08-11-2015 18:51
Hi,
This is probably a general OAuth architecture question, but maybe you can provide feedback.
I have a website and a mobile app that I'm integrating Fitbit into.
I have the Authorization Code Grant flow working for the website.
Now I want to do the mobile app, but once the mobile app is connected to Fitbit, I want my mobile app to call my own server, which would then call Fitbit using a token.
What's a good architecture here? Should I have my mobile app launch a page on my website, which then goes through the same sequence as my website, and then I store the token on my server and somehow redirect back into the mobile app once that sequence is complete?
The downfall I see of this is that launching a webpage from the mobile app might mean the user needs to log in to my website and then Fitbit, even though they are logged into my app.
The downside to the implicit grant flow seems to be that if I get the token on my client and pass that to my server for storage, then that token can expire quite often and I would need to re-prompt the user to connect to Fitbit all the time.
Any guidance here is appreciated.
Jon
08-12-2015 04:20
I figured out a way to send the user to my website in Mobile Safari from the mobile app, initiate the server-side Authorization Code Grant flow, and then redirect from my server as a deep link into my app once the Authorization Code Grant flow is complete.
The client secret is all on the server and I get refresh tokens.
With the Authorization Code Grant flow and refresh tokens, can my app call on behalf of the user indefinitely without the need to have the user re-authorize my app? (Barring that they remove my app from either my side or Fitbit.)
Thanks!
Jon
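One way to arrange the server side of the flow described in this thread (app opens the website, the server runs the Authorization Code Grant, then deep-links back into the app), as an added example that is not from the original posts or from Fitbit. The endpoint URL, redirect URI, deep-link scheme, the one-time handoff code and the injected `exchange_code` callback are assumptions; the point it adds is that the state is bound to the logged-in user and the deep link carries a single-use handoff code rather than any OAuth token.

```python
import secrets
import time
from urllib.parse import urlencode

# Endpoint and URIs are assumptions for illustration; check the provider's docs.
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"
REDIRECT_URI = "https://example.com/fitbit/callback"   # constructed
APP_DEEP_LINK = "myapp://fitbit/connected"             # constructed app scheme
CLIENT_ID = "EXAMPLE_CLIENT_ID"                        # placeholder
STATE_TTL = 600  # seconds a pending authorization stays valid

pending = {}         # state -> (app_user_id, expires_at)
refresh_tokens = {}  # app_user_id -> refresh token; encrypt at rest in production
handoffs = {}        # one-time handoff code -> app_user_id

def begin_authorization(app_user_id, now=None):
    """Website side. The app opened this page carrying proof of its own session,
    so app_user_id is known without a second web login. Bind a random state to it."""
    state = secrets.token_urlsafe(32)
    pending[state] = (app_user_id, (now or time.time()) + STATE_TTL)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "activity profile", "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state

def handle_callback(state, code, exchange_code, now=None):
    """Redirect URI handler. Rejects unknown or stale state (blocks CSRF-style
    linking of someone else's account), exchanges the code server-side so the
    client secret never leaves the server, stores the refresh token, and returns
    a deep link holding only a one-time handoff code, never an OAuth token."""
    entry = pending.pop(state, None)
    if entry is None or entry[1] < (now or time.time()):
        raise PermissionError("unknown or expired state")
    app_user_id = entry[0]
    tokens = exchange_code(code, REDIRECT_URI)  # POST to the token endpoint with client credentials
    refresh_tokens[app_user_id] = tokens["refresh_token"]
    handoff = secrets.token_urlsafe(16)
    handoffs[handoff] = app_user_id
    return f"{APP_DEEP_LINK}?{urlencode({'handoff': handoff})}"

def complete_link(app_user_id, handoff):
    """App side, called over the app's own authenticated session: confirm the
    handoff belongs to this user. It is single-use, so a replayed deep link fails."""
    return handoffs.pop(handoff, None) == app_user_id
```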