04-02-2020 04:47
I have successfully implemented Fitbit login with the implicit grant flow and would also want to allow the user to log out from Fitbit.
I see in the documentation that you can revoke tokens, but I guess that this is not the way to go due to this:
"Revoking the access token or refresh token will provide the same result. When the token is revoked, all tokens are revoked for that user. If an application has multiple sessions (web, mobile, etc.) for the same user, the revocation will remove all sessions (web, mobile, etc.) associated with that user."
This would mean that the user would be logged out from all devices, right? What is your recommendation to log out a user from Fitbit using the Web API?
Accepted Solutions
04-04-2020 09:42
Ok, all good:
- Revoking the token did work with implicit grant flow
- It only revoked access to the API for my app

04-02-2020 11:10
Hi @pepejeria,
Can you clarify your use case? Are you trying to force a user to log out of the Fitbit app or the application you are developing?
The Web API doesn't support any endpoints that force a user to log out of their own Fitbit account. Users have full control over their Fitbit account from logging in & logging out to deciding which 3rd party applications to share data to and when to revoke access to 3rd party applications.
Revoking a token does not force a user to log out of their Fitbit account. What revoking a token does is prevent your application from further pulling data from the user's Fitbit account.
I hope this helps clarify. Please let me know if you have any additional questions.

04-02-2020 11:46
I have a step counter app for the iPhone and I am adding Fitbit integration to it.
The user can connect to Fitbit by logging in and I would also allow the user to disconnect Fitbit from my app. Kind of like what the Strava app does.
"Revoking a token does not force a user to log out of their Fitbit account. What revoking a token does is prevent your application from further pulling data from the user's Fitbit account."
Ok, so I should then revoke the token to disconnect the Fitbit connection to my app, right? I got another impression from what the documentation says (quoted text in my original post).

04-03-2020 02:05 - edited 04-04-2020 09:08
To clarify what I want:
My iOS step counter app has added Fitbit integration and I would like to give the user the possibility to log out (prevent app from pulling data) as well. Kind of what the Strava app is doing currently for iOS, they allow the user to disconnect Strava from Fitbit.
Documentation:
The documentation states:
"Revoking the access token or refresh token will provide the same result. When the token is revoked, all tokens are revoked for that user. If an application has multiple sessions (web, mobile, etc.) for the same user, the revocation will remove all sessions (web, mobile, etc.) associated with that user."
Questions:
- Is it ok to offer this log out/disconnect functionality in the iOS app? Maybe the user wants to disconnect Fitbit and only use Apple Health.
- If yes, would revoking the token be the correct thing to do? To me it sounds, from the documentation quote above, that the user will be logged out from all apps by doing this, which would be undesired. Is this assumption correct?
- Does revoking a token work for implicit grant flow as well?
Thanks.


04-06-2020 15:33
@pepejeria Apologies for the delayed response. Your above statements are correct.
- Is it ok to offer this log out/disconnect functionality in the iOS app? Maybe the user wants to disconnect Fitbit and only use Apple Health.
  - Yes, you should allow your users to choose which platform to share their data to.
- If yes, would revoking the token be the correct thing to do? To me it sounds, from the documentation quote above, that the user will be logged out from all apps by doing this, which would be undesired. Is this assumption correct?
  - Revoking the token would be correct. This will only break the connection between the user's Fitbit account and your application.
- Does revoking a token work for implicit grant flow as well?
  - Revoking a token works for both authentication flows.
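
A sketch of the "disconnect" step this thread settles on, as an added example (not code from the posters or from Fitbit): revoke the token with an RFC 7009 style request, remove it from active use immediately, and keep it only for a retry when revocation could not be confirmed. The endpoint URL is a placeholder, the `store` dict stands in for the app's secure storage, and sending `client_id` in the body for a public (implicit grant) client is an assumption to check against the provider's documentation.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# Placeholder (assumption): take the real revocation URL from the provider's docs.
REVOCATION_URL = "https://auth.example.invalid/oauth2/revoke"


def build_revocation_request(token, client_id, client_secret=None, url=REVOCATION_URL):
    """Build an RFC 7009 token revocation request without sending it."""
    fields = {"token": token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        # Public client (mobile app, implicit grant): there is no secret to present.
        fields["client_id"] = client_id
    else:
        # Confidential client: HTTP Basic client authentication.
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {basic}"
    body = urllib.parse.urlencode(fields).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send(request):
    """Default sender: HTTP status code, or None when the server is unreachable."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return None


def disconnect(store, client_id, sender=send):
    """Stop using the token locally, then revoke it server-side.

    Returns True once nothing is left to revoke; False if the token was
    parked under 'pending_revocation' for a later retry.
    """
    # Take the token out of active use first, so the app stops pulling data
    # even if the network call below fails.
    token = store.pop("access_token", None) or store.pop("pending_revocation", None)
    if token is None:
        return True
    if sender(build_revocation_request(token, client_id)) == 200:
        return True
    store["pending_revocation"] = token  # still valid server-side; retry later
    return False
```

Calling `disconnect` again, for example at next launch, retries a parked token until the server confirms the revocation.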

