
How do i know which user called the oauth2 callback?

ANSWERED

Hey guys,

I got a Charge HR for Christmas and am now developing a small analytics app.
Server side is Node.js / Express / MongoDB while the client side is mainly Angular (single page app).
Authentication is completely stateless and works by including tokens in the request headers.

I am using this plugin to handle fitbit+oauth2 for me: https://github.com/peebles/fitbit-oauth2 and implemented the following workflow:

1. User creates an account at my app in the signup form
2. My API returns the login token and the Fitbit auth URL
3. My app redirects the user with window.location to the Fitbit auth URL
4. User grants access
5. Redirect to callback URL

But there is the problem: how do I know which user called the callback?

var express = require('express');
var Fitbit = require('fitbit-oauth2');   // the plugin linked above
var config = require('./config');        // app's own settings file (client id/secret, redirect URI)
var app = express();
var fitbit = new Fitbit(config.fitbit);  // constructed as shown in the plugin README

app.get('/fitbit_callback', function(req, res, next) {
  console.log(req);                      // debugging: dump the whole incoming request
  var code = req.query.code;             // ?code=... appended by Fitbit's redirect
  fitbit.fetchToken(code, function(err, token) {
    if (err) return next(err);
    // Persist the token in the proper user... how???
    // (nothing in the callback says which of my users started this flow)
  });
});


I appreciate your help 🙂

Best,
Tim

8 REPLIES

When using the Authorization Code Grant Flow, the Fitbit user_id is returned in the Access Token Request.

When using the Implicit Grant flow, the Fitbit user_id is returned as a parameter in the hash query of the redirect URI.

0 Votes

I saw the user_id, but I can't map it to my own user. Can I add custom parameters to the callback URL somehow (is this supported by the API? I think I read somewhere that it had to match the one I specified in the app config on the Fitbit site)?

0 Votes

Most apps would use their own session management or a client cookie for that.

OAuth 2 also provides the 'state' parameter when sending people to the authorization page.

0 Votes

State parameter did the trick, thank you.

0 Votes

I am passing a state parameter to the Fitbit OAuth. But when the request comes back, the state has been changed from a word to a very long string of letters and numbers. I would expect it to be returned verbatim. What am I doing wrong?

0 Votes

Started GET "/users/auth/fitbit?state=i_can_step" for ::1 at 2016-04-14 11:19:33 -0400

Started GET "/users/auth/fitbit/callback?state=3fe63379b910e743be86afe824159c962a6168065c26f4cd&code=270af5fd4eadf898b5fcdc226378188668363268" for ::1 at 2016-04-14 11:19:59 -0400

0 Votes

Anyone?

0 Votes

Thank you for the information!

0 Votes