
OAuth2.0 access Token API not working properly

ANSWERED

Hi, I am a newbie with the Fitbit API and I am currently working to integrate it with another system using the new OAuth 2.0 authorization flow.

Currently I succeeded in requesting the code from the authorize endpoint, which successfully opens my callback page in order for me to call the token endpoint (https://api.fitbit.com/oauth2/token) to request the access token.

Unfortunately the call for the token always answers with a 401 error (unauthorized), even though I pass all the required parameters. Below you can find the input I use:

{"redirect_uri":"https%3A%2F%2F**************%2FFitBitCallback","grant_type":"authorization_code","code":"4aaafbe8c0316e9562e8d867468d09f242c8c9d6","client_id":"******"}

I pass the authorization header with the 'Basic "base64 client_id:secret"' like in the API spec, and the redirect_uri is exactly the same as the one in the Fitbit application I created in my dev profile.

Could you please lend me a hand in order to understand what's wrong?

 

Thanks

Andrea

 

Best Answer
0 Votes

You need to Base64 encode your clientid:secret string.

 

For example, if your client id was XYZ123 and your secret was abcdefghijklmnopqrstuvwyz, the Base64 encoded version of XYZ123:abcdefghijklmnopqrstuvwyz would be WFlaMTIzOmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eXo=

Best Answer
0 Votes


Hi, I am currently working to integrate it with our health management application using the new OAuth 2.0 authorization flow. I got an error like this: Fatal error: Class 'Oauth' not found. Please guide me on how to configure OAuth on my side.

Best Answer
0 Votes

Hi Jeremiah,

thanks for your response. I have already base64 encoded the client_id:secret (I was not very clear in my post but that was what I meant). I have followed all of the instructions from the API docs for OAuth 2.0, adding the headers and all, and in my log I can see the code, as it is in the response from the authorization, being passed in the token request correctly.

Also the redirect_uri is the same (apart from URI encoding) as the one in the application configuration.

Anyway, I don't know if this can help, but I have not yet registered a device with my account; I will do this in the next few days.

If you need more info let me know and I will provide it asap.

 

Thanks

Andrea

Best Answer
0 Votes

I keep testing this and I was able to catch the response:

HttpResponse[Status=Unauthorized, StatusCode=401]
response body:[access_token=null, expires_in=null, refresh_token=null, token_type=null]
header: WWW-Authenticate value: OAuth realm="https%3A%2F%2Fapi010-g4.prod.dal05.fitbit.com"
header: Content-Language value: en-US
header: Vary value: Accept-Encoding
header: Cache-control value: no-cache, must-revalidate
header: Date value: Thu, 04 Jun 2015 15:46:47 GMT
header: Content-Length value: 132
header: Expires value: Thu, 01 Jan 1970 00:00:00 GMT
header: X-UA-Compatible value: IE=edge,chrome=1
header: Set-Cookie value: fhttps=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/;JSESSIONID=5973338BAF0D929E3694098C02B90119.fitbit1; Path=/; HttpOnly
header: Content-Type value: application/json;charset=UTF-8
header: Server value: nginx
header: Pragma value: no-cache

 

Let me know if you have some ideas to help me solve this issue...

 

Thanks

Andrea

Best Answer
0 Votes

Can you capture and share the request?

Best Answer
0 Votes

Hi, this is what I captured:

 

HEADERS
Cache-Control: no-cache
Pragma: no-cache
Total-Route-Time: 0
Sfdc-Stack-Depth: 1
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
X-Request-Id: 6dcc8212-6a57-4ac0-8dbc-6e8123302241
Host: requestb.in
Via: 1.1 proxy-lon.net.salesforce.com (squid), 1.1 vegur
Connect-Time: 3
User-Agent: SFDC-Callout/33.0
Content-Length: 193
Authorization: Basic MjI5UVJMOmJjZmVkODYxMmU4NTliNzg1ZjUwZjk3NTAzMzdj****
Content-Type: application/x-www-form-urlencoded
Connection: close

FORM/POST PARAMETERS
{"redirect_uri":"https://eu5dev-developer-edition.eu5.force.com/FitBitCallback","grant_type":"authorization_code","co...

RAW BODY
{"redirect_uri":"https%3A%2F%2Feu5dev-developer-edition.eu5.force.com%2FFitBitCallback","grant_type":"authorization_code","code":"0fcb4b1f6a2425fb9e739a854e9d438085a403a3","client_id":"******"}

 

I hope this helps...

 

Thanks

Andrea

Best Answer
0 Votes

Hi, I found out that my system is adding all the headers by itself (I use an ootb object to perform POST calls), and it is adding a wrong Host (as you can find in my previous post).

However, overwriting the Host with the right one, I am now receiving this from the API (note the underlined phrase):

[errors=(vArrErr:[errorType=oauth, fieldName=n/a, message=invalid_request, Missing grant_type parameter value]), success=false]

The problem is that I am passing the parameter in the body, so how is it possible that the API answers with that?

 

Thanks

Andrea

Best Answer
0 Votes

Looking at the raw body of your request, it appears that you are passing a JSON body instead of POST parameters.

Best Answer
0 Votes

Hi Jeremiah,

I was able to successfully call the token service; anyway, yes, I was passing a JSON in the body and that was one of the issues.

In order to successfully call the service I had to send a string in the body (POST parameters, as you were saying) and overwrite some of the header parameters (the Host one was totally wrong).

Anyway, now it's working properly.

 

Thanks

Andrea

Best Answer
0 Votes
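The fix this thread arrives at (form-encoded POST parameters, a Base64 Basic header, the right Host), shown as an added example that is not code from the thread or from Fitbit. It uses the sample client id and secret from the reply above; the `code` value, the example.com redirect URI and the function names `build_token_request` and `diagnose` are constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

TOKEN_URL = "https://api.fitbit.com/oauth2/token"  # endpoint named in the thread

def build_token_request(client_id, client_secret, code, redirect_uri):
    """Build (without sending) the authorization_code token request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # urlencode percent-encodes each value once, so pass the raw redirect_uri.
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }).encode()
    return Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })

def diagnose(headers, raw_body):
    """Return the problems found in a captured token request."""
    problems = []
    expected_host = urlsplit(TOKEN_URL).netloc
    if headers.get("Host") != expected_host:
        problems.append(f"Host is {headers.get('Host')!r}, expected {expected_host!r}")
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    try:
        decoded = base64.b64decode(cred, validate=True).decode()
    except ValueError:
        decoded = ""
    if scheme != "Basic" or ":" not in decoded:
        problems.append("Authorization is not Basic base64(client_id:secret)")
    try:
        if isinstance(json.loads(raw_body), dict):
            problems.append("body is JSON, not form-encoded POST parameters")
    except ValueError:
        pass  # not JSON, which is what the endpoint expects
    if "grant_type" not in parse_qs(raw_body):
        problems.append("a form parser finds no grant_type parameter")
    return problems

if __name__ == "__main__":
    # Constructed sample shaped like the capture in the thread.
    bad = json.dumps({"grant_type": "authorization_code", "code": "CONSTRUCTED"})
    print(diagnose({"Host": "requestb.in"}, bad))
```

A JSON body sent under `Content-Type: application/x-www-form-urlencoded` contains no `name=value` pairs, which is why the server reported a missing `grant_type` even though the key was present in the JSON.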
Is there any confirmation for use of the secret key and consumer key when using the Fitbit API?
Best Answer
0 Votes