06-13-2022 13:36
Hi! I am creating a family application that will be able to retrieve the data of all the members of my family. The first step was to create a website that receives the access code. How would my app know who owns that code? Is there any resource where I can send the Authorization Code and get the user information (email) as a response?
06-14-2022 07:52
Hi @JAJG
There are 2 methods that I can think of that will allow you to know which users have consented to share data with your application.
1. During consent, your application can request the profile scope. If this scope is enabled, then you can use the Get Profile endpoint to find out the name of the person associated with the Fitbit user id. Information available through the Get Profile is only as good as what the user entered when setting up their account. And it is also regulated by the user's own privacy settings.
2. You can have the users create an account in your application. Once signed in, they can initiate the authorization flow. Once completed, you can associate your application's account with the Fitbit account.
Gordon
06-14-2022 08:49
Thank you @Gordon-C
My app uses:
Flow type: Authorization Code Flow
Authorization URL: https://www.fitbit.com/oauth2/authorize?response_type=code&client_id=...
Redirect URI: my website (this is "my app").
My website saves the access code (thanks to the Redirect URI), but I don't know which user generates the access code.
I currently use the number one option you recommend. But the problem with this option is that if any user that does not belong to my family obtains the Authorization URL, it will generate an access code and it will be saved in my database, and I will not know who generated it until I apply the entire authentication flow (OAuth 2.0) and obtain the profile.
That's why I asked if there is any mechanism to obtain the user's email that generates an access code. That way I could validate if the email belongs to my family group and:
06-16-2022 08:19
Hi @JAJG
We do not have the ability to expose the user's email address through the Web APIs. Since you're building your application for your family, you could ask each of them to provide you with their Fitbit user id, which you could validate against during authorization. Your family members can find their user id by following these instructions: https://dev.fitbit.com/build/reference/web-api/troubleshooting-guide/common-solutions/#Fitbit-user-h.... When you receive the initial access token, you will be provided with the user's access token. See https://dev.fitbit.com/build/reference/web-api/authorization/oauth2-token.
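The two suggestions in this thread (sign in to your own app first, then validate the Fitbit user id during authorization) can be combined in the redirect handler. The sketch below is an added example, not code from any poster or from Fitbit; it assumes the token endpoint's JSON response carries a `user_id` field, and the account names, ids and function names are hypothetical.

```python
import hashlib, hmac, json, secrets

# Constructed sample data: app account -> Fitbit user id each relative gave you.
EXPECTED_FITBIT_ID = {"mom": "ABC123", "dad": "DEF456"}
STATE_KEY = secrets.token_bytes(32)  # server-side secret (hypothetical name)


def _tag(msg: str) -> str:
    return hmac.new(STATE_KEY, msg.encode(), hashlib.sha256).hexdigest()


def make_state(app_account: str) -> str:
    """Value for the authorize URL's state parameter, bound to the signed-in account."""
    msg = f"{app_account}.{secrets.token_urlsafe(16)}"
    return f"{msg}.{_tag(msg)}"


def state_is_valid(state: str, app_account: str) -> bool:
    """True only if this server issued the state for this app account."""
    msg, _, tag = state.rpartition(".")
    account = msg.rpartition(".")[0]
    return (hmac.compare_digest(tag.encode(), _tag(msg).encode())
            and account == app_account)


def handle_callback(state: str, app_account: str, token_json: str, store: dict) -> str:
    """Run right after exchanging the code at the token endpoint.

    token_json is the token endpoint's JSON body. Nothing is persisted
    until both checks pass, so a stranger's code never reaches the database.
    """
    if not state_is_valid(state, app_account):
        return "rejected: state mismatch"
    resp = json.loads(token_json)
    expected = EXPECTED_FITBIT_ID.get(app_account)
    if expected is None or resp.get("user_id") != expected:
        return "rejected: unexpected Fitbit user"  # discard tokens, store nothing
    store[app_account] = {"fitbit_user_id": expected,
                          "access_token": resp["access_token"],
                          "refresh_token": resp["refresh_token"]}
    return "linked"
```

Exchange the authorization code immediately in the redirect handler rather than saving it, then pass the response body to `handle_callback`.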