Force a user to confirm scopes and login during OAuth 2.0 authentication

ANSWERED

If a user goes through OAuth authentication using a browser where there is already a FitBit account logged in, then it will automatically log that user into the already logged in account without prompting them to confirm it is their account, and more problematically, without confirming the requested scope permissions.

This has previously been answered here: https://community.fitbit.com/t5/Web-API-Development/Is-there-a-way-to-force-user-to-login-again-for-... where it was suggested that one can use the "prompt" query parameter in the authentication request. However, there is no documentation for this, as it does not appear anywhere in the OAuth 2.0 Authorization page, despite the above answer saying it does. I have tried using "prompt=login" and that did nothing, but that was simply a guess at the correct value to use.

Is this functionality still available? And if so, is there any documentation for it? If not, please could you give me suggestions on how I might be able to achieve this?

If it is not possible to do so, then one could potentially exploit this, as changing scopes does not re-prompt the user to confirm them. So one could request very basic scopes, which the user agrees to (or not), and then re-send the request with all scopes, and the browser will automatically confirm these scopes without the user actually agreeing to them.

Thanks in advance!

Accepted Solutions

Hi @Mick17

Yes, this functionality is still available. We have it documented on the authorize endpoint page at https://dev.fitbit.com/build/reference/web-api/authorization/authorize/

Gordon

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
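As an added illustration of the two points raised in this thread (this is example code, not code from the thread, from Fitbit or from the linked reference), the block below builds an authorize request that carries the `prompt` parameter so the user is asked to confirm the requested scopes even when a Fitbit session already exists, binds the request with `state` and PKCE, checks the callback, and finally compares the scopes in the token response against the scopes that were requested, so that an app never silently ends up with a different grant than it asked for. The authorize URL and the `prompt` value name `consent` are taken from the Fitbit authorize reference linked in the answer and should be verified against the current version of that page; the client ID, redirect URI and callback URL are made-up placeholders, and the scope list is only a sample.

```python
"""Build a Fitbit OAuth 2.0 authorization request that forces re-consent,
then verify the callback and the scopes actually granted.

Example code, not part of the original thread or the Fitbit docs.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorize endpoint as listed on the Fitbit authorize reference page
# (assumption: check the current page before relying on it).
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"


def generate_pkce(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method.

    A fixed verifier may be passed in for testing; otherwise a random one
    of 86 URL-safe characters (within the 43..128 limit) is generated.
    """
    if verifier is None:
        verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge,
                        prompt="consent"):
    """Assemble the authorization request.

    prompt="consent" asks the authorization server to show the scope
    confirmation screen even if the browser already holds a Fitbit session;
    pass prompt=None to omit the parameter and fall back to default behaviour.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,               # CSRF binding, checked on the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if prompt:
        params["prompt"] = prompt
    return AUTHORIZE_URL + "?" + urlencode(params)


def authorize_params(url):
    """Parse the query string of an authorize URL into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def validate_callback(callback_url, expected_state):
    """Return the authorization code, or None if state is missing or wrong.

    A mismatched state means the callback was not produced by a request this
    client started (CSRF / login-confusion); the code must not be exchanged.
    """
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [None])[0]
    code = q.get("code", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        return None
    return code


def granted_scope_mismatch(token_response, requested_scopes):
    """Compare the token response's space-separated "scope" string with what
    was requested. Returns (missing, unexpected); both empty means the grant
    matches the request exactly. Treat any difference as a reason to stop
    and re-run authorization with prompt="consent" rather than proceed.
    """
    granted = set(token_response.get("scope", "").split())
    requested = set(requested_scopes)
    return requested - granted, granted - requested


if __name__ == "__main__":
    # Constructed walk-through with placeholder values.
    state = secrets.token_urlsafe(16)
    verifier, challenge = generate_pkce()
    url = build_authorize_url("CLIENT_ID_PLACEHOLDER", "https://app.example/cb",
                              ["profile", "heartrate"], state, challenge)
    print(url)
    # A constructed token response carrying one scope the app never asked for.
    print(granted_scope_mismatch({"scope": "profile heartrate sleep"},
                                 ["profile", "heartrate"]))
```

The last check is the practical answer to the scope-escalation worry in the question from the app's side: whatever the consent screen did or did not show, the `scope` field of the token response is the authoritative record of what was granted, and an app that only stores the token without reading that field cannot tell the difference.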


Great! I didn't see this documentation, I will give it a try, thanks!
