
+> Copyright &copy; 2025 Germain Lefebvre, Max Rosin
 >
 > This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 >