Hey there,
I'm fighting with this for the whole weekend and I'm running out of ideas.
I try to create a personal app to retrieve data from Microsoft and display them on my fitbit.
For this, I need to get an access token via a refresh token and then later use this access token to retrieve data for my personal user.
This is my code:
var formdata = new FormData();
formdata.append("client_id", "<client_id>");
formdata.append("refresh_token", "<refresh_token>");
formdata.append("client_secret", "<secret>");
formdata.append("grant_type", "refresh_token");
var requestOptions = {
method: 'POST',
body: formdata
};
fetch("https://login.microsoftonline.com/common/oauth2/v2.0/token?", requestOptions)
.then(response => response.text())
.then(result => console.log(result))
.catch(error => console.log('error', error));
The call to get a new access token fails though while the request works with curl, Postman, Python and NodeJS
Companion: {"error":"invalid_request","error_description":"AADSTS90023: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.\r\nTrace ID: 26ee9e75-6832-4d39-9bbe-730a4807b600\r\nCorrelation ID: 1c6c2d50-66bb-4827-ad08-a24a455270c4\r\nTimestamp: 2021-05-09 21:07:57Z","error_codes":[90023],"timestamp":"2021-05-09 21:07:57Z","trace_id":"26ee9e75-6832-4d39-9bbe-730a4807b600","correlation_id":"1c6c2d50-66bb-4827-ad08-a24a455270c4"}
By inspecting requests and playing around with headers I figured out that header origin=null is set on a POST request executed in the companion, e.g. tested here with a call to a local API:
Host: localhost:5000
Connection: keep-alive
Content-Length: 830
Origin: null
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_16_0) AppleWebKit/537.36 (KHTML, like Gecko) FitbitOSSimulator/0.9.0 Chrome/80.0.3987.165 Electron/8.5.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3RzdLIweHmZyTbDd
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB
Adding origin=null to the working requests in e.g. Python makes them fail the same way as via the companion. Is there any way to avoid the setting of origin? AFAIK the companion is run via a webview, which is probably causing all this, but I don't know if there's any way around this.
Because of this I'm not able to authenticate with Microsoft as it thinks it's a CORS request, even though actually it's coming from the "backend" in the companion and shouldn't have an origin set (as it e.g. works via NodeJS).
Any ideas on this?
Fitbit Developers oversee the SDK and API forums. We're here to answer questions about Fitbit developer tools, assist with projects, and make sure your voice is heard by the development team.
Best Answer