10-28-2016 08:34
Hello everyone,
Is it possible to get the access_token with Implicit Grant Flow with curl?
curl -X POST -i -H 'Authorization: Basic XXXX' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d "response_type=token" -d "client_id=XXXX" \
  -d "grant_type=authorization_code" \
  -d "scope=activity%20heartrate%20location%20nutrition%20profile%20settings%20sleep%20social%20weight" \
  -d "expires_in=604800" \
  -d "redirect_uri=https%3A%2F%2Fexample.com%2Fcallback-url" \
  https://www.fitbit.com/oauth2/authorize
When I post the information with curl, naturally without the newlines, I now get no access_token.
Response:
HTTP/1.1 302 Found
Date: Fri, 28 Oct 2016 15:24:19 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: __cfduid=d857702b848e69e215ec54085acfca5151477668258; expires=Sat, 28-Oct-17 15:24:18 GMT; path=/; domain=.fitbit.com; HttpOnly
X-UA-Compatible: IE=edge,chrome=1
Set-Cookie: fhttps=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Location: https://www.fitbit.com/login?redirect=%2Foauth2%2Fauthorize%3Fclient_id%3XXXXX%26expires_in%3D604800%26redirect_uri%3Dhttps%253A%252F%252Fexample.com%252Fcallback-url%26response_type%3Dtoken%26scope%3Dactivity%2Bheartrate%2Blocation%2Bnutrition%2Bprofile%2Bsettings%2Bsleep%2Bsocial%2Bweight%26state
Content-Language: de-DE
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 2f8f64d7de0d265a-FRA
11-01-2016 12:15
@pe_Mani_rl The access token will be a url fragment once the app has been authorized by the user.
The reason it's redirecting here:
https://www.fitbit.com/login?redirect [...]
is because there's no user logged in when you're trying to auth.
11-07-2016 02:07
Thank you Andrew for the response,
I must be blind, I can't find any username and password example in RFC 6749 for the Implicit Grant Flow authentication:
GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
is the example for the Implicit Grant Flow authentication. I want to write an explicit Perl library for Fitbit.
At the moment I paste the code from the Authorization Code Grant Flow URL fragment hardcoded in the constructor and save the access_token in a temp file, only for trying my methods. I want to find a better way to get the access_token without saving it in a temp file. Can you support me a little bit? I'm too silly to understand why I can't get the access_token directly with curl, or is it not possible with curl? Or can I set a username and password with curl, and which username and password is meant?
11-08-2016 08:36
@pe_Mani_rl I've never used cURL, but I'm assuming you'll have to do something like this. Once you have a user logged in, you should be able to get an access token, which will be a url fragment (for Implicit Grant Flow).
11-17-2016 02:39
Now it works, thanks, but is it a good idea to use email and password with POST?
Is this secure?
The API documentation says:
Implicit Grant Flow
Fitbit follows the OAuth 2.0 Implicit Code Grant as specified in RFC 6749. Fitbit strongly recommends that you review the specification and use an OAuth client library for your programming language.
The Implicit Code Grant Flow has the following steps: "The Logon Page open"
1. Your application redirects the user to Fitbit's authorization page. See Authorization Page below.
2. Upon user consent, Fitbit redirects the user back to your application's redirect URL with an access token as a URL fragment.
3. Your application stores the access token client side. It will use the access token to make requests to the Fitbit API.
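
The three documented steps above, as an added Perl sketch that is not part of the original thread or Fitbit's own code: the script builds the authorization URL the browser is sent to, then reads the token from the fragment of the redirect and checks the echoed state. The helper names and the sample callback URL are constructed for illustration, and the fragment fields (token_type, expires_in, scope, state) are assumed to follow RFC 6749 section 4.2.2.

```perl
use strict;
use warnings;

# RFC 3986 percent-encoding and form-style decoding, core Perl only.
sub pct_encode { my ($s) = @_; $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge; return $s }
sub pct_decode { my ($s) = @_; $s =~ tr/+/ /; $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge; return $s }

# Step 1: URL the user's browser is sent to. It is a plain GET and carries
# neither a client secret nor the user's Fitbit credentials.
sub authorize_url {
    my (%p) = @_;
    my @order = qw(response_type client_id redirect_uri scope expires_in state);
    return 'https://www.fitbit.com/oauth2/authorize?'
         . join('&', map { $_ . '=' . pct_encode($p{$_}) } @order);
}

# Steps 2 and 3: read the token out of the fragment of the redirect URL.
sub parse_callback {
    my ($url, $expected_state) = @_;
    my ($fragment) = $url =~ /#(.*)\z/s
        or die "no URL fragment in redirect\n";
    my %f;
    for my $pair (grep { length } split /&/, $fragment) {
        my ($k, $v) = split /=/, $pair, 2;
        $f{ pct_decode($k) } = pct_decode($v // '');
    }
    # Reject responses that do not echo the state generated for this request.
    die "state mismatch\n" unless ($f{state} // '') eq $expected_state;
    die "authorization failed: $f{error}\n" if exists $f{error};
    die "no access_token in fragment\n" unless length($f{access_token} // '');
    return \%f;
}

# Unguessable per-request state from the OS random source.
open(my $rng, '<:raw', '/dev/urandom') or die "urandom: $!\n";
read($rng, my $bytes, 16) == 16 or die "short read from urandom\n";
my $state = unpack('H*', $bytes);
print authorize_url(
    response_type => 'token', client_id => 'XXXX',
    redirect_uri  => 'https://example.com/callback-url',
    scope => 'activity heartrate', expires_in => 604800, state => $state,
), "\n";

# Constructed sample of the URL the browser lands on after consent.
my $callback = 'https://example.com/callback-url#access_token=CONSTRUCTED_TOKEN'
             . "&token_type=Bearer&expires_in=604800&scope=activity+heartrate&state=$state";
my $t = parse_callback($callback, $state);
# Report metadata only; the token itself is not printed.
print "token_type=$t->{token_type} expires_in=$t->{expires_in} scope=$t->{scope}\n";
```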