
Locking my data through OAUTH 2?

I just received an email about OAUTH1 being discontinued in less than a month. (First I heard of it). So I thought, fine, I'll just spend some time updating my personal app.

 

However, after looking into the forums here, I discovered that a) You don't support SNI-certificates and b) You don't support StartSSL. This means that I'll a) Have to make changes to my server, and b) will have to fork out for a new certificate, solely to have continued access to my own data.

 

Personally I think this is a really crappy move.


Also. At the very least, please provide a list of certificate authorities you do support.


So fortunately I misunderstood the HTTPS enforcement, so OAuth 2 will work with any certificate. However, I still would have liked more than 25 days' warning.

 

And a list of accepted certificate authorities to be able to use subscriptions would also be appreciated.


@deadcyclo OAuth 1.0a removal was originally announced in October 2015, you can see the most recent update here. I'll have to get back to you as far as certificate authorities.

Andrew | Community Moderator, Fitbit

What motivates you?


But why wasn't this announced by email? Not all of us spend all day reading the forum. I received an email from Fitbit API in August 2015 announcing some minor changes, and discontinuation of XML requests. Then nothing until 1st of July when I got the "Breaking Fitbit Web API Change: OAuth 1.0a removal August 1" email.

 

I don't mind the discontinuation at all. What I do mind is not being informed about it until the last moment (unless I happen to read some obscure forum post). Especially when you have previously announced much smaller changes via email.

 


@deadcyclo It was announced through email, and on the forum. The email went out on October 12th 2015 stating that support for OAuth 1.0a would be removed April 12th. An update was sent out March 29, 2016 because OAuth 1.0a removal was pushed back to August 1st.

 

Not sure why you didn't receive either of those emails, but the one you received July 1st has been the third email notification for OAuth 1.0a removal.

Andrew | Community Moderator, Fitbit

What motivates you?


@deadcyclo wrote:

However, after looking into the forums here, I discovered that a) You don't support SNI-certificates and b) You don't support StartSSL. This means that I'll a) Have to make changes to my server, and b) will have to fork out for a new certificate, solely to have continued access to my own data.


Both of these are completely unrelated to the transition to OAuth 2.0. The SNI issue and lack of StartSSL support only apply to the Subscriptions API and equally apply to OAuth 1.0a.

 

Fitbit supports every major TLS certificate provider. The StartSSL issue is due to StartSSL not following the proper procedure for being included with Java. If you need a free option, try Let's Encrypt.

 


@AndrewFitbit Interesting. Do you know if they were sent from the default api (at) fitbit.com address? Because I've even got a whitelist entry on that address. Oh well. I guess we'll have to blame gremlins on the wires or something. Thanks for all of your replies 🙂


@JeremiahFitbit Realized that after posting. I completely misread some posts on the forum and the docs, and thought you guys went above and beyond and checked redirects, but not even SSL is enforced for redirects (which is nice - allows easy dev).

 

So you support Let's Encrypt. That's awesome. Then I can just create a subdomain for incoming requests.

 

Thanks for your reply 🙂
