help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Bug: Returned State Parameter in Token Flow Does Not Match Given State

‎07-21-2016 14:06 - edited ‎07-21-2016 14:09

‎07-21-2016 14:06 - edited ‎07-21-2016 14:09

There seems to be some sort of url encoding problem with the state parameter during the authorize callback, but only when using the 'token' workflow. If your state parameter contains either '/' or '+', or possibly others, the state parameter that is returned on the round trip is incorrect. It looks like maybe its double encoded or something? I'm not great with URL encoding so I'm not sure.

 

Example:

 

State (not encoded):

IOrw83rhtLgwbaMtrCDWTdtB/qRHAOZ4

 

Authorize Url

oauth2/authorize?redirect_uri=http:%2F%2Flocalhost:33533%2Ffitbit&client_id=******&scope=heartrate%20activity%20sleep%20profile&state=IOrw83rhtLgwbaMtrCDWTdtB%2FqRHAOZ4&response_type=token

 

Callback

http://localhost:33533/fitbit#access_token=********************&user_id=*****&scope=sleep+activity+heartrate+profile&state=IOrw83rhtLgwbaMtrCDWTdtB%252FqRHAOZ4&token_type=Bearer&expires_in=81775

 

Note that there is like an extra '52' in the received state parameter. Using the same state with a 'token' workflow works as expected

 

Example:

 

 

Authorize Url

/oauth2/authorize?redirect_uri=http:%2F%2Flocalhost:33533%2Ffitbit&client_id=******&scope=heartrate%20activity%20sleep%20profile&state=IOrw83rhtLgwbaMtrCDWTdtB%2FqRHAOZ4&response_type=code

 

Callback

http://localhost:33533/fitbit?code=************&state=IOrw83rhtLgwbaMtrCDWTdtB%2FqRHAOZ4#_=_

Best Answer
Labels:
0 Votes
0 REPLIES 0