07-21-2016 14:06 - edited 07-21-2016 14:09
There seems to be some sort of URL encoding problem with the state parameter during the authorize callback, but only when using the 'token' workflow. If your state parameter contains either '/' or '+', or possibly others, the state parameter that is returned on the round trip is incorrect. It looks like maybe it's double encoded or something? I'm not great with URL encoding so I'm not sure.
Example:
State (not encoded):
IOrw83rhtLgwbaMtrCDWTdtB/qRHAOZ4
Authorize Url
oauth2/authorize?redirect_uri=http:%2F%2Flocalhost:33533%2Ffitbit&client_id=******&scope=heartrate%20activity%20sleep%20profile&state=IOrw83rhtLgwbaMtrCDWTdtB%2FqRHAOZ4&response_type=token
Callback
http://localhost:33533/fitbit#access_token=********************&user_id=*****&scope=sleep+activity+heartrate+profile&state=IOrw83rhtLgwbaMtrCDWTdtB%252FqRHAOZ4&token_type=Bearer&expires_in=81775
Note that there is like an extra '52' in the received state parameter. Using the same state with a 'token' workflow works as expected.
Example:
Authorize Url
/oauth2/authorize?redirect_uri=http:%2F%2Flocalhost:33533%2Ffitbit&client_id=******&scope=heartrate%20activity%20sleep%20profile&state=IOrw83rhtLgwbaMtrCDWTdtB%2FqRHAOZ4&response_type=code
Callback
http://localhost:33533/fitbit?code=************&state=IOrw83rhtLgwbaMtrCDWTdtB%2FqRHAOZ4#_=_
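The two round trips above, reproduced as an added Python example (this is not code from the original post or from Fitbit). It shows why '%2F' becomes '%252F' when a value is percent-encoded twice, parses the state out of either the fragment (token flow) or the query string (code flow) the way a client would, and then treats the state as the CSRF check it is: an exact match is accepted, a double-encoded value is reported but still rejected. The callback URLs and client id are constructed from the post with the secrets replaced by placeholders; the '+' case and the base64url state generator go beyond the post's specific example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# The state value from the post (a constructed sample, not a real secret).
STATE = "IOrw83rhtLgwbaMtrCDWTdtB/qRHAOZ4"
REDIRECT_URI = "http://localhost:33533/fitbit"

# Constructed callbacks modelled on the post; tokens are placeholders.
TOKEN_CALLBACK = (
    "http://localhost:33533/fitbit#access_token=ACCESS_TOKEN_PLACEHOLDER"
    "&user_id=USER_ID_PLACEHOLDER&scope=sleep+activity+heartrate+profile"
    "&state=IOrw83rhtLgwbaMtrCDWTdtB%252FqRHAOZ4&token_type=Bearer&expires_in=81775"
)
CODE_CALLBACK = (
    "http://localhost:33533/fitbit?code=CODE_PLACEHOLDER"
    "&state=IOrw83rhtLgwbaMtrCDWTdtB%2FqRHAOZ4#_=_"
)


def encode_once(value: str) -> str:
    """Percent-encode a query value once; safe='' so '/' becomes %2F."""
    return quote(value, safe="")


def encode_twice(value: str) -> str:
    """Encode an already-encoded value again: the '%' of '%2F' becomes '%25'."""
    return quote(encode_once(value), safe="")


def build_authorize_url(client_id: str, state: str) -> str:
    """Build the authorize URL with every value percent-encoded exactly once."""
    params = {
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "scope": "heartrate activity sleep profile",
        "state": state,
        "response_type": "token",
    }
    # quote_via=quote gives %20 for spaces, matching the URL in the post
    return "/oauth2/authorize?" + urlencode(params, quote_via=quote)


def state_from_callback(url: str):
    """Return the state parameter as the client sees it after one decode.

    The token flow carries its parameters in the fragment, the code flow in
    the query string, so read whichever part carries a state parameter.
    Note that parse_qs decodes percent-escapes once and turns '+' into a
    space, which is why a raw '+' in the state also breaks the round trip.
    """
    parts = urlsplit(url)
    raw = parts.fragment if "state=" in parts.fragment else parts.query
    values = parse_qs(raw, keep_blank_values=True).get("state", [])
    return values[0] if values else None


def diagnose_state(expected: str, received) -> str:
    """Classify the round trip: ok, double-encoded, mismatch, or missing."""
    if received is None:
        return "missing"
    # constant-time compare on bytes; the state is a CSRF token
    if hmac.compare_digest(expected.encode(), received.encode()):
        return "ok"
    # decoding once more recovers the original only if it was encoded twice
    if unquote(received) == expected:
        return "double-encoded"
    return "mismatch"


def state_matches(expected: str, received) -> bool:
    """Strict check: accept only an exact match after a single decode."""
    return diagnose_state(expected, received) == "ok"


def new_state() -> str:
    """Random state from the base64url alphabet: no '/', '+' or '=' to mis-encode."""
    return secrets.token_urlsafe(24)
```

Running `diagnose_state(STATE, state_from_callback(TOKEN_CALLBACK))` yields "double-encoded" for the token-flow callback and "ok" for the code-flow one. The client should still refuse the double-encoded callback rather than decode a second time, since an extra decode would also let a deliberately crafted mismatch slip through; generating the state with `token_urlsafe` sidesteps the problem entirely because the base64url alphabet contains neither '/' nor '+'.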
