Invalid consumer key error

I am trying to call the API method GetActivities with <UserID> and got the error "Invalid consumer key". I double-checked the key, and it is correct. I am not sure why I got this error. Am I missing anything else here?

GET Method: http://api.fitbit.com/1/user/<userid>/activities/date/2014-07-14.json. And passed the request header as "Authorization: OAuth outh_consumer_key="<Consumer Key>"

 

I read in the documentation that we don't need to pass either a token or any other OAuth parameters, so I didn't pass anything else except the consumer key. Any help would be really appreciated.

 

Best Answer
0 Votes
13 REPLIES 13

The error probably says "Invalid consumer key or signature" or something similar.

You need to sign your request properly, please read this for more details:  https://wiki.fitbit.com/display/API/OAuth+Authentication+in+the+Fitbit+API .

Check out the [GET /1/user/-/activities/date/2010-04-02.json] request on this page for an example.

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

I tried with an OAuth signature. Still getting an error. I believe the Client (Consumer) Secret key is the oauth_signature parameter value?

Get URL - http://api.fitbit.com/1/user/2SWR5H/activities/date/2014-07-14.json

Request Header: Authorization: OAuth realm="Example", oauth_consumer_key="<consumer key>", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1405458665", oauth_nonce="7d8f3e47", oauth_signature="<secret key that i got from while register application>"

Response:

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=edge,chrome=1
WWW-Authenticate: OAuth realm="http%3A%2F%2Fapi003-g4.prod.dal05.fitbit.com"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Content-Language: en
Content-Length: 144
Vary: Accept-Encoding
Date: Tue, 15 Jul 2014 21:14:53 GMT
X-Frame-Options: SAMEORIGIN
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Connection: Keep-Alive
Set-Cookie: JSESSIONID=F64703C707F40293E326A317677DC1E5.fitbit1; Path=/

{"errors":[{"errorType":"oauth","fieldName":"oauth_signature","message":"Invalid signature: <secret key>"}],"success":false}

 

 

Any idea why I am getting this??

 

Best Answer
0 Votes

Nope, the client (consumer) key and oauth_signature are two completely different things.

Please read https://wiki.fitbit.com/display/API/OAuth+Authentication+in+the+Fitbit+API for more details.

In short, you should be sending out both the client (consumer) key and the signature as parameters.

Signature is a string value that is generated based on request parameters: http://tools.ietf.org/html/rfc5849#section-3.4

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes
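
An added illustration of the reply above (not code from this thread or from Fitbit.NET): how an OAuth 1.0a HMAC-SHA1 signature is derived per RFC 5849 section 3.4, showing that the consumer secret and token secret only key the HMAC and are never sent as oauth_signature. The key, token and secret values are constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    # RFC 5849 section 3.6: everything except unreserved characters is %-encoded
    return quote(str(value), safe="-._~")

def base_uri(url):
    # Section 3.4.1.2: lowercase scheme/host, drop default port and query
    p = urlsplit(url)
    host = p.hostname
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme):
        host += f":{p.port}"
    return f"{p.scheme}://{host}{p.path or '/'}"

def signature_base_string(method, url, oauth_params):
    # Section 3.4.1.3: query + oauth_* parameters, without realm/oauth_signature
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalized)])

def sign_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret=""):
    # Section 3.4.2: the secrets form the HMAC key and are never transmitted
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = signature_base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def authorization_header(method, url, oauth_params, consumer_secret, token_secret=""):
    signed = dict(oauth_params)
    signed["oauth_signature"] = sign_hmac_sha1(
        method, url, oauth_params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in signed.items())

# Constructed sample values (not real credentials)
URL = "http://api.fitbit.com/1/user/-/activities/date/2014-07-14.json"
PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1405458665",
    "oauth_nonce": "7d8f3e47",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    print(signature_base_string("GET", URL, PARAMS))
    print(authorization_header("GET", URL, PARAMS, "example-consumer-secret",
                               "example-access-token-secret"))
```

The signature changes with every timestamp, nonce, URL and token secret, which is why a fixed secret pasted into oauth_signature is rejected.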

You should consider using an existing OAuth client that's available for your language:

http://oauth.net/code/

 

This will save you a lot of time and headache with the OAuth request and signing process.

Best Answer
0 Votes

Let me explain what I am trying to do here.

I want to generate a chart in my application based on the activity data of a Fitbit user. So I thought of using the Fitbit Resource Access API (REST endpoints) here. I want to override the Fitbit user OAuth authentication page since my application doesn't know any of the Fitbit user's credentials except <UserId>. I went through the documentation https://wiki.fitbit.com/display/API/API-Get-Activities and it looks like I can get activity data by passing <UserId> in the URL like "/1/user/228TQ4/activities/date/2010-02-25.json". So I tried calling this URL with the appropriate consumer key, but it didn't work. Is there any other way to achieve this requirement?

Best Answer
0 Votes

The only way you can get the data is using the Fitbit API, which requires you to go through a valid OAuth 1.0a flow.

The OAuth 1.0a flow requires the Fitbit user whose info you're interested in to grant access to your application so you can get an access token and access token secret.

 

Please copy and paste here the request you're trying to make including all the headers.

 

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

I am using the Fitbit.NET API library. Here is the code; here is the URL for the Fitbit.NET library: https://github.com/aarondcoleman/Fitbit.NET/

 

public ActionResult GetActivity()
        {
            string ConsumerKey = ConfigurationManager.AppSettings["FitbitConsumerKey"]; // Consumer key that I got while registering the application
            string ConsumerSecret = ConfigurationManager.AppSettings["FitbitConsumerSecret"]; // Secret key that I got while registering the application

            Fitbit.Api.Authenticator authenticator = new Fitbit.Api.Authenticator(ConsumerKey,
                                                                                    ConsumerSecret,
                                                                                    "http://api.fitbit.com/oauth/request_token",
                                                                                    "http://api.fitbit.com/oauth/access_token",
                                                                                    "http://api.fitbit.com/oauth/authorize");

            RequestToken token = authenticator.GetRequestToken();

            FitbitClient fbClient = new FitbitClient(ConsumerKey, ConsumerSecret, token.Token, token.Secret);

            Activity act = fbClient.GetDayActivity(new DateTime(2013, 7, 14));

            //print act here
        }

 

Best Answer
0 Votes

Where are you getting token.Token, token.Secret from?

Please confirm that you did the access_token request and got back a valid access token and access token secret.

Also please paste the request you're making, including all the headers.

Also paste here the response you're getting back.

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

Here is the entire source code I downloaded from the Fitbit.NET API library. I tried to tweak a few things in this code to override a few steps in the OAuth authentication flow, which I explain below.

Source code URL - https://github.com/aarondcoleman/Fitbit.NET

To answer your question first, here is the method that gets me token.Token and token.Secret. You can also see this method if you download the code from the above URL.

public RequestToken GetRequestToken(string callback)
        {
            client.Authenticator = OAuth1Authenticator.ForRequestToken(this.ConsumerKey, this.ConsumerSecret, callback);

            var request = new RestRequest("oauth/request_token", Method.POST);
            var response = client.Execute(request);

            var qs = HttpUtility.ParseQueryString(response.Content);

            RequestToken token = new RequestToken();

            token.Token = qs["oauth_token"];
            token.Secret = qs["oauth_token_secret"];

            if (response.StatusCode != System.Net.HttpStatusCode.OK)
                throw new Exception("Request Token Step Failed");

            return token;
        }

 

If you run the downloaded code as is (SampleWebMVC project), it works fine, because it complies with the OAuth flow. What I want to do is get rid of the "api.fitbit.com" user authentication step from the OAuth authentication flow, as my application doesn't maintain users' credentials except the user id. So, here is the tweaked code:

public ActionResult Authorize()
        {
            
            string ConsumerKey = ConfigurationManager.AppSettings["FitbitConsumerKey"]; // Consumer key that I got while registering the application
            string ConsumerSecret = ConfigurationManager.AppSettings["FitbitConsumerSecret"]; // Secret key that I got while registering the application

            
            Fitbit.Api.Authenticator authenticator = new Fitbit.Api.Authenticator(ConsumerKey,
                                                                                    ConsumerSecret,
                                                                                    "http://api.fitbit.com/oauth/request_token",
                                                                                    "http://api.fitbit.com/oauth/access_token",
                                                                                    "http://api.fitbit.com/oauth/authorize");
            RequestToken token = authenticator.GetRequestToken();
            AuthCredential creden = authenticator.ProcessApprovedAuthCallback(token);
            
            FitbitClient fbClient = new FitbitClient(ConsumerKey, ConsumerSecret, creden.AuthToken, creden.AuthTokenSecret);
            Activity act = fbClient.GetDayActivity(new DateTime(2013, 7, 14));
            
            
            //print act here
        }

When I execute this code, the line "authenticator.ProcessApprovedAuthCallback(token);" returns an Unauthorized error. I guess it's just because I don't have a value in Token.Verifier yet, since I am not redirecting the application to api.fitbit.com for user authentication. Token.Verifier is returned by the api.fitbit.com server while executing the callback function. That's what you can see in the original downloaded code.

So, again, my question here is: how would I override the "api.fitbit.com" authentication page?? I want to access a user's Fitbit data with the registered application's consumer key and secret key, along with the Fitbit user's user id.

If it's not possible to access a Fitbit user's data without the user's entire credentials (user id and password), is there a REST method call to do this authentication instead of redirecting my application to the api.fitbit.com page?

I hope this makes the requirement clear. Please let me know if you need to know anything else.

 

Thanks

Best Answer
0 Votes

There is no way to override it, since we have to respect the Fitbit user's authority and the OAuth 1.0a flow.

You won't ever be able to get a user's data without the Fitbit user authorizing access for your app to read his data on the fitbit.com authorization page.

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

Fine. Is there a REST method to authorize fitbit user?

Best Answer
0 Votes

There is no REST method where a user can authorize your app to use his data. The only place where a user can do it is https://api.fitbit.com//oauth/authorize?oauth_token=<temp_access_token>

where <temp_access_token> is a valid temp_access_token that you'll get at the request_token step.

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

Thank you Ibahdanau!

Best Answer
0 Votes