OAuth2 application type for Android app with backend web service

We are integrating the Fitbit API into our Android app. However, to cut down on client-side complexity, we planned to use a web service on the back end to fetch user data. The authorization code flow is initiated on the client using PKCE and a random state value. We then send the refresh token to our server to handle data requests using client secret verification.

What is the appropriate OAuth2 application type for this flow? The client-side PKCE only works with the application type set to "client". However, as all data is collected on the backend, "server" feels more appropriate. Are there any downsides to setting the application type to "client"?


Hi @klandell_mssm

If you're using a web service, then PKCE is not required and you should set the application type to "server". Application type "client" is used for applications that don't use a web service.

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
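As an added illustration (not code from the question or from the Fitbit reply), here are the two kinds of client credential the thread contrasts: the PKCE verifier/challenge pair a public "client" type app sends because it holds no secret, and the HTTP Basic header a "server" type backend sends to the token endpoint using its client secret. Only the RFC 7636 S256 and RFC 6749 encodings are shown; the Fitbit token endpoint URL and its exact parameter names are not assumed here.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as both PKCE values are encoded (RFC 7636)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Public client (app type "client"): nothing on the device can be kept secret,
# so the app binds the authorization request to a one-time verifier instead.
def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    if verifier is None:
        # 32 random bytes -> 43 characters, inside the 43..128 range the RFC requires.
        verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verifier_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs when the code is redeemed."""
    _, expected = make_pkce_pair(verifier)
    return secrets.compare_digest(expected, challenge)


def state_matches(sent: str, returned: str) -> bool:
    """CSRF check on the redirect: the echoed state must equal the one we issued."""
    return secrets.compare_digest(sent, returned)


# Confidential client (app type "server"): the backend holds the client secret and
# authenticates to the token endpoint with HTTP Basic (RFC 6749 section 2.3.1).
def basic_auth_header(client_id: str, client_secret: str) -> str:
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = _b64url(secrets.token_bytes(16))
    print("code_challenge:", challenge, "state:", state)
    print("redeem ok:", verifier_matches(verifier, challenge))
    # Constructed placeholder credentials, not real Fitbit values.
    print(basic_auth_header("EXAMPLE_CLIENT_ID", "EXAMPLE_CLIENT_SECRET"))
```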