06-14-2018 05:06
Hi,
Fitbit's authorization page lets end-users uncheck scopes that were requested by clients, e.g. disable sharing body weight even though the client requested it.
I have yet to see that behaviour elsewhere. Other mobile health APIs give the end-user an all-or-nothing UI, where the end-user grants every scope or none (off the top of my head, Google Fit, Withings, and Moves do it that way). The main reason for the all-or-nothing approach is to avoid complexity; in Fitbit's current implementation, if the client actually required all those scopes, a partial grant means the client has to (1) realise that happened, (2) treat the approval as a denial, (3) try to explain to the end-user what just happened, and (4) restart the process and hope it doesn't happen again.
Since OAuth 2.0 isn't expressive enough to capture required scopes (https://tools.ietf.org/html/rfc6749#section-3.3), could you either add a parameter in the authorization URL to say that all specified scopes are required, or alternatively go the iHealth route and add a parameter with a separate list of "required scopes"? The first is simpler, the latter more robust. Both are backwards compatible.
The status quo is great for optional scopes but complicates life unnecessarily for required scopes. I think there could be a happy medium.
Thanks,
Emerson
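The four-step client-side dance described in the post above (detect the partial grant, treat it as a denial, explain it, restart) is what any client talking to an authorization server that allows per-scope opt-out has to implement. The following is an added example, not code from the original post or from Fitbit: it implements the detection and explanation steps against a standard RFC 6749 token response. It relies on section 5.1 of that RFC, which makes the `scope` parameter in the token response optional only when the granted scope is identical to what was requested and required otherwise, so an absent `scope` means "everything requested was granted". The scope names, the token response bodies and the `REQUESTED`/`REQUIRED` sets are constructed sample values.

```python
"""
Client-side detection of partial OAuth 2.0 scope grants.

Added example (not Fitbit's code, not the poster's code). Assumes an
RFC 6749 token response: if `scope` is present, it is a space-delimited
list of the scopes actually granted; if absent, the granted scopes are
identical to the requested ones (RFC 6749 section 5.1).
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class GrantDecision:
    ok: bool                      # True only when every required scope was granted
    granted: frozenset            # scopes the user actually approved
    missing_required: frozenset   # required scopes the user unchecked -> treat as denial
    missing_optional: frozenset   # optional scopes the user unchecked -> proceed anyway


def parse_scope(scope_value):
    """Split an RFC 6749 scope string (space-delimited tokens) into a set."""
    if not scope_value:
        return frozenset()
    return frozenset(scope_value.split())


def evaluate_grant(token_response, requested, required):
    """Compare the granted scopes in a token response against what the client needs.

    `requested` is the full scope list sent in the authorization request;
    `required` is the subset without which the client cannot function.
    """
    requested = frozenset(requested)
    required = frozenset(required)
    if not required <= requested:
        # A client cannot require a scope it never asked for.
        raise ValueError("required scopes must be a subset of requested scopes")

    if "scope" in token_response:
        granted = parse_scope(token_response["scope"])
    else:
        # RFC 6749 5.1: omitted `scope` means identical to the requested scope.
        granted = requested

    missing_required = required - granted
    missing_optional = (requested - required) - granted
    return GrantDecision(
        ok=not missing_required,
        granted=granted,
        missing_required=missing_required,
        missing_optional=missing_optional,
    )


def evaluate_token_json(body, requested, required):
    """Same check, starting from the raw JSON body of the token endpoint response."""
    return evaluate_grant(json.loads(body), requested, required)


def explain_decision(decision):
    """Step (3) from the post: a user-facing sentence about what went wrong."""
    if decision.ok:
        return "All required permissions were granted."
    names = ", ".join(sorted(decision.missing_required))
    return (
        "The app cannot continue because these required permissions were not "
        "granted: " + names + ". Please re-authorize and leave them enabled."
    )


if __name__ == "__main__":
    # Constructed sample values; scope names are illustrative only.
    REQUESTED = {"activity", "weight", "profile", "sleep"}
    REQUIRED = {"activity", "weight"}

    partial = '{"access_token": "tok", "token_type": "Bearer", "scope": "activity profile"}'
    decision = evaluate_token_json(partial, REQUESTED, REQUIRED)
    print(decision.ok, sorted(decision.missing_required))
    print(explain_decision(decision))
```

The point of separating `missing_required` from `missing_optional` is that a client should only restart the flow (step 4) for the former; unchecking an optional scope is exactly the behaviour the opt-out UI is meant to allow, and the client should degrade gracefully rather than nag the user.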
06-20-2018 03:08
Any takers?

07-02-2018 15:51
Hi @emersonfarrugia,
Fitbit has a long-standing commitment to privacy and data protection. We want our users to control their data and how applications access it. I can submit your enhancement request to the appropriate team for review. There is no guarantee we will be able to provide support for either option as we are required to abide by several data protection laws.
In the meantime, you can inform your customers that your application requires the use of certain scopes, and you highly suggest they enable all listed scopes for the best user experience.
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google

07-03-2018 01:29 - edited 07-03-2018 01:30
Hi @Gordon-C,
Re: data protection laws, the suggestions still give customers the right of refusal, just not at such a granular level as to cause headaches for app developers and the customers themselves. Fitbit's competitors are also required to abide by data protection laws, and offer this functionality without any issue.
Re: informing customers, we do, but any additional badgering hurts UX.