Overview

How can your service users and ThinQ device users be integrated? How can your service get authorization from users to access and use their data on the ThinQ Platform? For all this and more, the LG EMP provides you with an API based on the OAuth 2.0 standard.

What is LG EMP?

The LG Electronics Enterprise Membership Platform (EMP) is a member management platform providing services related to LG Electronics. The EMP enables you to log in with LG account, or a 3rd party account linked with the LG account, and use the services provided by LG Electronics or LG Electronics partners.

Key Features

The EMP provides an authorization framework based on the Authorization Code Grant Type over various methods of the OAuth 2.0 standard. Your service can request the followings by calling APIs provided by the EMP.

  • Web login linked to an LG account
  • Issuance of access tokens and refresh tokens
  • Re-issuance of access tokens

Authorization Code Grant Type

The EMP uses Authorization Code Grant Type over various methods of the OAuth 2.0 standard. This method is mainly used for applications that run on a web server, such as your service, and includes interaction with a web browser (user agent). If the service requests a login process from the EMP, the EMP redirects the user to the login page. Once the login has been completed, the EMP redirects the user's web browser to the promised redirect URI. At that time, the redirect URI includes an authorization code.

Using the code, the service can obtain an access token on request from EMP, and then access the user resources by presenting the token.

Benefits

The EMP provides the following benefits for ThinQ service users and providers.

  • Service user
    • Once you register your device on the ThinQ app, you can use various services provided by LG Electronics or LG Electronics partners.
  • Service provider
    • You can provide services to ThinQ device users worldwide by linking services with the EMP and the ThinQ Platform.

emp_benefit

 

Basic Concept

Let's assume that you provide a service to control an air conditioner. What process is required before a ThinQ air conditioner can be used?

EMP_overall-diagram 

A. Registering the air conditioner on the ThinQ Platform (User/LG ThinQ app)

  1. The user registers and logs into an account linked to an LG account.
  2. The user registers the air conditioner.

→ The user's air conditioner is registered on the ThinQ Platform.

B. Service login and access token issuance (User/Service/LG EMP)

  1. The user requests to log in to the service.
  2. The service requests the login process from the EMP. (→ The EMP redirects the user to a secure login page, and prompts the user to log in.)
  3. The user logs in. (→ The EMP returns the user to the service and issues an authorization code.)
  4. The service sends the authorization code to the EMP and requests an access token.
  5. The EMP issues an access token to the service.

→ The service receives an access token from the EMP.

C. Air conditioner control (User/Service/LG ThinQ Platform)

  1. The user sends a request to the service to control the air conditioner.
  2. The service sends a request to the ThinQ Platform to control the air conditioner. Upon request, the service needs to send an access token issued by the EMP.
  3. The ThinQ Platform communicates with the EMP to check the following:
    • Which user is making the request?
    • Is the access token valid? (Has the unexpired token been authorized by the corresponding user?)
  4. If the access token is valid, the ThinQ Platform controls the air conditioner and sends the results to the service.
  5. The service then provides the result to the user.

→ The service sends a request to the ThinQ Platform to control the user's air conditioner with an access token.

Interaction Between Service, EMP, and ThinQ Platform

The above procedure can be explained briefly in the terms of service.

  1. The service requests the following to the EMP.
    • The service requests the login process so that a user can log in to the service.
    • If the user logs in, the service receives an access token from the EMP.
  2. The service requests the ThinQ Platform to perform a task related to the user's device. Upon request, the service needs to send an access token issued by the EMP.
    • E.g.) Tasks that can be requested from the ThinQ Platform through the ThinQ Connect API
      • Retrieve the list of devices registered by a user.
      • Retrieve the current status of the air conditioner (e.g., retrieve the target temperature).
      • Send a control command to the air conditioner (e.g., increase the air conditioner temperature by 1 degree).
      • Subscribe to push notifications for the air conditioner (e.g., a filter replacement notification).

Basic Workflow 

Interaction between the service and the EMP follows the OAuth 2.0 protocol.

OAuth 2.0 Protocol

OAuth 2.0 Basic

The following four roles are required to configure the OAuth 2.0 protocol.

  • Resource owner (user) 
    • The authority that grants permission to use its resources protected on the resource server
    • This refers to the application user.
  • Application
    • Requests authorization from the authorization server and is issued an access token. And then, it presents an access token to the resource server and requests resources from the resource owner.
    • This refers to applications in general, your service being one of them.
  • Authorization server
    • Authenticates that an application has been authorized by the resource owner, and issues an access token to the application.
  • Resource server
    • Provides user resources to applications.
    • Only when an application sends a request with a valid access token is the request accepted. It will then provide the user's resources to the application.

These interact with each other according to the following basic flow.

  1. Request authorization
    • An application requests authorization from the resource owner (user). 
  2. Grant Authorization
    • When a user approves the authorization, the application is granted with authorization.
  3. Request Access token with Authorization Grant
    • The application requests an access token from the authorization server with granted authorization.
  4. Issue Access Token
    • The authorization server issues an access token to the application.
  5. Request Protected Resource with Access Token
    • The application requests the user's resources from the resource server by presenting the access token.
  6. Serve Protected Resource
    • If the access token is valid, the resource server provides the application with the user's resources.

EMP Basic Workflow

Let's use the OAuth 2.0 protocol for your situation. What are your services? What roles do the EMP and the ThinQ Platform play?

emp_basic-workflow

OAuth 2.0

Service/ EMP/ ThinQ Platform

Description

Application

Service (Partner Server)

  • Your service

Resource Owner
(User)

User

  • An owner of ThinQ device and service user
  • Registers a device in the ThinQ App and authorizes the service to use the device data.

