help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can we remove subscriptions on OAuth 2.0 for invalid refresh tokens

‎02-22-2016 18:33

‎02-22-2016 18:33

Hello Fitbit Team,

I am experiencing an intermitent problem where some of my members get an invalid refresh token that cannot be used to refresh the expired token anymore. I am using a distributed lock each time we get a new token and we allways roll back (fail the save and we delete subscriptions) if for whatever reason we cannot save valid ones. Still, we get some random "invalid" refresh tokens. While I am investigating why this is happening, I have a question for you: Is it possible to remove subscriptions for members that have these "invalid" refresh tokens and expired tokens? Making the DELETE https://api.fitbit.com/1/user/-/[collection-path]/apiSubscriptions/[subscription-id].json fails due to invalid/expired token. Is there a work-arround this, by any chance? Can I somehow be able to delete a subscription for a member that has invalid refresh token, and expired token - so basically no way of refreshing it? I noticed that asking members to re-authenticate would, sometimes, result in Conflict when creating the subscriptions so that is the main reason I'd like to get these subscritptions removed.

Best Answer
Labels:
10 REPLIES 10

‎02-23-2016 14:01

‎02-23-2016 14:01

Hello Fitbit team,

Any input regarding how to remove subcriptions without valid token/refresh tokens would be greatly apreaciated. 

Best Answer

‎04-27-2016 12:20

‎04-27-2016 12:20

Hello Fitbit team,

Maybe my question is not very clear. All I am looking for is a way to delete subscriptions ( DELETE https://api.fitbit.com/1/user/-/apiSubscriptions/320.json) but without having valid token. 

Seems like if members manually revoke tokens on Fitbit side - https://www.fitbit.com/user/profile/apps - doesn't also remove the collection of subscriptions we created during the authorization process. Revoking token access, invalidates the tokens so we cannot use then to delete the subscrions collection. Then these users try to pair the Fitbit account to our app again and Fitbit throws a "Conflict" error. Could you please point me to a resource I could use to address this scenario or a workaround for it, or confirm if there is nothing that can be done, at this time, for these scenarios?  

Best Answer

‎04-27-2016 14:42

In response to RoxanaF

‎04-27-2016 14:42

Currently, there is not a way to delete a subscription without a valid access token for that user. We are aware of this limitation and we do hope to provide a better solution, but I don't have an estimate on when it will be available.

 

If the user revokes access to your application, that will delete the subscription.

 

If a user reauthorizes your application, you should be able to delete the subscription with the new access token. You should only be getting a conflict error if you try to create a new subscription with the same subscription name.

Best Answer

‎04-28-2016 07:30

‎04-28-2016 07:30

Thank you @JeremiahFitbit for getting back to me. Please keep us posted if a way to remove subscriptions without member token is build and available. 

If I understand coreclty, if a member revokes access on Fitbit side, that will:

- invalidate the token/refresh token released to our app

- remove all subscriptions on your end that we created on behalf of that member (activities, sleep)

So if the same member (after revoking access) re-enables our app, we should be able to create the same subscriptions without getting a conflict error? Is that correct? If this is the case we could work with that resolution until we get an enpoint that would allow our app to remove subscriptions we cannot process due to invalid tokens.

Roxana

Best Answer
0 Votes

‎04-28-2016 12:11

In response to RoxanaF

‎04-28-2016 12:11

Correct. If a user revokes the app authorization, the subscriptions will also be deleted. So if you then create a new subscription with the previously used name there would no longer be a conflict.

Best Answer
0 Votes

‎05-11-2016 12:34

‎05-11-2016 12:34

We are also seeing subscription updates come in for users where the Refresh Token we have is invalid.  This could have happened when we get a surge of subscription updates for a single user, which we handle as the arrive resulting in the Refresh Token becomming used/invalid and the new token not being saved to our DB.  We have improved this handling on our side, but there are still some that are already invalid the we keep getting subscription updates for. We cannot stop these subscription updates without having the user re-validate or revoke our app's access.

Best Answer
0 Votes

‎07-23-2019 02:06

In response to JeremiahFitbit

‎07-23-2019 02:06

Are we getting solution to this problem any time soon?

Best Answer
0 Votes

‎07-24-2019 12:19

In response to SatyaRanjan

‎07-24-2019 12:19

Hi @SatyaRanjan,

 

It has taken some time, but we were able to push out a fix for this issue mentioned above.

 

If you are still coming across any subscription issues with invalid refresh tokens, please let me know and I'll be happy to look into this further.

 

Best Answer
0 Votes

‎11-09-2020 21:47

In response to JohnFitbit

‎11-09-2020 21:47

Hi John,

 

Can you give some context of the fix you mention above.

 

I've inherited an application where the refresh tokens weren't implemented correctly (at all). We now have a lot of users who we know have stopped using our app but we are continuing to get pings from Fitbit, we'd like to unsubscribe however the access token we have is expired and we cannot get a new one due to the missing refresh token.

 

Having a way to delete a subscription via a service endpoint would be extremely useful, or would there be another way of achieving this?

 

Many thanks,

Sam 

Best Answer

‎01-03-2024 20:29

In response to JohnFitbit

‎01-03-2024 20:29

Hi @JohnFitbit,

Is there any update on this?

Best regards,

Sam

Best Answer