07-06-2015 12:25 - edited 07-06-2015 12:39
Hi,
I have users using OAuth 1.0 and I am planning to migrate them to OAuth 2.0 without having them go through the complete flow. I will be using the refresh token exchange to do this migration, as suggested by Fitbit in the API docs. However, I also want to get the heart rate data. The API docs say that
"This will allow an application to upgrade to OAuth 2.0 without requiring users to go through the authorization flow unless the application would like to request access to heart rate and location data"
Does it mean that if my application's users want to access their heart rate data, they have to go through the complete OAuth workflow again, though their credentials are migrated from 1.0 to 2.0 at the backend?
Shouldn't the access be given to all available scopes after this migration?
07-06-2015 15:03
@aditya14641 I think Fitbit has made it very clear that apps will not get access to heart rate data without the user specifically approving the request. So you are correct: while you can migrate them from 1.0 to 2.0, you won't get access to the heart rate data unless they go through the process with the additional scope. I know I certainly don't want all the old applications I have approved under 1.0 to automatically get access to my heart rate data. (I actually wish I had much more granular control over what they could access/change.)
07-06-2015 15:53
So will the user be given the privilege to remove other scopes while going through the complete OAuth process for the heart rate scope?
07-06-2015 15:59
No, they can either approve or deny the request as a whole. (I.e., if you ask for something they don't want to share, you don't get anything.)
07-13-2015 17:24
@aditya14641 wrote:
So will the user be given the privilege to remove other scopes while going through the complete OAuth process for the heart rate scope?
Users will have the option to not grant any scope your app requests. (Each scope has a checkbox beside it. Currently, some scopes appear as a bullet, but all will be a checkbox by the end of the beta.) You will need to confirm that the user actually gave you the scope you requested. Scope is returned in the callback.
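The check described in the last reply, as an added example that is not part of the thread and is not Fitbit's code: it compares the scope returned with the token against what the app requested and enables only the features whose scopes were all granted. The scope names, the feature mapping and the sample response are assumptions constructed for illustration, and the scope string is assumed to be space-delimited as in RFC 6749.

```python
from dataclasses import dataclass
from typing import Iterable, Mapping

# Assumed feature-to-scope mapping for a hypothetical app; adjust to your own.
FEATURE_SCOPES = {
    "heart_rate_charts": {"heartrate"},
    "route_map": {"activity", "location"},
    "step_summary": {"activity"},
}


@dataclass(frozen=True)
class ScopeCheck:
    granted: frozenset     # requested scopes the user approved
    missing: frozenset     # requested scopes the user did not approve
    unexpected: frozenset  # returned scopes the app never asked for
    features: frozenset    # features whose required scopes were all granted


def parse_scope(raw) -> frozenset:
    """Split a space-delimited scope string (RFC 6749 section 3.3)."""
    # Fail closed: a missing or non-string scope value confirms nothing.
    return frozenset(raw.split()) if isinstance(raw, str) else frozenset()


def check_granted_scopes(requested: Iterable[str], response: Mapping) -> ScopeCheck:
    requested = frozenset(requested)
    returned = parse_scope(response.get("scope"))
    # Only act on scopes that were both requested and returned.
    granted = returned & requested
    features = frozenset(
        name for name, needed in FEATURE_SCOPES.items() if needed <= granted
    )
    return ScopeCheck(granted, requested - returned, returned - requested, features)


# Constructed sample: the user unticked heart rate and location.
SAMPLE_RESPONSE = {
    "access_token": "constructed-token-value",
    "token_type": "Bearer",
    "scope": "activity profile",
}

if __name__ == "__main__":
    result = check_granted_scopes(
        {"activity", "heartrate", "location", "profile"}, SAMPLE_RESPONSE
    )
    print("enabled features:", sorted(result.features))
    print("not granted:", sorted(result.missing))
```

Store the granted set alongside the token so that later requests for heart rate or location data are not attempted for users who declined those scopes.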