Implicit grant flow and client secret

ANSWERED

Hi,

I am developing an iOS app that connects to Fitbit and I chose the "Implicit Grant" flow for this (assuming it was the correct choice).

The Fitbit debug tool has generated the following link (removed id and app name): https://www.fitbit.com/oauth2/authorize?response_type=token&client_id=[APP-ID]&redirect_uri=[APP-NAME]%3A%2F%2Foauth-callback&scope=activity&expires_in=604800

What I am uncertain about is the client secret, do I need it when using the implicit grant flow?


Hi @pepejeria,

The client secret is only used in the authorization code grant flow for making an access token request and refresh token request. Refreshing a token requires the use of the client secret, which cannot safely be stored in distributed application code. When the access token expires, users will need to re-authorize your app. The Authorization header must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and secret concatenated with a colon. For example, the Base64 encoded string, Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ=, is decoded as "client_id:client secret".

Since the Implicit Grant Flow does not use refresh tokens to obtain a new access token, you do not need to use the client secret with this authorization flow.

I hope this helps. Let me know if you have any additional questions.

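The two handoffs the answer contrasts, as an added example (this is not code from the original post, from Fitbit, or from any Fitbit SDK). It builds the Basic header exactly as the answer describes, shows the server-side token and refresh requests that need the secret, and parses the fragment an implicit-grant redirect to `[APP-NAME]://oauth-callback` carries, which needs no secret. Assumptions: the token endpoint URL, the OAuth `state` parameter (a standard CSRF check, not present in the thread's authorize URL), and the sample redirect, which is constructed.

```python
import base64
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: Fitbit's token endpoint. The thread only shows the authorize URL.
TOKEN_ENDPOINT = "https://api.fitbit.com/oauth2/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Basic ' + base64(client_id + ':' + client_secret), as the answer describes.

    Only the authorization-code flow sends this header (token and refresh requests).
    """
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def code_grant_token_request(client_id, client_secret, code, redirect_uri):
    """Exchange an authorization code for tokens. Returns (url, headers, form_body).

    The secret appears only in the Authorization header, which is why this
    request belongs on a server and not inside a distributed mobile binary.
    """
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return TOKEN_ENDPOINT, headers, body


def refresh_token_request(client_id, client_secret, refresh_token):
    """Refresh request: same Basic header, grant_type=refresh_token."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return TOKEN_ENDPOINT, headers, body


def parse_implicit_redirect(redirect_url: str, expected_state: Optional[str] = None) -> dict:
    """Implicit grant: the token arrives in the URL fragment (after '#') of the redirect.

    No client secret and no refresh token are involved; once expires_in runs out
    the user re-authorizes. `state` is the standard OAuth CSRF check (assumed
    here, not shown in the thread's URL); pass expected_state=None to skip it.
    """
    parts = urlsplit(redirect_url)
    params = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error']}")
    if expected_state is not None and params.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed redirect")
    if "access_token" not in params:
        raise ValueError("redirect fragment carries no access_token")
    params["expires_in"] = int(params.get("expires_in", "0"))
    return params


if __name__ == "__main__":
    # Constructed sample redirect, shaped like the thread's [APP-NAME]://oauth-callback.
    sample = ("myapp://oauth-callback#access_token=tok.example"
              "&token_type=Bearer&scope=activity&expires_in=604800&state=n0nc3")
    tok = parse_implicit_redirect(sample, expected_state="n0nc3")
    print(tok["access_token"], tok["expires_in"])
    print(basic_auth_header("client_id", "client secret"))
```

The iOS app only ever runs `parse_implicit_redirect`; the two request builders exist to show where the secret would have to live if the authorization-code flow were chosen, and neither belongs in the app bundle.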