Tado outdated requests


This morning I received an email from Tado

"We have noticed a number of outdated requests for home data to the tado° cloud from your account. These requests are unlikely to have been generated by current versions of tado° apps or devices. If you have set up an open source or commercial home automation system not listed on our smart home integration page, or you are still using a very old version of the tado° app, please follow the instructions at the end of the email.  

These particular requests to our tado° servers use an outdated and insecure form of authentication. (In technical terms: these requests append the username and password as query parameters to each request, e.g. https://my.tado.com/api/v2/me?username=myUsername&password=myPassword)

Please note that this outdated form of authentication will soon stop working. We plan on disabling it on February 12th 2024."


I regularly use the Home Assistant integration with Tado (and can't remember using any other random apps) so does this mean Home Assistant will stop working with Tado next month?

Comments

  • pcone

    I have Tado linked to my Home Assistant using the standard integration and have not had this email. (https://www.home-assistant.io/integrations/tado/)

    When did you set yours up? I wonder if you have an old integration?

  • Alsoff

    Thanks pcone.

    Thinking about it, I now remember trying to access the api using a browser when I was originally setting up the tado integration on home assistant. HA wasn't accepting my password and I wanted to verify URL escape codes for special characters. Hopefully it is just that they've found in a log somewhere.

  • huskycgn
    edited January 24

    I am running a Python script getting temp data from tado and writing that into a database.

    They do mention an article in that mail how to fix this:

    But I can't log into the auth-page they refer to: https://auth.tado.com/oauth/token

    Neither does "public-api-preview" work, nor is my personal tado login working.

    I don't know how to proceed from here.

  • Peter_Tado

    This issue has been fixed in a recent HomeAssistant version (also compare https://github.com/home-assistant/core/issues/108773 for the same question there). If HomeAssistant is updated to at least version 2024.1 it should continue working as before.


    @huskycgn you don't navigate to this page, but you have to do a programmatic REST request to that URL from your script with the respective parameters (client_id, username, ...).

  • huskycgn

    Okay - how to get "Client ID" and "Client Secret" then?

    I can't find that.

    I am just using username and password as of now in the script.

  • Peter_Tado

    You can find client id and client secret in the help article that's linked from the email 🙂 It shows the full request including client id (public-api-preview) and secret.

  • huskycgn

    So... it's the same Client ID and Client Secret for everyone?

  • huskycgn

    Whoever googles their way to solve the problem, here is my working Python code:

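    import requests

    def get_tado_secret():
        """Request an OAuth token from tado using the password grant."""
        endpoint = "https://auth.tado.com/oauth/token"
        client_id = "public-api-preview"
        client_secret = "4HJGRffVR8xb3XdEUQpjgZ1VplJi6Xgw"

        parameters = {
            "username": "your@mail.com",
            "password": "yourloginpasswordyouuseforweb",
            "client_id": client_id,
            "client_secret": client_secret,
            "grant_type": "password",
        }

        # Send the fields as a form-encoded POST body (data=), not as query
        # parameters (params=), so the password stays out of the URL.
        response = requests.post(url=endpoint, data=parameters, timeout=10)
        response.raise_for_status()  # fail loudly if the login is rejected
        return response.json()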
    

    As outlined by Peter, client_id and client_secret are constants.
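
Added example, not part of the thread or of tado's documentation: the email objects to credentials carried in query parameters, and the same concern applies to how a script builds its token request. This standard-library sketch builds the request both ways without sending it, reports which secrets end up in the URL, and redacts a URL before it is logged. The helper names and sample credentials are constructed for illustration.

```python
# Added example: standard library only, no network call is made.
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

TOKEN_URL = "https://auth.tado.com/oauth/token"  # endpoint named in the thread
SENSITIVE = {"password", "client_secret", "refresh_token", "access_token"}


def build_token_request(fields, in_body=True):
    """Build (but do not send) a POST to the token endpoint."""
    encoded = urlencode(fields)  # percent-encodes '@', '&', spaces, ...
    if in_body:
        # Form-encoded body: secrets stay out of the URL.
        return Request(
            TOKEN_URL,
            data=encoded.encode("ascii"),
            headers={"Content-Type": "application/x-www-form-urlencoded"},
            method="POST",
        )
    # Query-string variant: same fields, now part of the URL itself.
    return Request(f"{TOKEN_URL}?{encoded}", data=b"", method="POST")


def secrets_in_url(url):
    """Sorted names of sensitive parameters found in a URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(SENSITIVE.intersection(query))


def redact_url(url):
    """Copy of the URL suitable for logs: sensitive query values replaced."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    safe = {k: (["REDACTED"] if k in SENSITIVE else v) for k, v in query.items()}
    return parts._replace(query=urlencode(safe, doseq=True)).geturl()


SAMPLE = {  # constructed values, not real credentials
    "grant_type": "password",
    "client_id": "public-api-preview",
    "client_secret": "EXAMPLE-SECRET",
    "username": "user@example.com",
    "password": "p@ss word&1",
}
```

Calling `secrets_in_url(build_token_request(SAMPLE, in_body=False).full_url)` lists the parameters that proxy and server access logs would record; the body variant returns an empty list.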

  • Peter_Tado

    Yes, exactly, happy you could solve it 😃