01-19-2015 21:15
I am currently developing a JAVA web application that uses Scribe OAuth. I am successfully triggering the User Authorization step for the user in the web browser. However, the callback URL I specified is not in production, so it does not return the verifier to the application. Is there a temporary solution to get the verifier when developing an application locally, since all my code for the future callback method is on a local server?

Labels: Java, OAuth 1.0a
03-17-2015 05:10
Hi,
I am creating the base string and the signed with string (concatenating the consumer secret and token secret). From them I need to generate the oauth_signature for various Fitbit users.
Can you suggest an implementation in Java/Groovy or any other language that will help me do one programmatically?
Thank you,
goswamisantanu
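
An added example, not part of the original post and not Fitbit's or Scribe's code: the OAuth 1.0a HMAC-SHA1 signing step the post describes, written per RFC 5849 and applied to several users. The endpoint, consumer key, tokens and secrets are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted 'k=v' list (no oauth_signature).

    Assumes `url` carries no query string; query and form parameters must be
    passed in `params` alongside the oauth_* values.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with pct(consumer_secret) & pct(token_secret), base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signatures_for_users(method, url, common, consumer_secret, users):
    """Sign the same call for several users; `users` maps name -> (token, secret)."""
    result = {}
    for name, (token, token_secret) in users.items():
        base = signature_base_string(method, url, {**common, "oauth_token": token})
        result[name] = sign_hmac_sha1(base, consumer_secret, token_secret)
    return result


# Constructed sample values; real nonces must be random and unique per request.
COMMON = {"oauth_consumer_key": "ck", "oauth_nonce": "n1",
          "oauth_signature_method": "HMAC-SHA1",
          "oauth_timestamp": "1426569000", "oauth_version": "1.0"}
URL = "https://api.example.test/1/user/-/profile.json"
USERS = {"alice": ("tok-a", "sec-a"), "bob": ("tok-b", "sec-b")}

if __name__ == "__main__":
    print(signatures_for_users("GET", URL, COMMON, "cs", USERS))
```

The resulting value is sent as `oauth_signature`, percent-encoded once more when placed in the Authorization header.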

11-18-2015 05:25 - edited 11-18-2015 05:29
But it cannot give any verifier in the callback URL.
Please help me.

11-18-2015 10:39
Hi, I need to do the OAuth2 process through the web browser process. Can FitBit support returning the authorization code to the browser like what Google did: https://developers.google.com/identity/protocols/OAuth2InstalledApp#choosingredirecturi?

11-18-2015 13:56
Yes it does if you use the implicit grant flow. However, you can also use the authorization grant flow if you open the link in a new window, and redirect the parent window on success.
I know it isn't mentioned anywhere in the API docs how the callback URI is called for implicit vs authorization grant. The return data is the same, except the difference is that authorization will redirect to the callback uri with a query string, whereas the implicit grant flow will redirect to the callback uri with a segment string.
authorization: http://www.website.com/callback?code=blah&expires=1234567...
implicit: http://www.website.com/callback#code=blah&expires=1234567
The difference between the two is that one is intended to be used for server to server and the other is intended to be used for client to server, like a normal web browser.

11-18-2015 15:21
Thank you for your quick reply. But we do still need a redirect URI. What I need to do: in my web browser control, 1) open the user login page with a URI having scope, client_id etc.; after successful login, the scope grant page comes up, 2) then click the 'allow' button. I hope the next webpage contains the authorization code. I can then extract the code from the page, like what I did to get the PIN code on OAuth1.
How can I implement this without a redirect URI?
thanks

11-18-2015 16:20
You can't. You need a callback URI so that FitBit knows where to send the user after they've authenticated. This is an explicit feature of oauth 2 and both calls have to be over SSL.
The callback URI should just be a generic page that keeps track of the stage of authorization. If no authorization, then get the auth token, set to step 1. If step 1, get the access token, set to step 2. If step 2, save refresh and access tokens and expires time somewhere so that you only have to refresh the auth token, rather than request authorization all over again when you use it later.
If you're wondering about how to work on the FitBit API in dev mode with a dev callback uri, compared to prod with a prod callback uri, create a new application and set the callback uri in the new application to your dev callback uri. Then use configuration flags and different settings for different environments
e.g.
if ($env == 'dev') $settings = array('client_id' => 'xyz', 'client_secret' => 'aabbcc123' /* ... */);
I've done this for a project I'm working on since oauth2 doesn't provide debug mode and has strict ssl, whereas oauth1 you can get away with it by disabling ssl checks and using debug mode.
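
An added example, not part of the original post or Fitbit's code: a sketch of the callback page described above, with one registered application per environment and the step 1 / step 2 tracking. The client IDs, secrets, redirect URIs and the `exchange_code` callable are hypothetical; the authorization endpoint URL and the `state` check are assumptions that the thread does not mention.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: one registered application per environment, each
# with its own callback URI. Real secrets belong in a secret store, not source.
SETTINGS = {
    "dev": {"client_id": "DEV_ID", "client_secret": "DEV_SECRET",
            "redirect_uri": "https://dev.example.test/callback"},
    "prod": {"client_id": "PROD_ID", "client_secret": "PROD_SECRET",
             "redirect_uri": "https://www.example.test/callback"},
}
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"  # assumed endpoint


def start_authorization(env, session, scope="activity"):
    """No authorization yet: build the consent URL and move to step 1."""
    cfg = SETTINGS[env]
    session.update(stage=1, state=secrets.token_urlsafe(16))  # added CSRF guard
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"], "scope": scope,
        "state": session["state"]})


def handle_callback(callback_url, session, exchange_code, now=None):
    """Step 1 -> 2: check the callback, trade the code for tokens, store them."""
    params = parse_qs(urlparse(callback_url).query)
    got = params.get("state", [""])[0].encode()
    want = session.pop("state", "").encode()
    if session.get("stage") != 1 or not want or not secrets.compare_digest(got, want):
        raise ValueError("unexpected or forged callback")
    if "code" not in params:
        raise ValueError("callback carried no authorization code")
    # exchange_code: hypothetical callable that POSTs the code to the token
    # endpoint over TLS and returns the parsed JSON response.
    tokens = exchange_code(params["code"][0])
    now = time.time() if now is None else now
    session.update(stage=2, access_token=tokens["access_token"],
                   refresh_token=tokens["refresh_token"],
                   expires_at=now + tokens["expires_in"])
    return session


def needs_refresh(session, now=None, skew=60):
    """Step 2: true once the stored access token is expired or close to it."""
    now = time.time() if now is None else now
    return session.get("stage") == 2 and now >= session["expires_at"] - skew
```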

11-19-2015 13:37
My application has a requirement: no user direct involvement. Login and button clicks from the Fitbit page are automatic via web browser.
Additional questions:
After I finish with one user and go to the next user, what's the interface to close for the current user? Something like this: oauth2/revoke? How to log out the current user like in the OAuth1 interface: oauth/logout_and_authorize

11-19-2015 14:38
@RobertZh wrote:
My application has a requirement: no user direct involvement. Login and button clicks from the Fitbit page are automatic via web browser.
Additional questions:
After I finish with one user and go to the next user, what's the interface to close for the current user? Something like this: oauth2/revoke? How to log out the current user like in the OAuth1 interface: oauth/logout_and_authorize

The Fitbit Web API *always* requires a person to give your app consent. Your app cannot sign a person out of fitbit.com.

11-19-2015 14:41
@RobertZh wrote:
Thank you for your quick reply. But we do still need a redirect URI. What I need to do: in my web browser control, 1) open the user login page with a URI having scope, client_id etc.; after successful login, the scope grant page comes up, 2) then click the 'allow' button. I hope the next webpage contains the authorization code. I can then extract the code from the page, like what I did to get the PIN code on OAuth1.
How can I implement this without a redirect URI?
thanks

Instead of pulling the code out of the page, there is a better way. Register a custom URL handler with your platform.

11-19-2015 15:21
@RobertZh wrote:
After I finish with one user and go to the next user, what's the interface to close for the current user? Something like this: oauth2/revoke? How to log out the current user like in the OAuth1 interface: oauth/logout_and_authorize

OAuth 2 tokens will expire after a set amount of time. If you store the credentials locally, say in a database, if you remove them and you don't store them anywhere else (memcache etc.), then you won't have the authorized details anymore and will need to obtain consent again through authorization.

@RobertZh wrote:
My application has a requirement: no user direct involvement. Login and button clicks from the Fitbit page are automatic via web browser.

The user always has to be logged in to grant consent. If they aren't logged in, there isn't any way for them to give consent. However, OAuth2 gives you the option of using the prompt parameter when authorizing.
https://dev.fitbit.com/docs/oauth2/#authorization-page
If you set prompt=none, as long as they're logged in to the FitBit dashboard, the prompt screen will be skipped, otherwise they will be forced to login. The differences between the 3 are:
- Login will force the user to login and then accept scope
- Consent assumes the user is already logged in and then accept scope
- None assumes the user is already logged in and automatically accepts scope
03-07-2018 14:52
Hello @ibahdanau,
I have the same problem as described above.
Your advice is to "set up your application as a web app".
What exactly do you mean by this? What steps do I need to take?

12-08-2023 05:00
Hi,
I am having this error while connecting it to my web using miniOrange OAuth. Can you please guide me on how I can solve this issue?
Response :
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title></title> <style type="text/css"> body { margin: 0; overflow: hidden; } #mainFrame { position: absolute; left: 0px; top: 0px; width: 100%; height: 100%; } </style> </head> <body> <!--rid=74e5c46c37728ba4efb36cde7744b854:172.22.0.159:5145--> <form target="_top" id="mainForm"> <iframe id="mainFrame" src="https://www.fitbit.com/uk/404" frameborder="0"></iframe> </form> </body> </html>
Invalid response received.

