OAuth2 application type for Android app with backe...

klandell_mssm · ‎12-14-2020

We are integrating the Fitbit API into our Android app. However, to cut down on client side complexity, we planned use a web service on the back end to fetch user data. The authorization code flow is initiated on the client using PKCE and a random state value. We then send the refresh token to our server to handle data requests using client secret verification.

What is the appropriate OAuth2 application type for this flow? The client side PKCE only works with the application type set to “client”. However, as all data is collected on the backend, “server” feels more appropriate. Are there any downsides to setting the application type to “client”?

Gordon-C · ‎12-15-2020

Hi @klandell_mssm

If you're using a web service, then PKCE is not required and you should set the application type to "server". Application type "client" is used for applications that don't use a web service.

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google

Join us on the Community Forums!

Community Guidelines

Learn the Basics

Join the Community!

Not finding your answer on the Community Forums?

Go to the Help Site

Contact Support

OAuth2 application type for Android app with backend web service

klandell_mssm

Gordon-C