08-29-2019 04:43
In the OAuth flow, Fitbit suggested giving "https://app-settings.fitbitdevelopercontent.com/simple-redirect.html" as the redirect_uri; the code and state are now sent to this redirect_uri. After that, the /token endpoint is called to exchange the code and get the access token. In this scenario the Authorization header is missing.
Authorization Header
The Authorization header must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and secret concatenated with a colon. For example, the Base64 encoded string, Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ=, is decoded as "client_id:client secret".
08-29-2019 14:59
Hi @Sandy111,
Welcome to the Forums!
Are you running into an error using the authorization code grant flow during the authorization process? If so, can you provide me with the error message you are seeing?
Hope to hear from you soon!

09-09-2019 02:59
Hi,
As per the Fitbit document, I expected the client ID and secret in the Authorization header. But the client ID and secret are going in form body params, which is also right behavior; scopes are not attached to the request.

09-10-2019 06:58
Hi Sandy,
We support the syntax defined by the RFC 6749 specification. The proper syntax for the Fitbit Web APIs is to have the Base64 encoded client ID and secret be passed with the Authorization Header. The specification does not recommend passing the client ID and secret as body parameters. Please review the specification
https://tools.ietf.org/html/rfc6749#section-2.3.1
You said the client ID and secret are going in the form body parameters. Is this something you are purposely doing or your application is doing? Can you show us an example of what you're observing?
Best,
Gordon
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google

09-11-2019 05:04
<Oauth
  settingsKey="oAuth1"
  title="Login"
  label={label}
  status={status}
  authorizeUrl="https://blahblah.com/Authorize"
  requestTokenUrl="https://blahblah.com/OAuth/Token"
  clientId="watchdev"
  clientSecret="watchXXXX"
  scope="All"
  onAccessToken={async (data) => {
    console.log('heloooooooooooooooooooooo');
    console.log(JSON.stringify(data));
    label = "You are logged in as " + props.settingsStorage.getItem('userName');
  }}
/>
I am using the above code, and the redirect_uri is "https://app-settings.fitbitdevelopercontent.com/simple-redirect.html". This page is calling the token endpoint on our authentication server for the tokens. In this call the Authorization header is not received.

09-11-2019 06:38
Hi @Sandy111
It's not exactly clear to me what you're trying to do. It reads like you're calling your own authorization server expecting an authorization header from Fitbit to be returned. It might be helpful if you could describe your architecture and how/where the Fitbit Web APIs are called.
The Authorization header is something your application needs to include when calling
POST https://api.fitbit.com/oauth2/token
The value of the Basic token included in the Authorization header is the Base64 encoded string of your application's client id and secret concatenated with a colon. You can get the client ID and secret from https://dev.fitbit.com/apps.
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
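
Added example, not part of the thread and not Fitbit's code: the two client-authentication styles discussed above (Basic Authorization header versus client_id/client_secret in the form body, RFC 6749 section 2.3.1), with a token-endpoint check that accepts either one but rejects a request carrying both. The function names are hypothetical, the sample values are constructed, and Node's Buffer is assumed for Base64.

```javascript
// Client side: token request with credentials in the Authorization header,
// i.e. "Basic " + Base64(client_id ":" client_secret) as quoted in the first post.
function buildTokenRequest(clientId, clientSecret, code, redirectUri) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return {
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      code,
      redirect_uri: redirectUri,
    }).toString(),
  };
}

// Server side (hypothetical token endpoint helper): find the client credentials
// in the header or in the form body, and refuse a request that uses both.
function extractClientCredentials(headers, rawBody) {
  const params = new URLSearchParams(rawBody);
  const inBody = params.has('client_id') && params.has('client_secret');
  const auth = headers.Authorization || headers.authorization || '';
  const match = /^Basic\s+([A-Za-z0-9+\/]+={0,2})$/i.exec(auth);

  if (match && inBody) {
    // RFC 6749 section 2.3: only one authentication method per request.
    throw new Error('invalid_request: two client authentication methods');
  }
  if (match) {
    const decoded = Buffer.from(match[1], 'base64').toString('utf8');
    const sep = decoded.indexOf(':'); // split on the first colon only
    if (sep < 1) throw new Error('invalid_client: malformed Basic credentials');
    return {
      method: 'header',
      clientId: decoded.slice(0, sep),
      clientSecret: decoded.slice(sep + 1),
    };
  }
  if (inBody) {
    return {
      method: 'body',
      clientId: params.get('client_id'),
      clientSecret: params.get('client_secret'),
    };
  }
  throw new Error('invalid_client: no client credentials');
}
```

Logging the `method` field at the token endpoint shows which style a given client is actually sending.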

