help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

OAuth authorization request using GET

ANSWERED

‎05-04-2015 06:18 - edited ‎05-04-2015 06:20

‎05-04-2015 06:18 - edited ‎05-04-2015 06:20

I am using an iOS library that seems to send the intial authorization request via GET instead of POST. The Fitbit documentation indicates that the initial authorization request should be a POST but the library I am using for OAuth (Googles gtm-oauth) seems to default to GET unless there is postData or a postStream along with the request.

 

Am I missing something, or is the library I am using and the Fitbit API not compatible?

Best Answer
Labels:
0 Votes
1 BEST ANSWER

Accepted Solutions

‎05-06-2015 12:07

‎05-06-2015 12:07

After switching to using TDOAuth over gtm-oauth I am now able to successfully progress through the oauth request flow in Objective-C. As far as I could tell gtm-oauth was not generating a valid oauth_signature value for the request being sent.

View best answer in original post

Best Answer
0 Votes
7 REPLIES 7

‎05-04-2015 10:37

‎05-04-2015 10:37

Which endpoint are you calling?

Best Answer
0 Votes

‎05-04-2015 10:45 - edited ‎05-04-2015 13:31

‎05-04-2015 10:45 - edited ‎05-04-2015 13:31

@aerickson wrote:

I am using an iOS library that seems to send the intial authorization request via GET instead of POST. The Fitbit documentation indicates that the initial authorization request should be a POST but the library I am using for OAuth (Googles gtm-oauth) seems to default to GET unless there is postData or a postStream along with the request.

 

Am I missing something, or is the library I am using and the Fitbit API not compatible?

Correct, it "should" be a POST, but we do support GET as well for compatibility with such libraries.

Best Answer
0 Votes

‎05-04-2015 13:24 - edited ‎05-04-2015 13:39

In response to SunsetRunner

‎05-04-2015 13:24 - edited ‎05-04-2015 13:39

So will I be able to send the oauth/authorization as a GET then? I was using the Fitbit API Debug Tool to try and narrow down the issue

 

This GET returned a 401 status, but a similar call using POST was successful

 

curl -X GET -i -H 'Authorization: OAuth oauth_consumer_key="MY_CLIENT_KEY", oauth_nonce="somerandomstring", oauth_signature="kJtewct3KKLYGl%2FT8F955LXaGeo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1430712645", oauth_version="1.0"' https://api.fitbit.com/oauth/request_token

 

 

Its worth noting that the above call is no longer valid due to the now invalid signature and expired timestamp (and of course ommitted consumer key).

Best Answer
0 Votes

‎05-04-2015 13:30

In response to aerickson

‎05-04-2015 13:30

Keep in mind that the signature is different if you use GET vs POST. Its part of the Base String that is used to calculate the signature and the Debug Tool is using POST only.

Best Answer
0 Votes

‎05-04-2015 14:10 - edited ‎05-04-2015 18:06

In response to SunsetRunner

‎05-04-2015 14:10 - edited ‎05-04-2015 18:06

Agreed, what I was able to do was breakpoint on the error and look at the returned response. The response provided by the API seems to indicate that the oauth_signature is not being signed correctly

 

Here is a dump of the request headers:

{
    Authorization = "OAuth oauth_consumer_key=\"MY_CLIENT_KEY\", oauth_signature_method=\"HMAC-SHA1\", oauth_version=\"1.0\", oauth_nonce=\"15951771785938530859\", oauth_timestamp=\"1430773063\", oauth_signature=\"M57lnT19S33BWLeTN8kPDzdM7cM%3D\"";
}

(Had to take out my client key)

 

And the error information provided in the response:

"{"errors":[{"errorType":"oauth","fieldName":"oauth_signature","message":"Invalid signature: M57lnT19S33BWLeTN8kPDzdM7cM="}],"success":false}"

 

I cant imagine that the library is generating an incorrect signature so it must be something that I am doing wrong.

 

Are you able to see anything obviously incorrect from the information provided?

Best Answer
0 Votes

‎05-06-2015 12:07

‎05-06-2015 12:07

After switching to using TDOAuth over gtm-oauth I am now able to successfully progress through the oauth request flow in Objective-C. As far as I could tell gtm-oauth was not generating a valid oauth_signature value for the request being sent.

Best Answer
0 Votes

‎03-19-2025 02:43

‎03-19-2025 02:43

It sounds like a mismatch between the library's default behavior and Fitbit's API requirements. Maybe check if you can override the method. Some go to market examples suggest adapting strategies for compatibility.

Best Answer
0 Votes