Solved: PKCE not working for OAuthButton?

mlindgren · ‎10-02-2017

I'm trying to use an OAuth Button to auth to Google. When I click the button and go through the auth flow, the settingsKey gets populated with this:

{\"redirectUrl\":\"https://app-settings.fitbitdevelopercontent.com/simple-redirect.html\",\"codeVerifier\":\"...\"}

However, the onAccessToken function never gets called. I haven't actually used OAuth before, so maybe I'm just misunderstanding, but based on my reading of the Google docs and the PKCE RFC, the codeVerifier part needs to be exchanged for an actual token by POSTing it to https://www.googleapis.com/oauth2/v4/token.

I could roll my own request to exchange the code for an access token, but isn't the OAuthButton supposed to do this for me, provided that I set the pkce flag? The code for my button is:

        <Oauth
          settingsKey="gcalCreds"
          title="Google Calendar"
          label="Google Calendar"
          status="Connect"
          authorizeUrl="https://accounts.google.com/o/oauth2/v2/auth"
          requestTokenUrl="https://www.googleapis.com/oauth2/v4/token"
          clientId="..."
          clientSecret="..."
          scope="https://www.googleapis.com/auth/calendar.readonly"
          pkce=true
          onAccessToken={async (accessToken) => {
              console.log(accessToken);
          }}
        />

mlindgren · ‎10-22-2017

Looks like this works now! One of the Fitbit devs (Chapel in Discord) apparently fixed it recently.

View best answer in original post

JonFitbit · ‎10-03-2017

It certainly looks correct.

Have you added this url to your Google oAuth settings?

https://app-settings.fitbitdevelopercontent.com/simple-redirect.html

mlindgren · ‎10-03-2017

Yup, that's in there:

I'm testing on iOS, if that makes a difference.

mlindgren · ‎10-03-2017

This evening I'm seeing different behavior. I updated to the latest developer firmware, but I assume that shouldn't make a difference with respect to the behavior of the Settings page on the device.

Now, my onAccessToken function is getting called. Maybe it was getting called before and I just didn't see it because it just showed up in the logging output as [object Object]. Or maybe it actually wasn't being called... I'm not sure. At any rate, I changed the logging to be more clear, and now I see that it is being called. However, this is what I'm getting back:

{"error":"invalid_request","error_description":"Invalid parameter value for redirect_uri: Missing scheme: undefined"}

So now I'm not even getting the "codeVerifier" bit that I was before. My best guess about this error is that it looks like the OAuthButton may not be populating the redirect_uri parameter in the request body, as described here?

mlindgren · ‎10-22-2017

Looks like this works now! One of the Fitbit devs (Chapel in Discord) apparently fixed it recently.

DCFYI411 · ‎12-28-2017

Are you going make your calendar app available in the Fitbit app.

ChristianDi · ‎04-20-2019

I am currently also trying to achieve this and still get the same CORS error.

Did you change anything or did it just work out of the box?

Join us on the Community Forums!

Community Guidelines

Learn the Basics

Join the Community!

Not finding your answer on the Community Forums?

Go to the Help Site

Contact Support

PKCE not working for OAuthButton?

mlindgren

mlindgren

JonFitbit

mlindgren

mlindgren

mlindgren

DCFYI411

ChristianDi