If a user goes through OAuth authentication using a browser where there is already a FitBit account logged in, then it will automatically log that user into the already logged in account without prompting them to confirm it is their account, and more problematically, without confirming the requested scope permissions.

This has previously been answered here: https://community.fitbit.com/t5/Web-API-Development/Is-there-a-way-to-force-user-to-login-again-for-... where it was suggested that one can use the "prompt" query parameter in the authentication request. However, there is no documentation for this as it does not appear anywhere in OAuth 2.0 Authorization page, despite the above answer saying it does. I have tried using "prompt=login" and that did nothing, but that was simply a guess at the correct value to use.

Is this functionality still available? And if so, is there any documentation for it? If not, please could you give me suggestions on how I might be able to achieve this?

If it is not possible to do so then one could potentially exploit this, as changing scopes does not re-prompt the use to confirm them. So one could request very basic scopes, which the user agrees to (or not), and then re-send the request with all scopes and the browser will automatically confirm these scopes without the user actually agreeing to them.

Thanks in advance!