03-19-2020 09:03
Hi,
I am developing an iOS app that connects to Fitbit and I chose the "Implicit Grant" flow for this (assuming it was the correct choice).
The Fitbit debug tool has generated the following link (removed id and app name): https://www.fitbit.com/oauth2/authorize?response_type=token&client_id=[APP-ID]&redirect_uri=[APP-NAME]%3A%2F%2Foauth-callback&scope=activity&expires_in=604800
What I am uncertain about is the client secret, do I need it when using the implicit grant flow?
03-24-2020 17:52
Hi @pepejeria,
The client secret is only used in the authorization code grant flow for making an access token request and refresh token request. Refreshing a token requires the use of the client secret, which cannot safely be stored in distributed application code. When the access token expires, users will need to re-authorize your app. The Authorization header must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and secret concatenated with a colon. For example, the Base64 encoded string, Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ=, is decoded as "client_id:client secret".
Since the Implicit Grant Flow does not use refresh tokens to obtain a new access token, you do not need to use the client secret with this authorization flow.
I hope this helps. Let me know if you have any additional questions.
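The following Python example is added here to illustrate the answer above; it is not code from the thread or from Fitbit. It builds the Basic Authorization header the authorization code flow needs (and decodes it again, which is why a secret embedded in an app binary is only obscured, not protected), and it shows the implicit-grant side: the token arrives in the redirect URL's fragment, so no secret is involved. The `state` parameter is the standard OAuth 2.0 CSRF-binding parameter and is an assumption on my part; it does not appear in the link in the question. The sample callback URL and token values are constructed.

```python
import base64
from urllib.parse import urlsplit, parse_qs, urlencode

# Authorize endpoint taken from the debug-tool link quoted in the question.
AUTHORIZE_ENDPOINT = "https://www.fitbit.com/oauth2/authorize"


def basic_auth_header(client_id, client_secret):
    """Authorization header value for the authorization code grant's token and
    refresh requests: 'Basic ' + base64("client_id:client_secret").
    The implicit grant never sends this header, so it never needs the secret."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth_header(header_value):
    """Inverse of basic_auth_header. Base64 is an encoding, not encryption:
    anyone holding the app binary can recover a shipped secret this easily."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' between client id and secret")
    return client_id, secret


def implicit_authorize_url(client_id, redirect_uri, scope, expires_in, state):
    """Build the implicit-grant authorize URL (response_type=token).
    'state' is the standard OAuth 2.0 CSRF-binding parameter (assumed here,
    not part of the link in the question); keep it and check it on return."""
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "expires_in": str(expires_in),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_implicit_callback(callback_url, expected_state):
    """Extract the access token the implicit grant delivers in the redirect
    URL's fragment (after '#'), rejecting a forged or replayed callback whose
    state does not match the one we generated."""
    fragment = urlsplit(callback_url).fragment
    fields = {key: values[0] for key, values in parse_qs(fragment).items()}
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: callback was not started by this app session")
    if "access_token" not in fields:
        raise ValueError("no access_token in fragment")
    if fields.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {
        "access_token": fields["access_token"],
        "expires_in": int(fields.get("expires_in", "0")),
        "scope": fields.get("scope", "").split(),
    }


if __name__ == "__main__":
    # Authorization code flow: header built from the answer's example values.
    print(basic_auth_header("client_id", "client secret"))
    # Implicit flow: constructed callback URL standing in for what iOS hands the app.
    sample_state = "constructed-state-1"
    print(implicit_authorize_url("[APP-ID]", "[APP-NAME]://oauth-callback",
                                 "activity", 604800, sample_state))
    callback = ("[APP-NAME]://oauth-callback#access_token=constructed-token"
                "&token_type=Bearer&expires_in=604800&scope=activity"
                "&state=" + sample_state)
    print(parse_implicit_callback(callback, sample_state))
```

The decode step is the practical argument behind the answer: a client secret compiled into an iOS app is recoverable by anyone who extracts the binary, which is why the implicit grant skips it and accepts re-authorization on expiry instead of refresh tokens.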