Authorization Server

EMP (LG Server)

  • Authenticates that the service has been authorized by the user and issues an access token.

Resource Server 

ThinQ Platform (LG Server)

  • A server that provides the user's resources (ThinQ device data, etc.) to the service.
  • Performs the requested action only if the service requested it with a valid access token.

ThinQ Platform

A platform that encompasses a wide range of technologies related to LG ThinQ devices such as AI/IoT/Cloud, consisting of multiple complex servers. It provides various APIs (Application Programming Interfaces) for LG partner services that work with ThinQ devices. For example, a partner service can use the ThinQ Connect APIs to request the following actions:

  • User's device list inquiry
  • Device status inquiry
  • Device Control
  • Device push notification subscription/unsubscription, etc.

The basic flow is as follows:

Request Authorization

Your service asks the user for permission to use the user's device registered on the ThinQ Platform.

  • The service requests a login from the EMP.
  • The EMP redirects the user's web browser (user agent) to the login URI and offers the login to the user.

Grant Authorization

If the user logs in, your service is authorized by the EMP.

  • The user logs in.
  • The EMP redirects the user's web browser to the redirect URI previously provided by the service.
  • An authorization code is issued to the service.

Request Access token with Authorization Grant.

Your service requests an access token from the EMP using the authorization code issued by the EMP.

  • The service extracts an authorization code from the redirect URI returned by the EMP.
  • The code is sent to the EMP to request an access token.

Issue Access Token

The EMP issues an access token to your service.

  • The EMP verifies the verification code.
  • An access token is issued to the service.

Request Protected Resource with Access Token

Your service presents an access token and requests the ThinQ Platform to perform a task linked to the user's device. (e.g., increase air conditioner temperature by 1 degree.)

  • The service must pass on an access token as a parameter when calling the ThinQ Platform API.

Serve Protected Resource

If the access token is valid, the ThinQ Platform interacts with the air conditioner to execute a command, then replies with the result to your service.

  • The ThinQ Platform communicates with the EMP to verify that the access token is valid.
  • If the token is valid, the ThinQ Platform carries out the request and replies with the result.

How to Develop with EMP?

Development Process

You can carry out development by linking your service (app) with the EMP as follows:

1. Discussion on how to link the EMP

First, discuss with your LG representative how your service should be linked with the EMP. They will provide more information pertaining to your situation and needs.

2. Issuance of an EMP App Key 

Request that your LG representative issue an App Key for your service, and get the information you need.

App Key

An identifier used by the EMP to identify and authorize a service (app), also known as client_id.

3. Development linked with the EMP

Please refer to the documents provided on the developers site, as well as information provided to you by your LG representative, to develop and link your service with the EMP.

EMP sign-in methods can be broadly divided into the following:

  • When signing in with an LG account
  • When signing in with a third-party account 
    • When using EMP web sign-in
    • When using an App SDK provided by a third party
When signing in with an LG account
  1. Your service (app) enters the EMP sign-in page by calling an EMP API.
  2. A user signs in by entering an ID/password for the LG account.
  3. 사용자는 LG계정의 ID/PW를 입력하여 로그인합니다.
  4. The EMP returns an authorization code of the sign-in user to your service (app).
  5. The service (app) receives an access token with the authorization code.
When signing in with a third-party account 
1) When using EMP web sign-in

This method uses the EMP Front to process both the authentication of a third-party account and the EMP sign-in.

Supported Accounts

Only the following third-party accounts are supported.

  • Google Account
    • Use the Chrome Custom tab recommended by Google or use the SFSafariViewController. Do NOT use the WebView.
  • Facebook Account
  • Amazon Account 
  • Naver Account (Only allowed within South Korea) 
  1. Your service (app) enters the EMP sign-in page by calling an EMP API.
  2. A user selects the type of a third-party account to be used for sign-in.
  3. The EMP requests an authentication page for the third-party account type selected by the user.
  4. The user enters the ID/password for the third-party account to sign in.
  5. Once the authentication is complete, the EMP returns an authorization code.
  6. The service (app) receives an access token with the authorization code.
2) When using an App SDK provided by a third party

This method allows a user to sign in with a third-party account through a third-party App SDK.

LG Electronics is not responsible for any problem caused by 3rd party-dependent changes (e.g., account policy change, API version change, terminal OS update, etc.), and you need to perform the correction and verification in the service (app).

Supported Accounts

Only the following third-party accounts are supported.

  • Google Account  
  • Facebook Account
    • You need to register your service (app) on the Facebook developer site and request the EMP a business group.
  • Naver Account (Only allowed B2C services (apps) operating in South Korea )
    • You need to receive approval from Naver, as Naver does not officially support business grouping. 

Refer to the following to carry out the development.

  1. Share with your LG representative the information on the third-party SDK that you want to use.
  2. Implement a third-party authentication process by using the SDK and documentation provided by the third party.
  3. For EMP sign-in linkage, refer to the following or get guidance from your LG representative.

E.g., Using Google - App SDK

  1. The service (app) calls the EMP API ({EMPBaseURL}/authorize) and enters the EMP Front UI.
  2. On the EMP Front UI (empsign_in), a user clicks the Google Sign-in button. Then the following values are returned as callback_url of the service (app).
    • returnCode = 910 
    • returnDescription = confirm_ggl 
  3. Once the service (app) receives the returned values, it closes WebView and uses the Google App SDK to perform Google authentication.
  4. Once Google authentication is complete, the service (app) calls the EMP Front UI (empsign_in) page again. At this time, the following information is included in the header. 
    • user_id_type = GGL
    • user_id = Google ID of the user 
    • user_thirdparty_token = A token issued by Google
  5. If the authentication is valid, the EMP issues an authorization code. 
  6. The service (app) receives an access token with the authorization code.