07-21-2023 02:21
I am developing an Android app where I use Fitbit to show sleep data to users.
At some point I was retrieving data from Fitbit API with no problems, but now I noticed that the login no longer works. Redirect happens correctly and I get the authorization code and state. When I try to exchange these for access and refresh tokens, I get this error:
{"errors":[{"errorType":"invalid_client","message":"Invalid authorization header format. The header was not recognized to be a valid header for any of known implementations or a client_id was not specified in case of a public client Received header = null. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}],"success":false}
I also tried to debug this with the help of the troubleshooting guide on the website https://dev.fitbit.com/build/reference/web-api/troubleshooting-guide/oauth2-tutorial , but the website also returns the same error. I also tried to change my values (code challenge, state etc.) to be the same as on the site and still the same error occurs.
Here is the POST request I am sending (I redacted the values):
POST https://api.fitbit.com/oauth2/token
Body : client_id=CLIENT_ID&code=AUTH_CODE&code_verifier=CODE_VERIFIER&redirect_uri=REDIRECT_URL&grant_type=authorization_code
Headers : (1)
Content-Type : application/x-www-form-urlencoded
I have been searching for days for an answer to this and can not seem to find one. Am I missing something? I feel like it's weird that I even get the same error when trying it with the troubleshooting tool on the website so has something changed?
07-24-2023 08:31
Hi @Snowwhitee
Would you please provide your authorization URL (i.e. https://www.fitbit.com/oauth2/authorize) so I can see what parameters and the values are being used when someone consents to your application? I'll also try to consent to your application to see if I can replicate the problem.
Thanks!
Gordon
07-24-2023 09:13
The authorization URL is: https://www.fitbit.com/oauth2/authorize?client_id=CLIENT_ID&response_type=code&redirect_uri=REDIRECT...
I sent CLIENT_ID and REDIRECT_URL to you as personal message
07-24-2023 10:10
Thank you! When you exchange the authorization code for the access token and refresh token using the /oauth2/token endpoint, are you providing the authorization header along with the Basic token? For example
POST https://api.fitbit.com/oauth2/token
Authorization: Basic QUJDMTIzOkRFRjQ1Ng==
Content-Type: application/x-www-form-urlencoded

client_id=ABC123&code=<authorization_code>&code_verifier=<code_verifier>&grant_type=authorization_code
07-24-2023 10:23 - edited 07-24-2023 10:26
Currently, no, I am not. I thought it was not needed for the client type application; the request I'm making is posted in the original message I posted. Also, I did try it with adding a header like described in the documentation, which is Authorization: Basic [base64encodedString(CLIENT_ID:CLIENT_SECRET)], but it still returned the same error. Additionally, the code I have had been working earlier last week even though I did not have the authorization header with the basic token in the exchange request.
07-26-2023 10:26
You are correct. Is your application type set to "client" or "server" at https://dev.fitbit.com/apps?
07-26-2023 11:37 - edited 07-26-2023 11:47
Ugh. Apparently when debugging the issue I changed it to 'server' and thought I changed it back to 'client', but it was still set to 'server'. So the issue was resolved by changing the application type. Sorry for the trouble! I don't know where the original issue came from, though, because I didn't make the change until I received the error and was trying out different things to resolve it.
But it's working now!
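The two request shapes this thread ends up contrasting, as an added Python example (not code from the thread or from Fitbit): a 'client' (public) app sends client_id in the form body and proves possession of the PKCE code_verifier, while a 'server' (confidential) app sends its credentials in the Basic Authorization header. The client id and secret are the placeholder values from Gordon's reply; the redirect URI is a constructed placeholder, and the code only builds the request without sending it.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

TOKEN_URL = "https://api.fitbit.com/oauth2/token"


def make_pkce_pair(code_verifier=None):
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method.
    A fresh 86-character verifier is generated unless one is supplied
    (supplying one is only useful for testing against a known vector)."""
    if code_verifier is None:
        code_verifier = secrets.token_urlsafe(64)  # within the 43..128 char limit
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    # base64url without '=' padding, as the spec requires
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return code_verifier, code_challenge


def basic_auth_header(client_id, client_secret):
    """Authorization header value for a confidential ('server') client:
    'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(app_type, client_id, code, code_verifier,
                        redirect_uri, client_secret=None):
    """Build (headers, body) for the code-for-token exchange against TOKEN_URL.
    'client' apps are public: no secret is shipped, client_id goes in the body.
    'server' apps are confidential: credentials go in the Basic header only.
    Sending the wrong shape for the registered app type is what produces the
    invalid_client / 'Received header = null' error seen in this thread."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {
        "code": code,
        "code_verifier": code_verifier,
        "redirect_uri": redirect_uri,  # must match the one used on /authorize
        "grant_type": "authorization_code",
    }
    if app_type == "client":
        form["client_id"] = client_id
    elif app_type == "server":
        if not client_secret:
            raise ValueError("server-type app needs a client secret")
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        raise ValueError(f"unknown app type: {app_type}")
    return headers, urlencode(form)
```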