1.0a to 2.0 User migration problems

Hello

I am working on migrating our internal company site to OAuth 2.0. I am trying to use the migration path to get the OAuth 2.0 refresh token for all currently registered users, but I am getting an "Invalid authorization header" error. One issue is that the application was registered by a developer who is no longer with the company, so there is no real way for us to make sure the client id and secret are still valid. The application was in use (but not really supported) for the last few years until it suddenly stopped working on the 1st as a result of the OAuth 1.0a to 2.0 change.
Below is my test code for getting the refresh token (using RestSharp in C#):

using System;
using RestSharp;
using RestSharp.Authenticators;

// Token endpoint; HttpBasicAuthenticator sends "Authorization: Basic base64(clientId:clientSecret)".
var restClient = new RestClient("https://api.fitbit.com/oauth2/token");
restClient.Authenticator = new HttpBasicAuthenticator("<client id>", "<client secret>");

var request = new RestRequest(Method.POST);
// RequestFormat only affects AddBody serialisation; the parameters below are sent as a form-encoded POST body.
request.RequestFormat = DataFormat.Json;
request.AddParameter("grant_type", "refresh_token");
request.AddParameter("refresh_token", "<user auth token>:<user auth token secret>");

var response = restClient.Execute(request);
Console.WriteLine(response.Content);  // prints the JSON error shown below

And below is the error response:

{"errors":[{"errorType":"invalid_client","message":"Invalid authorization header. Client id invalid. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}],"success":false}

Any help is appreciated. I have already registered the site under my own account and am working on implementing the OAuth 2.0 Fitbit association with the site for future inter-company competitions, but as the current competition ends in about a month we would like to avoid having everyone associate their Fitbits with the site again for this competition.

3 REPLIES

@jwaller: Doing a quick Google search, it looks like HttpBasicAuthenticator is not what you should be using for the Authentication header. It does the equivalent of https://yourClientId:yourClientSecret@api.fitbit.com, which is not the same thing.

I haven't used RestSharp, but I think you need to do something like

var creds = Convert.ToBase64String(Encoding.ASCII.GetBytes(clientId + ":" + clientSecret));
request.AddHeader("Authorization", "Basic " + creds);  // header goes on the RestRequest; RestClient only has AddDefaultHeader


Thanks for the response. I made the suggested change but am getting the same results. So I decided to try the new id and secret that I got from registering the site myself, and it looks like it is authenticating with that. I am instead getting the "Invalid refresh token" error, which I think is because the user is not associated with this new id and secret. I guess I should ask: is an old client id and secret still valid after OAuth 1.0a support was removed?


You can only use the client credentials of the client the access tokens were issued to. If you're getting an invalid refresh token error, then that means you should be setting the Authorization header.

To verify this, can you capture the HTTP request your application is making and send it to private support (since it will contain your client secret)? It's easier for us to help you debug your application by looking at the actual HTTP requests being made instead of your client code. You can use a tool like Runscope Traffic Inspector to do this. If you can't/don't want to do this, can you try to reproduce your HTTP request in cURL and send it to private support instead?

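The two things the replies turn on are how the client credentials are encoded into the Authorization header and how to reproduce the request in cURL for support without leaking the secret. The script below is an added example, not code from the thread or from Fitbit: it builds the refresh_token request the way RFC 6749 describes it (client_secret_basic header, form-encoded body), renders it as a curl command with the secret and token redacted, and classifies the endpoint's JSON reply. The function names and sample values are assumptions; the invalid_client body is the one quoted in the original post, and the invalid_grant mapping is the RFC 6749 error code for a bad refresh token (the thread itself only shows invalid_client).

```python
import base64
import json
import shlex
from urllib.parse import urlencode

# Endpoint named in the thread; function names and sample values below are assumed.
TOKEN_URL = "https://api.fitbit.com/oauth2/token"

# Error body quoted in the original post, reused here as sample input.
SAMPLE_INVALID_CLIENT = (
    '{"errors":[{"errorType":"invalid_client","message":"Invalid authorization header. '
    'Client id invalid. Visit https://dev.fitbit.com/docs/oauth2 for more information on '
    'the Fitbit Web API authorization process."}],"success":false}'
)


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 client_secret_basic: 'Basic ' + base64(client_id ':' client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str):
    """Headers and form parameters for a refresh_token grant.

    The body is application/x-www-form-urlencoded, not JSON, and the client
    credentials travel only in the Authorization header, never in the body.
    """
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return headers, params


def encode_body(params: dict) -> str:
    """Form-encode the parameters (a ':' inside the token becomes %3A)."""
    return urlencode(params)


def as_curl(headers: dict, params: dict, redact: bool = True) -> str:
    """Render the request as a curl command line.

    With redact=True the client secret and the refresh token are replaced so the
    command can be pasted into a support ticket without leaking credentials.
    """
    h = dict(headers)
    p = dict(params)
    if redact:
        h["Authorization"] = "Basic <redacted>"
        if "refresh_token" in p:
            p["refresh_token"] = "<redacted>"
    parts = ["curl", "-X", "POST", shlex.quote(TOKEN_URL)]
    for name, value in h.items():
        parts += ["-H", shlex.quote(f"{name}: {value}")]
    for name, value in p.items():
        # --data-urlencode lets curl do the form encoding of the value.
        parts += ["--data-urlencode", shlex.quote(f"{name}={value}")]
    return " ".join(parts)


def diagnose(response_body: str) -> str:
    """Classify the token endpoint's JSON reply.

    invalid_client: Authorization header missing/malformed, or the client id and
    secret are not valid, so fix credentials before looking at the token.
    invalid_grant (RFC 6749 code for a bad refresh token; assumed, not shown in
    the thread): the client authenticated, but the token was not issued to it.
    """
    data = json.loads(response_body)
    errors = data.get("errors")
    if not errors:
        return "ok"
    types = {e.get("errorType") for e in errors}
    if "invalid_client" in types:
        return "invalid_client: client authentication failed; check the Basic header and the client id/secret"
    if "invalid_grant" in types:
        return "invalid_grant: client authenticated, but this refresh token is not valid for that client"
    return "; ".join(f"{e.get('errorType')}: {e.get('message')}" for e in errors)


if __name__ == "__main__":
    headers, params = build_refresh_request("<client id>", "<client secret>", "<user token>")
    print(as_curl(headers, params))
    print(diagnose(SAMPLE_INVALID_CLIENT))
```

The order of checks in diagnose mirrors the thread: an invalid_client reply says nothing about the refresh token, because the server never got past client authentication; only once the client authenticates does an invalid_grant reply tell you the token belongs to a different client (here, the old registration) or has expired.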