help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Checking Scope

ANSWERED

‎01-18-2016 07:10

‎01-18-2016 07:10

Right now, working on porting an app to use OAuth 2. I managed to get a typical case working, but there's a small case bugging me.

When we redirect to fitbit for a user to authorize us to access their data, they're given a page similar to the one below:
undefined

So long as all the checkboxes are checked, which is the default, we're fine.
It's when they're not checked that we run into issues.

I was wondering if there's a way to see what scopes the user is allowing the application to access in one call, rather than waiting until a call fails due to a missing permission.

Thanks!

Best Answer
Labels:
0 Votes
1 BEST ANSWER

Accepted Solutions

‎01-18-2016 07:29

‎01-18-2016 07:29

And within 15 minutes, found it thanks to a somewhat related post here:
https://community.fitbit.com/t5/Web-API/OAuth-migration-and-heart-rate/m-p/866694#M2484

Turns out that when you grab an access token, the scope that the user gave you comes through as well (even though the scope I sent was "profile settings activity", the result is "profile settings"):

{"user_id"=>"######", "expires_in"=>3600, "scope"=>"profile settings", "refresh_token"=>"******************************", "token_type"=>"Bearer", "access_token"=>"******************************"}

View best answer in original post

Best Answer
0 Votes
5 REPLIES 5

‎01-18-2016 07:29

‎01-18-2016 07:29

And within 15 minutes, found it thanks to a somewhat related post here:
https://community.fitbit.com/t5/Web-API/OAuth-migration-and-heart-rate/m-p/866694#M2484

Turns out that when you grab an access token, the scope that the user gave you comes through as well (even though the scope I sent was "profile settings activity", the result is "profile settings"):

{"user_id"=>"######", "expires_in"=>3600, "scope"=>"profile settings", "refresh_token"=>"******************************", "token_type"=>"Bearer", "access_token"=>"******************************"}
Best Answer
0 Votes

‎01-18-2016 19:33

In response to Shalmezad

‎01-18-2016 19:33

Correct. We send the granted `scope` back to you in the redirect_uri when using the Implicit Grant flow and in the Access Token request response for the Authorization Code flow.

Best Answer
0 Votes

‎04-14-2016 19:24

In response to Shalmezad

‎04-14-2016 19:24

What did you call to get the token hash?

Best Answer
0 Votes

‎04-15-2016 09:39

In response to withinhealth

‎04-15-2016 09:39

My token comes back with "token", "refresh_token", "expires_at", and "expires", but nothing about scope using Authorization Code Grant flow . Nothing about scope. And if a user didn't check off one of the boxes, it doesn't automatically authorize, it goes back and asks them to approve all scopes instead of remembering it. 

Best Answer
0 Votes

‎10-10-2016 02:09

In response to withinhealth

‎10-10-2016 02:09

I'm having the same problem as withinhealth, nothing about scope values in accesstoken response

Best Answer
0 Votes