PKCE not working for OAuthButton?

ANSWERED
I'm trying to use an OAuth Button to auth to Google. When I click the button and go through the auth flow, the settingsKey gets populated with this:
 
{\"redirectUrl\":\"https://app-settings.fitbitdevelopercontent.com/simple-redirect.html\",\"codeVerifier\":\"...\"} 
 
However, the onAccessToken function never gets called. I haven't actually used OAuth before, so maybe I'm just misunderstanding, but based on my reading of the Google docs and the PKCE RFC, the codeVerifier part needs to be exchanged for an actual token by POSTing it to https://www.googleapis.com/oauth2/v4/token.
 
I could roll my own request to exchange the code for an access token, but isn't the OAuthButton supposed to do this for me, provided that I set the pkce flag? The code for my button is:
 
        <Oauth
          settingsKey="gcalCreds"
          title="Google Calendar"
          label="Google Calendar"
          status="Connect"
          authorizeUrl="https://accounts.google.com/o/oauth2/v2/auth"
          requestTokenUrl="https://www.googleapis.com/oauth2/v4/token"
          clientId="..."
          clientSecret="..."
          scope="https://www.googleapis.com/auth/calendar.readonly"
          pkce={true}
          onAccessToken={async (accessToken) => {
              console.log(accessToken);
          }}
        />

Accepted Solutions

Looks like this works now! One of the Fitbit devs (Chapel in Discord) apparently fixed it recently.

6 REPLIES

It certainly looks correct.

 

Have you added this URL to your Google OAuth settings?

 

https://app-settings.fitbitdevelopercontent.com/simple-redirect.html


Yup, that's in there:

 

[Screenshot: gcal.png]

 

I'm testing on iOS, if that makes a difference.

0 Votes

This evening I'm seeing different behavior. I updated to the latest developer firmware, but I assume that shouldn't make a difference with respect to the behavior of the Settings page on the device.

 

Now, my onAccessToken function is getting called. Maybe it was getting called before and I just didn't see it because it just showed up in the logging output as [object Object]. Or maybe it actually wasn't being called... I'm not sure. At any rate, I changed the logging to be more clear, and now I see that it is being called. However, this is what I'm getting back:

 

{"error":"invalid_request","error_description":"Invalid parameter value for redirect_uri: Missing scheme: undefined"}

So now I'm not even getting the "codeVerifier" bit that I was before. My best guess about this error is that it looks like the OAuthButton may not be populating the redirect_uri parameter in the request body, as described here?

0 Votes

Looks like this works now! One of the Fitbit devs (Chapel in Discord) apparently fixed it recently.


Are you going to make your calendar app available in the Fitbit app?

0 Votes

I am currently also trying to achieve this and still get the same CORS error.

Did you change anything or did it just work out of the box?

 

0 Votes