I've encountered a similar incident as described in this thread, but I wanted to document it again here for clarity and to see if there is any workaround within the Fitbit settings.

I'm using the <OAuth> component to allow for AWS Cognito logins in our app.  Our Cognito client also allow for Facebook logins, which requires an additional redirect.  When initiating the Facebook login or completing the Cognito login, the redirect fails on Android due to the state parameter containing a "#", e.g. 

[...]#Intent;scheme=fitbit;package=com.fitbit.FitbitMobile[...]

I had to copy this URL from my native browser to be able to find that that was the issue breaking the OAuth flow.  I expected other apps would experience a similar issue and looked at the Spotify app.  They end up escaping the state again in order to avoid this issue.  Once I encoded the state parameter server-side (prior to reaching the authorization endpoint), everything worked as intended.

I'm a little surprised that an OAuth server would have to go through the trouble of mutating the state parameter for everything to function as intended.  While I do have a solution to handle this, is there anything that can be done with the <OAuth> component or in the settings file to prevent the need for this additional server-side work?