01-06-2022 23:30
If a user goes through OAuth authentication using a browser where there is already a FitBit account logged in, then it will automatically log that user into the already logged in account without prompting them to confirm it is their account, and more problematically, without confirming the requested scope permissions.
This has previously been answered here: https://community.fitbit.com/t5/Web-API-Development/Is-there-a-way-to-force-user-to-login-again-for-... where it was suggested that one can use the "prompt" query parameter in the authentication request. However, there is no documentation for this as it does not appear anywhere in OAuth 2.0 Authorization page, despite the above answer saying it does. I have tried using "prompt=login" and that did nothing, but that was simply a guess at the correct value to use.
Is this functionality still available? And if so, is there any documentation for it? If not, please could you give me suggestions on how I might be able to achieve this?
If it is not possible to do so then one could potentially exploit this, as changing scopes does not re-prompt the user to confirm them. So one could request very basic scopes, which the user agrees to (or not), and then re-send the request with all scopes and the browser will automatically confirm these scopes without the user actually agreeing to them.
Thanks in advance!
01-12-2022 12:22
Hi @Mick17
Yes, this functionality is still available. We have it documented on the authorize endpoint page at https://dev.fitbit.com/build/reference/web-api/authorization/authorize/.
Gordon
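As an added illustration of the client side of this thread (not code from Fitbit or from either poster), here is a small set of OAuth 2.0 authorization-code helpers: one builds the authorize request and sends the `prompt` parameter the question asks about, one validates the redirect callback's `state`, and one compares the scope the token endpoint reports against the scope the client actually requested, which is the check that surfaces the silent scope expansion described in the question. The authorize endpoint URL is the one on the documentation page Gordon links; the `prompt` values (`consent`, `login`) and the PKCE parameters are assumed from that page and should be verified against it. The client id, redirect URI and token response are constructed placeholders.

```python
"""Hypothetical OAuth 2.0 client helpers for the Fitbit authorize flow (added example)."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Fitbit's authorize endpoint as documented on the page linked in the answer above;
# verify against that page before relying on it.
AUTHORIZE_ENDPOINT = "https://www.fitbit.com/oauth2/authorize"


def make_pkce_pair():
    """Return a (code_verifier, code_challenge) pair using the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, state, prompt="consent", code_challenge=None):
    """Build the authorization request URL.

    `prompt` is sent only when non-empty. The value "consent" is assumed (from the
    linked docs) to force the scope screen even when the browser already holds a
    logged-in Fitbit session, which is the behaviour the question is after.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    if prompt:
        params["prompt"] = prompt
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect, rejecting a missing or
    mismatched state (CSRF protection) and provider-reported errors."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch; discarding callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def callback_is_valid(callback_url, expected_state):
    """Boolean wrapper around parse_callback for callers that only need accept/reject."""
    try:
        parse_callback(callback_url, expected_state)
        return True
    except ValueError:
        return False


def check_granted_scope(requested_scopes, token_response):
    """Compare the scope the token endpoint reports against what this request asked for.

    Returns (missing, extra). Extra scopes mean the token carries more access than this
    flow requested; a careful client logs and reviews that instead of silently using it.
    """
    granted = set(token_response.get("scope", "").split())
    requested = set(requested_scopes)
    return requested - granted, granted - requested


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    requested = ["activity", "heartrate"]
    url = build_authorize_url("CLIENT_ID_PLACEHOLDER", "https://example.test/callback",
                              requested, state, prompt="consent", code_challenge=challenge)
    print(url)
    # Constructed token response, not real Fitbit output.
    token_response = {"access_token": "constructed", "scope": "activity heartrate sleep"}
    print(check_granted_scope(requested, token_response))
```

The `state` value must be generated per request and stored server-side (or in a signed cookie) until the callback arrives; comparing it with `hmac.compare_digest` avoids a timing side channel on the comparison. The scope comparison is the defensive counterpart of the concern raised in the question: whatever the authorization server does about re-prompting, the client should only ever act on the scopes it knowingly asked for.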
01-13-2022 00:14
Great! I didn't see this documentation, I will give it a try, thanks!