Deauthorizing third-party apps that use Sonos API?

  • 25 September 2021
  • 9 replies
  • 113 views

I tried out https://speakerscenes.com/, just to see what the offering was. I’d now like to de-authorize this app (since it accesses my Sonos setup through the API). However, I don’t see any settings in my Sonos app, the Sonos website, or this third-party app. Any ideas or suggestions?


9 replies

Userlevel 7
Badge +22

Yeah when the Sonos auth stuff was rolled out we were promised there would be a way to un-link services that used it, but it never happened.

I believe you need to contact Sonos support directly for them to un-link it.

Hi,


Just been going through forums on this topic. This is effectively a very big security issue.

As a developer, anyone can create an app or website enticing novice users to sign up to cloud solutions.

Sonos's business model is for those who want a plug-and-play system. The tech-savvy will have far more options vs those who want turnkey solutions; I feel those who sign up to the cloud API solutions are realising too late that it is a one-way street.

Ultimately once the user gives authorisation, they don't have sight of who has authorised access.

Apps/websites can swap hands, developer ethics could change, people forget.

Really don't understand why we can't see, in the app or some kind of portal, where each authorisation has been given and, if need be, revoke the authorisation. This control should be in the hands of the user and not a helpdesk call to Sonos.

To clarify: how does a user even know which providers they have chosen to give access to over the last 2 years? 😳

Sonos: seriously, this should go much higher up in the development roadmap. Helpdesk is not the solution.

I work in UK healthcare and value the privacy of patient data and the control elements that we need to plan for (maybe that's why the current Sonos approach shocked me).

Hope you read this, but I see 3 years and still no progress. Personally, I stopped short when the OAuth authorisation appeared and I immediately thought about how to revoke. Most users won't, and they will forget after trying the novelty.


Although it's understandably not a completely satisfactory solution, if you are concerned about cloud access to your system that you no longer want, couldn't this be resolved by changing your Sonos account password? Yes, you have to re-enter the password for whatever services you do want to maintain, but it would stop unwanted access.

Personally, I am not terribly concerned about access. Most of the apps/services I've used do not actually have access to Sonos through the cloud, but can only access Sonos while connected to my local WiFi network. The exception being voice assistants. Either way though, Sonos is a music player, not access to personal health records.

Hi Danny,

Appreciate your take on it; it's probably my OCD, looking at the broader scope-creep scenarios and the lack of transparency for users.

The way I have used API keys previously is usually independent of password changes, i.e. service providers can continue to access your devices irrespective of password changes. OAuth 2.0 introduced features such as auto-revoke on password change, but I don't (happy to be corrected) think that's what Sonos does.

Sonos only has one API: playback-control-all

So future changes would be implemented in that API unless Sonos chooses to create a lower level API.

Previously, as a single person, I had no concerns, but as an older family man now I think I'm a little more cautious about the music system in my kids' room. If you look at the API you can see it's got a wide range of abilities, allowing approved cloud access from my carefree younger days to follow me.

Over time APIs can change, as can personal circumstances, and what is OK today might not be OK tomorrow.

If the app showed me, then great, but as it stands I have no visibility of those youthful decisions.

That transparency is what I see on my Alexa devices, my SmartThings and various other IoT devices.

I'm just putting my thoughts out, and these are my personal views that might not be shared by the majority.

Don't think there is an easy solution today. Stuff like this is not sexy in the feature world, so I get why it's low on the agenda. Just hope someone at Sonos notes that maybe it's an action that should be revisited.

Userlevel 7
Badge +22

Although it's understandably not a completely satisfactory solution, if you are concerned about cloud access to your system that you no longer want, couldn't this be resolved by changing your Sonos account password?

I am not sure changing your password will help in this case. The token that the API client gets will remain valid after a password change, as I recall. It might fail to refresh after the default expiration time runs out, but I can't remember testing that case.

Sonos really should have a page listing all services associated with your account, and a way of deleting them. It is basic OAuth2.
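The two mechanics discussed in this thread (the earlier point that an API grant is normally independent of a password change, and the reply above that listing and revoking connected services is basic OAuth2) can be shown in a few dozen lines. The following is an added toy model of an OAuth 2.0 authorization server's grant store; it is not Sonos code and says nothing about how Sonos actually implements its service. The client id, scope string, token TTL and the opaque random token format are assumptions for illustration. It shows that a bearer/refresh token keeps working after the password changes because the two pieces of state are simply unrelated on the server, and that what the thread is asking for is a per-user view of the grant table plus a revoke operation (RFC 7009 semantics: revoking a refresh token kills every access token issued under it).

```python
"""Toy OAuth 2.0 authorization-server state: per-user grants to third-party
clients, token issuance/refresh, and revocation.

Added example, not Sonos's implementation. Client ids, scopes, TTL and the
opaque-token format are assumed values for illustration only.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

ACCESS_TOKEN_TTL = 3600  # seconds; assumed value


@dataclass
class Grant:
    """One user's consent to one client, with the tokens issued under it."""
    client_id: str
    scope: str
    refresh_token: str
    access_tokens: dict = field(default_factory=dict)  # token -> expiry (epoch)


class AuthorizationServer:
    def __init__(self):
        self.password_hash = {}  # user -> sha256 hex (toy; use a real KDF in practice)
        self.grants = {}         # user -> {client_id: Grant}

    def set_password(self, user, password):
        # Deliberately does NOT touch self.grants: unless a server explicitly
        # links grants to the credential, a password change leaves every
        # issued refresh/access token valid. That is the behaviour the
        # thread is discussing.
        self.password_hash[user] = hashlib.sha256(password.encode()).hexdigest()

    def authorize(self, user, client_id, scope):
        """User consents on the consent screen; client receives refresh + access token."""
        g = Grant(client_id, scope, secrets.token_urlsafe(32))
        self.grants.setdefault(user, {})[client_id] = g
        return g.refresh_token, self._issue_access(g)

    def _issue_access(self, grant):
        tok = secrets.token_urlsafe(32)
        grant.access_tokens[tok] = time.time() + ACCESS_TOKEN_TTL
        return tok

    def _find_grant(self, refresh_token):
        for user_grants in self.grants.values():
            for g in user_grants.values():
                if secrets.compare_digest(g.refresh_token, refresh_token):
                    return g
        return None

    def refresh(self, refresh_token):
        """Client trades its refresh token for a new access token; None if the grant is gone."""
        g = self._find_grant(refresh_token)
        return self._issue_access(g) if g else None

    def introspect(self, access_token):
        """Resource-server check: (user, client_id, scope) for a live token, else None."""
        now = time.time()
        for user, user_grants in self.grants.items():
            for g in user_grants.values():
                exp = g.access_tokens.get(access_token)
                if exp is not None and exp > now:
                    return user, g.client_id, g.scope
        return None

    def list_authorized_clients(self, user):
        """The missing 'connected apps' page: every client still holding a grant."""
        return sorted(self.grants.get(user, {}))

    def revoke_client(self, user, client_id):
        """RFC 7009-style revocation of the grant: refresh token and all its access tokens die."""
        return self.grants.get(user, {}).pop(client_id, None) is not None


def walkthrough():
    """Runs the scenario from the thread and returns what each step observed."""
    srv = AuthorizationServer()
    srv.set_password("alice", "correct horse")              # constructed user
    rt, at = srv.authorize("alice", "speakerscenes", "playback-control-all")
    out = {"valid_before": srv.introspect(at) is not None}

    srv.set_password("alice", "battery staple")             # password change
    out["valid_after_password_change"] = srv.introspect(at) is not None
    out["refresh_after_password_change"] = srv.refresh(rt) is not None
    out["clients_listed"] = srv.list_authorized_clients("alice")

    out["revoked"] = srv.revoke_client("alice", "speakerscenes")
    out["valid_after_revoke"] = srv.introspect(at) is not None
    out["refresh_after_revoke"] = srv.refresh(rt) is not None
    out["clients_after_revoke"] = srv.list_authorized_clients("alice")
    return out


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The point of `walkthrough()` is the contrast between the two halves: changing the password changes `password_hash` and nothing else, so both the existing access token and a refresh keep succeeding; revoking the grant is the only operation that makes `introspect` and `refresh` return `None`. Whether a given provider also wipes grants on password change is a policy choice on top of this, which is why the thread's "change your password" suggestion cannot be assumed to work.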

Thanks all. Per controlav’s earlier reply, I did reach out to Sonos support, and asked them to de-authorize any 3P apps that were using the API. Sadly, they said they couldn’t, and encouraged me to contact the app developer(s) directly. Problem is, the developer’s support email is no longer active. I emphasized to Sonos that [list of authorized 3P apps] should really be part of the My Account page. Alas.

Userlevel 7
Badge +20

I’ve avoided doing any development against the Sonos Cloud API until the facility to revoke API access is provided.

Userlevel 7
Badge +22

Thanks all. Per controlav’s earlier reply, I did reach out to Sonos support, and asked them to de-authorize any 3P apps that were using the API. Sadly, they said they couldn’t, and encouraged me to contact the app developer(s) directly. Problem is, the developer’s support email is no longer active. I emphasized to Sonos that [list of authorized 3P apps] should really be part of the My Account page. Alas.


That is a BS answer, does nothing for rogue integrations (or vanished integrators in your case). Suggest you ask on the developer email address listed here: https://developer.sonos.com/support/

Although it's understandably not a completely satisfactory solution, if you are concerned about cloud access to your system that you no longer want, couldn't this be resolved by changing your Sonos account password?

I am not sure changing your password will help in this case. The token that the API client gets will remain valid after a password change, as I recall. It might fail to refresh after the default expiration time runs out, but I can't remember testing that case.

Sonos really should have a page listing all services associated with your account, and a way of deleting them. It is basic OAuth2.


I'll take your word for it, as I am not familiar with OAuth2 or any of the programming and standards around the API. As far as I know, the only cloud access to my system is via Google or Amazon, and I can remove access from their apps. And I was pretty sure changing the password would disable the access... but I don't recall ever testing that theory. I certainly have had other integration points between smart home products fail because of password changes, though.
