help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

OAuth2 application type for Android app with backend web service

‎12-14-2020 09:01

‎12-14-2020 09:01

We are integrating the Fitbit API into our Android app.  However, to cut down on client side complexity, we planned use a web service on the back end to fetch user data.  The authorization code flow is initiated on the client using PKCE and a random state value.  We then send the refresh token to our server to handle data requests using client secret verification. 

What is the appropriate OAuth2 application type for this flow?  The client side PKCE only works with the application type set to “client”.  However, as all data is collected on the backend, “server” feels more appropriate.  Are there any downsides to setting the application type to “client”?

Best Answer
Labels:
0 Votes
1 REPLY 1

‎12-15-2020 09:21

‎12-15-2020 09:21

Hi @klandell_mssm 

 

If you're using a web service, then PKCE is not required and you should set the application type to "server".   Application type "client" is used for applications that don't use a web service.

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes