I want to revoke or expire client access tokens but it's not working

ANSWERED

I found a lot of posts about tokens being revoked unexpectedly, but I have the opposite problem.

I'm trying to write my app to deal gracefully with the case where a token is revoked or expires -- specifically I want to use the refresh token at that moment and try again with the new access token. But no matter what I try I can't force that situation.

Clicking the "Revoke Client Access Tokens" button on https://dev.fitbit.com/apps/details/XXXX doesn't work -- after I do this, my app can still fetch /1/user/-/profile.json just fine. Likewise, setting expires_in=10 when getting the auth token in the first place doesn't seem to work; even after a few hours the app fetches using the old token just fine.

My setup: Ruby, oauth2 gem, AuthCode strategy (Authorization flow).

Update: I found a way to revoke access to the app as an individual user -- click "Revoke Access" on https://www.fitbit.com/user/profile/apps -- but it's still weird that the "Revoke Client Access Tokens" button on https://dev.fitbit.com/apps/details/XXX doesn't do anything.

Also, the docs at https://dev.fitbit.com/docs/oauth2/#authorization-page for expires_in are ambiguous -- are those sample values, or (as I now suspect) are they the *only possible* values? I.e. that one day is the minimum value for expires_in? If the latter, please update the docs to make that clear.

Accepted Solutions

A "client access token" is different from a "user access token".

Client access tokens are access tokens that do not have a user associated with them. There are a few endpoints that clients (i.e. your app) can make requests to on their own behalf, instead of on behalf of a Fitbit user. The vast majority of endpoints on the Fitbit Web API require a user access token. Unless you've been told by Fitbit to use a client access token, you're probably not using them in your app.

In order to revoke a user access token, one of the following has to happen:

  1. The user themself goes to https://www.fitbit.com/user/profile/apps and revokes access.
  2. Your app revokes its own access to the user using the Revoke Access Token endpoint.
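As an added example (not code from the original thread), here is the refresh-and-retry handling the question asks for, in Ruby as in the poster's setup but with the HTTP layer injected instead of the oauth2 gem so it runs offline; FitbitSession, StubFitbitApi and the stub's responses are hypothetical. A 401 is treated as "access token expired or revoked" and only the refresh call decides which: a rejected refresh means the grant itself is gone (the user clicked "Revoke Access", or the app called the Revoke Access Token endpoint), so the app must discard its stored tokens and send the user through the authorization flow again instead of retrying. The injected http object is assumed to respond to get(path, bearer) and refresh(refresh_token), each returning [status, parsed_body].

```ruby
# Added example, not code from the thread: a refresh-once-and-retry wrapper for
# the poster's Ruby setup. HTTP is injected so it runs offline; names are hypothetical.
class TokenRevokedError < StandardError; end
class FitbitSession
  attr_reader :access_token, :refresh_token
  def initialize(http, access_token:, refresh_token:)
    @http, @access_token, @refresh_token = http, access_token, refresh_token
  end
  # A 401 covers both an expired and a revoked access token: refresh once and retry.
  # Other statuses (rate limit, server error) are not a reason to spend a refresh token.
  def get(path)
    status, body = @http.get(path, @access_token)
    return body if status == 200
    raise "unexpected HTTP #{status}" unless status == 401
    refresh!
    status, body = @http.get(path, @access_token)
    raise "still unauthorized after refresh (HTTP #{status})" unless status == 200
    body
  end
  # Refresh success means the access token had merely expired. Failure (invalid_grant)
  # means the grant is gone, e.g. the user revoked access: drop tokens, re-authorize.
  def refresh!
    status, body = @http.refresh(@refresh_token)
    if status == 200
      @access_token = body["access_token"]
      @refresh_token = body["refresh_token"] # refresh tokens rotate: persist the new pair
    else
      @access_token = @refresh_token = nil
      raise TokenRevokedError, "refresh rejected (HTTP #{status}); re-authorize the user"
    end
  end
end

# Constructed stand-in for the Fitbit API so the logic above can run offline.
class StubFitbitApi
  def initialize(valid_access:, valid_refresh:)
    @valid_access, @valid_refresh = valid_access, valid_refresh
  end
  def get(_path, bearer)
    bearer && bearer == @valid_access ? [200, { "user" => { "displayName" => "Test" } }] : [401, {}]
  end
  def refresh(refresh_token)
    return [400, { "errors" => [{ "errorType" => "invalid_grant" }] }] unless refresh_token && refresh_token == @valid_refresh
    @valid_access, @valid_refresh = "access-2", "refresh-2"
    [200, { "access_token" => "access-2", "refresh_token" => "refresh-2" }]
  end
  def revoke_user! # simulates "Revoke Access" on https://www.fitbit.com/user/profile/apps
    @valid_access = @valid_refresh = nil
  end
end
```

Persisting the rotated refresh token after every successful refresh is what keeps the expired-token path working across restarts; the revoked path is the one that needs a fresh authorization.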


I had the same issue with revoking all client access tokens as well... I clicked the link, entered the date, clicked submit and bam.... nothing... checked out a Fitbit user that had authorised our app access and it still had the access token there.  Can someone from Fitbit please confirm what is meant to happen when Manage My Applications > edit Application > Revoke Client Access Tokens is clicked and confirm that it is working as expected?
