Thanks!  I temporarily set it up as a desktop app now and will implement the web version later.  I'm successfully getting my user profile back now - so it looks like it is working!

Hi,

I have setup the fitbitApiAuthExampleServlet app locally in eclipse and running it on tomcat. 

I have registered this in fitbit, got customer key and customer secret on dev.fitbit.com. I am using these details on https://dev.fitbit.com/apps/oauthtutorialpage to get Temporary Access Token and Temporary Access Token Secret. Further i am getting the verifier and using it to get the Permanent Access Token and Access Token Secret( ie steps E-F). However I am confused which token and key should be added to the FitbitApiAuthExampleServlet.java to make it work.

No data is appearing in the browser when i run the app on tomcat.

I must be missing something, any suggestion is welcome.

goswamisantanu

The temp token is only required to exchange it for permanent token(steps e-f). Once you exchange your tepm token for permanent token, you'll not need temp token anymore. In fact the temp token will automatically expire once you exchange it for permanent token.

Now, there are at least 4 things you need to store in your DB to make requests to get Futbut user's data are:

1) client key (identifies your app)

2) client key secret(you will be using it to sign requests from your app, store it and don't share it with anyone)

3) permanent access token (identifies Fitbit user you have access to) 

4) permanent access token secret (you will be using it to sign api requests)

Hi,

Let me detail what i did.

1. In the java class, i read the clientConsumerKey and clientSecret from a .properties file.

2. On https://dev.fitbit.com/apps/oauthtutorialpage, i use the above 2 keys to generate the temp access token (after keying in the above keys, a random string and refreshing the timestamp and clicked on 'Send to hurl.it in steps 1 to 4). Then I use the temp tokens to create an url (step 6) and paste it in the browser. The url changes and includes a oauth_verifier. Then I use this verifier, another string and new timestamp in step 8 and generate a set of key by clicking the 'Send to Hurl.it' in step 10. This gets me the 2 permanent keys that I replace in the java code as OAUTH_TOKEN and OAUTH_VERIFIER. 

3. Then i restart the server and hit the url http://<hostname>:8080/FBApp/<servlet-name>

4. I get this error 

SEVERE: Servlet.service() for servlet [FitbitApiAuthExampleServlet] in context with path [/FBApp] threw exception [Exception during performing authorization] with root cause
com.fitbit.api.FitbitAPIException: 401: Authentication credentials were missing or incorrect.
{"errors":[{"errorType":"oauth","fieldName":"oauth_access_token","message":"Invalid signature or token 'X6qxoK4dgY3T43O0dPCdgFUhXT4=' or token '098695064b302d25d327fa496c6307cf'"}],"success":false}

I am using the 4 keys suggested but the outcome is not as expected. Not sure if my callback url is correct and i have selected the app as webapp in application settings.

Can you share a introductory app/tutorial that explains the maximum details.

Thanks in advance,

goswamisantanu

1) good

2) good for testing but not good in production code. You'll need to develop same behavior in your app so it redirects user to appropriate fitbit url and then you'll need to have a servlet that will listen to Fitbit callback request once user clicks allow button.

3) Not sure why you do so. I'm sure thought that server restart is not needed

4) Ther error message means exactly what it says:) The signature your application generating or the token you're using are wrong. On https://dev.fitbit.com/apps/oauthtutorialpage page enter your client key and client secret, then enter you access key and access secret and at the botton it will generate ro your proper signature and proper CURL request that you can use to make sure that request was formed correctly.

Once you'll be able to make requests from that page just compare signature that your code generating and the signature that is generated on the page, they should be the same.

Thank you for your response. Much better this time.

I got the profile.json from https://dev.fitbit.com/apps/oauthtutorialpage. now need to create the servlet which is more required for the production system. 

one query, what is the callback url in the application settings. 

goswamisantanu

The callback url is the url of your servlet that Fitbit will reqirect user to, when user clicks "allow" button.

The URL will be appended with verifier so you can exchange temp access tokens for permanent access tokens.

It works now.

Java client is running and able to fetch data.

Thanks a lot

goswamisantanu

Hi,

I am able to get details from fitbit repository using java code. I assume the data is fetched in json format and then parsed into java objects when using the fitbit API.

My requirement is to fetch the json dataset, with which intend to various processing. 

Can you point me some good tutorial/code/documentation.

Thank you,

goswamisantanu

Fitbit API does not returns data in pure java objects. Its either returns if back in JSON format or in XML(please not that xml will be deprecated soon).

So you should be able to make regular api request and just read response. The response should be in json format. 

If java library you're using does not supports returning pure json format then you should consider searching for alternative libraries or you may write your own code taht can pull data from Fitbit API.

Hi,

I modified my code to get json data.

Now I have to share it with 5 end-users. The client key and client key secret do not change unless I re-register the app.

When each user authorise my app via the url, will OAuth generate different sets of permanent accesskey & accesssecret for each of them. If so, do you suggest to save the data in a database or some data-structure within the app. 

Also, when user2 authorises after user1, will the authorisation of user1 be lost, and the permanent keys be lost. 

How do I handle this situation ?

thanks in advance,

goswamisantanu

Hi,

I store the entityid, permanent access token and permanent access token secret in db.

I try to create this url 

"https://api.fitbit.com/1/user/"+encodedid+"/profile.json&oauth_consumer_key="+consumer_key
+"&oauth_nonce="+oauth_nonce+"&oauth_signature_method=HMAC-SHA1&oauth_timestamp="+oauth_timestamp
+"&oauth_token="+oauth_token+"&oauth_version=1.0";

where consumer_key (i got it when in registered the app), oauth_nonce and oauth_timestamp are generated on the fly and oauth_token is the permanent access token. i get this error when i run this url 

error being:

{"errors":[{"errorType":"oauth","fieldName":"n/a","message":"No Authorization header provided in the request. Each call to Fitbit API should be OAuth signed"}],"success":false}

1. Am i putting any wrong parameter anywhere.

2. Am i right in assuming the verifier need not be saved for future use. 

3. What is meant by OAuth signed. I am trying to create the string that shows up in the https://dev.fitbit.com/apps/oauthtutorialpage in the last box.

Please suggest.

You should pass parameters in Authorization header, not just as reqular GET parameters. This is why you're getting response the "No Authorization header..." response.

As I've mentioned above in this thread please check this page: https://dev.fitbit.com/apps/oauthtutorialpage

it has complete information with examples how the request shuold be formed.

See here for more details:

http://oauth.net/core/1.0a/#consumer_req_param

Fitbit is using approach described in 5.4(http://oauth.net/core/1.0a/#auth_header)

Hi 

Please provide me an example Authorisation header will  look like. Do not share any tokens/secrets, instead use placeholders.

Probably I am mistaking between the 'base string' and 'api request curl'. Do i need to create either of them. also how do i get auth-signature parameter into code.

thank you

goswamisantanu

Hi,

Based on your wiki, I am creating the Authorization headers as shown. But i am unable to get the oauth_signature value. It is not part of the request headers, i do not get it as req.getHeaders().

How do I get one from within my code. I know it can be seen in the CURL script but how do i get it in the code.

Any pointer will be helpful

thank you,

goswamisantanu

Hi Ivan,

I am creating the auth header as suggested by Chen. I am unable to get the oauth_signature in my code. how do i create that. 

please suggest.

Thank you,

santanu