Fitbit Authorization page will not keep me logged in, every time the app starts up

My app user has entered the account information and logged in with the Keep logged in check box on the Authorization page, but every time the app is launched and the Authorization page is displayed, the user is prompted to enter the account information.

This phenomenon is occurring only for some app users.

The app has used Implicit Grant Flow as the authentication method.

In order to avoid this problem, could you tell me the conditions under which the account information input screen is displayed every time and how to avoid it?

Best regards,
Aki


Hi @AkiTC,

Welcome to the forums! 

Because of how the Implicit Grant Flow is designed, this would be the expected user experience for consenting to share data with 3rd party applications. When an access_token expires under the Implicit Grant Flow, the user must go through the authorization flow to grant access again, resulting in a less than ideal user experience.

I recommend switching over to the Authorization Code Grant Flow, which allows your application to manage the access tokens on the backend. When the access token expires, your application will use what's called a "refresh token" to obtain a new access token and refresh token pair to extend access to the user's data. This prevents the Fitbit user from having to log in and consent each time as opposed to the Implicit Grant Flow. Also note that the Implicit Grant Flow is not a recommended authorization flow as it's not as secure as the Authorization Code Grant Flow.

Alternatively, the way you set up your authorize url could be causing the user to log in and consent each time. If your authorize url contains "prompt=login consent", then you are forcing your Fitbit user to login and consent each time.

I hope this helps. Let me know if you have any questions.

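The two points in the reply above (backend-managed tokens under the Authorization Code Grant Flow, and not forcing `prompt=login consent` in the authorize URL), as an added Python example that is not part of this thread or of Fitbit's own code. The endpoint URLs are assumed from Fitbit's public OAuth2 documentation; the token store refreshes early and keeps the rotated refresh token, which is the step that breaks "stay logged in" when it is skipped.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Fitbit OAuth2 endpoints, assumed from Fitbit's public docs (not from this thread).
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"
TOKEN_URL = "https://api.fitbit.com/oauth2/token"

def build_authorize_url(client_id, redirect_uri, scope, state):
    # Authorization Code request: response_type=code (Implicit would be "token").
    # No prompt=login consent, so an already logged-in, consented user is not re-asked.
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def forces_reauth(authorize_url):
    # True when the URL carries the prompt=login consent setting the reply warns about.
    prompt = parse_qs(urlparse(authorize_url).query).get("prompt", [""])[0]
    return {"login", "consent"} <= set(prompt.split())

def post_token(form, client_id, client_secret):
    # Real transport: Fitbit's token endpoint takes HTTP Basic client credentials.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = Request(TOKEN_URL, data=urlencode(form).encode(), method="POST",
                  headers={"Authorization": "Basic " + creds,
                           "Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.loads(resp.read())

class TokenStore:
    # Backend-held pair. Fitbit issues a new refresh token on every refresh and
    # invalidates the old one, so the new pair must be persisted immediately.
    def __init__(self, tokens, client_id, client_secret, post=post_token, now=time.time):
        self.tokens = tokens  # {"access_token", "refresh_token", "expires_at"}
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.now = post, now  # injectable for offline tests

    def access_token(self):
        if self.now() >= self.tokens["expires_at"] - 60:  # refresh a minute early
            form = {"grant_type": "refresh_token",
                    "refresh_token": self.tokens["refresh_token"]}
            new = self.post(form, self.client_id, self.client_secret)
            self.tokens = {"access_token": new["access_token"],
                           "refresh_token": new["refresh_token"],
                           "expires_at": self.now() + new["expires_in"]}
        return self.tokens["access_token"]
```

Persist `store.tokens` to your backend's storage after every call; the user only sees the Fitbit login page again if the refresh token itself has been lost or revoked.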

Hi @JohnFitbit 

Thank you for replying.

I would like to apply Authorization Code Grant Flow to my app if possible.

But the app is live and is still being used by users.

Is it necessary to suspend users' app usage in order to make app modifications and switch authentication methods?

Is it possible to switch authentication methods without stopping users from using the app?

Best regards,
Aki


Thanks a lot for this explanation! I've recently faced the same issue and I'm looking for a solution. I'd start with using the Authorization Code Grant Flow.
