Authorization

The Miele 3rd Party API supports the OAuth2 Authorization Code Grant Flow as shown in the simplified figure below.

The client application requests authorization to access the Miele 3rd Party API

| Key | Explanation | Comment |
| --- | --- | --- |
| client_id | The client ID you received after the registration | |
| response_type | Indicates that your application expects to receive an authorization code | |
| redirect_uri | Indicates the URI to return the user to after authorization is complete | |
| state | A random string generated by your application, which you'll verify later | optional |

The user authorizes access with user name, password and the name of the Miele subsidiary with which their Miele account is registered. For this purpose, the authorization server redirects the user to a special website, where the user finally gives explicit consent to use the API.

| Key | Explanation | Comment |
| --- | --- | --- |
| e-mail | The e-mail address belonging to the Miele user account | |
| password | The corresponding password | |
| country | The Miele subsidiary the Miele user account belongs to | |

The Authorization server redirects to the client application and passes the authorization code

| Key | Explanation | Comment |
| --- | --- | --- |
| code | The server returns the authorization code in the query string | |
| state | The server returns the same state value that you passed | optional |

The client application requests an access_token by using the authorization code. In addition to the parameters of a pure OAuth2 implementation, the additional parameter vg is necessary.

| Key | Explanation | Comment |
| --- | --- | --- |
| client_id | The client ID you received after the registration | |
| client_secret | The client secret you received after the registration | |
| vg | The code of the Miele subsidiary your Miele account is registered to (e.g. de-DE, en-EN, nl-NL ...) | |
| code | The authorization code returned earlier by the authorization server | |
| grant_type | The grant type for this flow is authorization_code | |
| redirect_uri | Must be identical to the redirect URI provided in the original link | |

The Authorization server returns the access token

| Key | Explanation | Comment |
| --- | --- | --- |
| access_token | The access_token for the subsequent API calls | |
| refresh_token | The refresh_token to refresh the access_token before it becomes invalid | |
| token_type | The type of the access_token, always BEARER | |
| expires_in | The period of validity of the tokens in seconds | |

The client application has to use the access_token for all subsequent API calls

| Key | Explanation | Comment |
| --- | --- | --- |
| access_token | The access_token for every single API call | |

The Resource Server returns the requested resources
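
The client side of this flow, as an added example that is not part of the original page or Miele's own code: it builds the authorization request, checks the returned state in the callback before accepting the code, and assembles the token request including vg. The endpoint URLs are placeholders, the function names are hypothetical, and sending the token request as a form-encoded POST is assumed from standard OAuth2.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder endpoints (assumptions): the page does not give the real URLs.
AUTHORIZE_URL = "https://auth.example.invalid/authorize"
TOKEN_URL = "https://auth.example.invalid/token"


def build_authorization_url(client_id, redirect_uri):
    """Authorization request: return (url, state). Keep state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, one value per login attempt
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Redirect back to the client: return the code, rejecting a bad state."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])
    code = params.get("code", [""])
    # Exactly one value each; duplicated parameters are treated as tampering.
    if len(state) != 1 or len(code) != 1 or not code[0]:
        raise ValueError("malformed callback")
    # Constant-time comparison against the value stored for this session.
    if not expected_state or not hmac.compare_digest(
            state[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return code[0]


def build_token_request(client_id, client_secret, vg, code, redirect_uri):
    """Token request: return (url, form_body) for the POST to the token endpoint."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # server-side only, never in a browser
        "vg": vg,  # Miele subsidiary code, e.g. de-DE
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,  # must match the authorization request
    })
    return TOKEN_URL, body
```

Although the tables mark state as optional, sending it and rejecting any callback whose state does not match the stored value is what ties the returned code to the login the user actually started.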