12-14-2020 09:01
We are integrating the Fitbit API into our Android app. However, to cut down on client side complexity, we planned to use a web service on the back end to fetch user data. The authorization code flow is initiated on the client using PKCE and a random state value. We then send the refresh token to our server to handle data requests using client secret verification.
What is the appropriate OAuth2 application type for this flow? The client side PKCE only works with the application type set to “client”. However, as all data is collected on the backend, “server” feels more appropriate. Are there any downsides to setting the application type to “client”?
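The client-side part of the flow described in this question, as an added example (not code from the poster or from Fitbit): generating the PKCE verifier/challenge and state, building the authorize URL, and checking the returned state on the callback. The authorize endpoint, client id, redirect URI and scopes are assumed placeholder values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed value, not taken from the post: Fitbit's OAuth2 authorize endpoint.
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 chars from the URL-safe unreserved set."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """S256 code_challenge: BASE64URL(SHA256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_state() -> str:
    """Random, single-use state value bound to this authorization attempt."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        verifier: str, state: str) -> str:
    """Authorization request; the verifier itself is kept on the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str):
    """Return the authorization code only if the state matches, else None."""
    qs = parse_qs(urlparse(redirect_url).query)
    returned = qs.get("state", [None])[0]
    if returned is None or not secrets.compare_digest(returned, expected_state):
        return None  # mismatched or missing state: reject the callback
    return qs.get("code", [None])[0]
```

The code returned here is exchanged at the token endpoint together with the same verifier; only the resulting refresh token, not the verifier, would be handed to the back end.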
12-15-2020 09:21
If you're using a web service, then PKCE is not required and you should set the application type to "server". Application type "client" is used for applications that don't use a web service.