
Disabling scope changes

Hi,


Fitbit's authorization page lets end-users uncheck scopes that were requested by clients, e.g. disable sharing body weight even though the client requested it.


I have yet to see that behaviour elsewhere. Other mobile health APIs give the end-user an all or nothing UI, where the end-user grants every scope or none (off the top of my head, Google Fit, Withings, and Moves do it that way). The main reason for the all or nothing approach is to avoid complexity; in Fitbit's current implementation, if the client actually required all those scopes, a partial grant makes (1) the client have to realise that happened, (2) treat the approval as a denial, (3) try to explain to the end-user what just happened, and (4) restart the process and hope it doesn't happen again.


Since OAuth 2.0 isn't expressive enough to capture required scopes (https://tools.ietf.org/html/rfc6749#section-3.3), could you either add a parameter in the authorization URL to say that all specified scopes are required, or alternatively go the iHealth route and add a parameter with a separate list of "required scopes"? The first is simpler, the latter more robust. Both are backwards compatible.


The status quo is great for optional scopes but complicates life unnecessarily for required scopes. I think there could be a happy medium.


Thanks,

Emerson
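An added example, not from the original post or from Fitbit: a client-side check that reads the granted scopes out of the token response and treats a grant missing any required scope as a denial, which is the detection step (1) and (2) above describe. The scope names, the required/optional split and the token response are constructed for illustration.

```python
"""Detect a partial OAuth 2.0 scope grant from a token response (RFC 6749 s5.1:
the server includes "scope" when the grant differs from the request)."""
import json
from dataclasses import dataclass, field


@dataclass
class GrantDecision:
    accepted: bool
    missing_required: frozenset = field(default_factory=frozenset)
    missing_optional: frozenset = field(default_factory=frozenset)


def granted_scopes(token_response: dict, requested: set) -> set:
    """Scopes the user actually approved, per the token response."""
    scope_value = token_response.get("scope")
    if scope_value is None:
        # Omitted "scope" means granted == requested (RFC 6749 s5.1).
        return set(requested)
    # Scope is a space-delimited, case-sensitive list (RFC 6749 s3.3).
    return set(scope_value.split())


def evaluate_grant(token_response: dict, required: set, optional: set) -> GrantDecision:
    """Treat a grant missing any required scope as a denial.

    The client must decide this itself: OAuth 2.0 gives it no way to tell
    the server which requested scopes are mandatory.
    """
    granted = granted_scopes(token_response, required | optional)
    missing_required = frozenset(required - granted)
    return GrantDecision(
        accepted=not missing_required,
        missing_required=missing_required,
        missing_optional=frozenset(optional - granted),
    )


# Constructed sample: the app needs activity and weight; heartrate is optional.
REQUIRED = {"activity", "weight"}
OPTIONAL = {"heartrate"}
# Constructed token response in which the user unchecked "weight".
SAMPLE_RESPONSE = json.loads(
    '{"access_token": "<constructed>", "token_type": "Bearer", "scope": "activity heartrate"}'
)

if __name__ == "__main__":
    print(evaluate_grant(SAMPLE_RESPONSE, REQUIRED, OPTIONAL))
```

When `accepted` is false the client should discard the token and restart authorization rather than call the API, since requests needing the missing scope would fail anyway.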


Any takers?


Hi @emersonfarrugia,


Fitbit has a long-standing commitment to privacy and data protection. We want our users to control their data and how applications access it. I can submit your enhancement request to the appropriate team for review. There is no guarantee we will be able to provide support for either option as we are required to abide by several data protection laws.


In the meantime, you can inform your customers that your application requires the use of certain scopes, and you highly suggest they enable all listed scopes for the best user experience.

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google

Hi @GordonFitbit,


re: data protection laws, the suggestions still give customers the right of refusal, just not at such a granular level as to cause headaches for app developers and the customers themselves. Fitbit's competitors are also required to abide by data protection laws, and offer this functionality without any issue.


re: informing customers, we do, but any additional badgering hurts UX.
