PKCE not working for OAuthButton?

SOLVED
I'm trying to use an OAuth Button to auth to Google. When I click the button and go through the auth flow, the settingsKey gets populated with this:

```text
{\"redirectUrl\":\"https://app-settings.fitbitdevelopercontent.com/simple-redirect.html\",\"codeVerifier\":\"...\"}
```

However, the onAccessToken function never gets called. I haven't actually used OAuth before, so maybe I'm just misunderstanding, but based on my reading of the Google docs and the PKCE RFC, the codeVerifier part needs to be exchanged for an actual token by POSTing it to https://www.googleapis.com/oauth2/v4/token.

I could roll my own request to exchange the code for an access token, but isn't the OAuthButton supposed to do this for me, provided that I set the pkce flag? The code for my button is:

```jsx
// Fitbit settings-page JSX as posted, fenced for readability. One syntax
// fix: a JSX attribute value must be a string or a {...} expression, so the
// posted pkce=true is written as pkce={true}.
<Oauth
  settingsKey="gcalCreds"
  title="Google Calendar"
  label="Google Calendar"
  status="Connect"
  authorizeUrl="https://accounts.google.com/o/oauth2/v2/auth"
  requestTokenUrl="https://www.googleapis.com/oauth2/v4/token"
  clientId="..."
  clientSecret="..."
  scope="https://www.googleapis.com/auth/calendar.readonly"
  pkce={true}
  onAccessToken={async (accessToken) => {
    // Called with the object returned by the token exchange
    console.log(accessToken);
  }}
/>
```
Accepted Solutions

Looks like this works now! One of the Fitbit devs (Chapel in Discord) apparently fixed it recently.

4 REPLIES

It certainly looks correct.

Have you added this URL to your Google OAuth settings?

https://app-settings.fitbitdevelopercontent.com/simple-redirect.html


Yup, that's in there:

[screenshot: gcal.png]

I'm testing on iOS, if that makes a difference.


This evening I'm seeing different behavior. I updated to the latest developer firmware, but I assume that shouldn't make a difference with respect to the behavior of the Settings page on the device.

Now, my onAccessToken function is getting called. Maybe it was getting called before and I just didn't see it because it just showed up in the logging output as [object Object]. Or maybe it actually wasn't being called... I'm not sure. At any rate, I changed the logging to be more clear, and now I see that it is being called. However, this is what I'm getting back:

```json
{"error":"invalid_request","error_description":"Invalid parameter value for redirect_uri: Missing scheme: undefined"}
```

So now I'm not even getting the "codeVerifier" bit that I was before. My best guess about this error is that it looks like the OAuthButton may not be populating the redirect_uri parameter in the request body, as described here?

