08-29-2019 04:43
In the OAuth flow, Fitbit suggested giving "https://app-settings.fitbitdevelopercontent.com/simple-redirect.html" as the redirect_uri; now the code and state are sent to this redirect_uri. After that, the /token endpoint is called to exchange the code and get the access token, and in this scenario the Authorization header is missing.
Authorization Header
The Authorization header must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and secret concatenated with a colon. For example, the Base64 encoded string, Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ=, is decoded as "client_id:client secret".
08-29-2019 14:59
Hi @Sandy111,
Welcome to the Forums!
Are you running into an error using the authorization code grant flow during the authorization process? If so, can you provide me with the error message you are seeing?
Hope to hear from you soon!
09-09-2019 02:59
Hi
As per the Fitbit document, I expected the client ID and secret in the Authorization header. But the client ID and secret are going in form body params, which is also right behavior; scopes are not attached to the request.
09-10-2019 06:58
Hi Sandy,
We support the syntax defined by the RFC 6749 specification. The proper syntax for the Fitbit Web APIs is to have the Base64 encoded client ID and secret passed in the Authorization header. The specification does not recommend passing the client ID and secret as body parameters. Please review the specification:
https://tools.ietf.org/html/rfc6749#section-2.3.1
You said the client ID and secret are going in the form body parameters. Is this something you are purposely doing or your application is doing? Can you show us an example of what you're observing?
Best,
Gordon
09-11-2019 05:04
<Oauth
  settingsKey="oAuth1"
  title="Login"
  label={label}
  status={status}
  authorizeUrl="https://blahblah.com/Authorize"
  requestTokenUrl="https://blahblah.com/OAuth/Token"
  clientId="watchdev"
  clientSecret="watchXXXX"
  scope="All"
  onAccessToken={async (data) => {
    console.log('heloooooooooooooooooooooo');
    console.log(JSON.stringify(data));
    label = "You are logged in as " + props.settingsStorage.getItem('userName');
  }}
/>
I am using the above code, and the redirect_uri is "https://app-settings.fitbitdevelopercontent.com/simple-redirect.html"; this page is calling the token endpoint on our authentication server for the tokens. In this call the Authorization header is not received.
09-11-2019 06:38
Hi @Sandy111
It's not exactly clear to me what you're trying to do. It reads like you're calling your own authorization server expecting an authorization header from Fitbit to be returned. It might be helpful if you could describe your architecture and how/where the Fitbit Web APIs are called.
The Authorization header is something your application needs to include when calling
POST https://api.fitbit.com/oauth2/token
The value of the Basic token included in the Authorization header is the Base64 encoded string of your application's client id and secret concatenated with a colon. You can get the client ID and secret from https://dev.fitbit.com/apps.
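An added Node.js example (not Fitbit's code and not from any post above) of the token exchange Gordon describes: the client id and secret go into a Basic Authorization header per RFC 6749 section 2.3.1, the form body carries only the grant parameters, and a small check flags a captured request that has no Authorization header or that leaks client_secret into the body. The client id, secret, code and the request object shape are constructed sample values.

```javascript
// Added example, not Fitbit's or the poster's code. Builds the authorization-code
// exchange for POST https://api.fitbit.com/oauth2/token with credentials in a Basic
// Authorization header (RFC 6749 2.3.1) and reviews a captured request. Node globals only.
const FITBIT_TOKEN_URL = "https://api.fitbit.com/oauth2/token";

// "Basic " + Base64(client_id + ":" + client_secret), as the Fitbit docs specify.
function basicAuthHeader(clientId, clientSecret) {
  return "Basic " + Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
}

// Inverse: [clientId, clientSecret] or null. Split on the first ":" (ids cannot contain one).
function decodeBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+\/]+=*)$/.exec(headerValue || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  return sep < 0 ? null : [decoded.slice(0, sep), decoded.slice(sep + 1)];
}

// Code-for-token request: credentials in the header, never in the body. The body carries
// grant_type, code, redirect_uri and client_id (RFC 6749 4.1.3 permits client_id here).
function buildTokenRequest({ clientId, clientSecret, code, redirectUri }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
  });
  return {
    method: "POST",
    url: FITBIT_TOKEN_URL,
    headers: {
      Authorization: basicAuthHeader(clientId, clientSecret),
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: body.toString(),
  };
}

// Review a captured token request (e.g. from a proxy log) for the defects in the thread.
function tokenRequestProblems(req) {
  const problems = [];
  if (!decodeBasicAuth(req.headers && req.headers.Authorization)) {
    problems.push("missing or malformed Basic Authorization header");
  }
  if (new URLSearchParams(req.body || "").has("client_secret")) {
    problems.push("client_secret sent in the form body");
  }
  return problems;
}
```

The Base64 sample from the Fitbit docs round-trips: basicAuthHeader("client_id", "client secret") yields "Basic Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ=".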