Hi @Gordon-C, thanks for the response.

Here is the URL:

https://www.fitbit.com/oauth2/authorize?scope=activity+profile+heartrate+settings+social+weight+loca...

Thanks!

For clarification, are you getting the error message instead of the scope page being displayed, or does the error message occur when the user enables the scopes and presses the "Apply" button?

@Gordon-C, after filling username / password and login, the user gets the error message instead of scope / permission page.

@Gordon-C, any idea about the above problem?

There could be a few things that are causing the error message

1. the redirect url in your authorize string needs to exactly match the URL in the dev.fitbit.com settings

2. in the authorization string you provided, 

redirect_uri=https://www.lfconnect.com/lfservice/third_party_apps_auth/source=Web&target=Fitbit

it looks like you have an "&" in it.  Since & are used to denote separation between the URL parameters, the & in your string could be thinking the redirect URL is shorter than it actually is.  Can you change your redirect URL so it doesn't contain the &

3. Lastly, I see you have the parameter "state" but no value.  I would recommend removing it.

Thanks, @Gordon-C!

You are right about the "&" in redirect_uri. After login, the redirect_url is carried-forward unescaped.

We're using the redirect_uri with "&" for quite some time without any issue. Is it possible for Fitbit to support it again?

Hi @rwinata 

We're looking into the reason why you no longer can include an & in the redirect_uri.

Gordon

@rwinata How is this problem impacting your application?   Are you able to use the workaround of not using an & in the redirect_uri parameter?

@rwinata One other question for you, when the application executes the /oauth2/authorize endpoint and the user is not logged in, the user should be prompted to log into their fitbit.com account.  Would you please send me a screen shot of the login page and the URL?   Once they log in, does the user get the error?

> How is this problem impacting your application?   Are you able to use the workaround of not using an & in the redirect_uri parameter?

Currently, our users can't enable the Fitbit sync in our app. We investigated and tested passing the URL without ampersand and it's confirmed to be the cause. There's no simple workaround at this moment because we need to redesign the URL to use not more than 1 parameter.

1. Login page:

https://accounts.fitbit.com/login?targetUrl=https%3A%2F%2Fwww.fitbit.com%2Flogin%2Ftransferpage%3Fre...

2. After login

https://www.fitbit.com/oauth2/authorize?client_id=2294JP&redirect_uri=https://www.lfconnect.com/lfse...

Hi @rwinata 

We have isolated a problem when using parameters in the callback URL and we are working on a fix.  I'll try to find out when the fix will be available in production.

Gordon

Glad to hear that, @Gordon-C. Thank you!

We are seeing the same issue regarding the error message but have no special chars in the redirect URI at all.  Our app was working fine a few days ago and now it is failing.  We are able to login via the OAuth screen but are presented with the invalid redirect URI before we get redirected to your authorize screen.  This seems to only be an issue with our mobile applications at this time. Our web version is not having this issue.

Our Redirect URI is: https://www.<host>.com/service-auth

Is this a known issue?

Thanks!

Hi @angelir 

Would you please post your entire /oauth2/authorize URL?

Hi @Gordon-C ,

Here is the url with the client and host removed.  The client is our fitbit clientId.  Again, this has not changed on our end for quiet some time.

https://www.fitbit.com/oauth2/authorize?client_id=<removed>&redirect_uri=https://www.<removed>.com/s...

I appreciate your attention to this!

Thanks,

Rob

Hi @angelir 

I'm not able to reproduce the error message with your authorization URL.  Is the redirect URL specified in your authorization URL, the same as what is defined in dev.fitbit.com?    They need to match.

Gordon

@Gordon-C, do you have ETA for the fix?