Hello,

In my case, I get a HTTP 400 error while invoking the access token service.

well well well, i just noticed that all my access codes are suffixed with "#success".

It is probably the issue.

This is the issue.

After authenticating on the fitbit webpage, my callback url is now :

http://logincallback?state=ba71e7df-f151-4a24-8b7e-19767e575fb5&code=16c5092d8296xxxxxxx74360017dad9080cf#success

the issue is that the parameter code is now appended with "#success".

I checked my app logs, this behaviour has appeared yesterday only.

By removing this part of the code, i'm able to get my access tokens again.

@OlivierS: The URI fragment is never sent to a server. Are you getting the 'code' value client side?

It's a native Android app.

The process i'm using is the following :

-the user starts the android app and request to authenticate

-the web browser (native browser or chrome custom tabs) opens for login (fitbit login page).

-the redirect uri is a custom url scheme that is opened locally by my app.

-the callback containing the authentication code fires my app back.

-the code is extracted from the callback sent to my web server by a secured rest service.

-the access token and refresh token are obtained server side from the fitbit access token service (with my app id and secret) and stored server side.

Is there a problem with this process ?

Why do you have the Authorization Page redirect to your native app instead of directly to your webserver?

I need to go back to my app (launch an activity) after the fitbit login page.

By setting a custom url scheme and a local redirect like redirect_uri=myapp://logincallback?code=XXXX, my app regains control of the the flow.

The activity that receive the callback just forward the oauth2 code to my webserver.

What's the problem with that ?

This flow is more typical:

1. Your native app opens the Authorization Page
2. Fitbit redirects the user to your webserver, which does the code exchange
3. Your webserver redirects back to your native app using your custom URI scheme containing the Fitbit access token

Thanks for your really quick answer. 

That was my 2nd idea indeed, but i didn't implement that.

I can change it, but i don't see a major difference. Do you?

The main advantage is that it'd be easier to add validation logic (did the person actually give you all of the scope that you requested?) or guarantee the code-to-access token exchange is successful.

Hi Jeremiah, 

In our case, we can not pass response to our web-server application, because it use Rest approach and parameters are pass in the uri, as path variables, as far as I know fitbit support only one redirect_uri per application.
We also faced with #success problem, but on iOS platform, can we pass any additional parameter that will replace this postfix?
Thanks in advance,

Hi,

I am trying the following:

1. My native app opens the Authorization Page
2. Fitbit redirects the user to your webserver, which does the code exchange and then it should return back to my app. I have added redirect url when I call fitbit login page.

I get succesfully redirected to fitbit login page then it goes through multiple redirects and lands to a page with already_redirected=true_#_ and never calls back my redirect url.

What could be the problem here?

Thanks.

I'm having the same problem. I've even just followed the flow from within the interactive oauth webpage with the same results.

@welbe: Please describe the HTTP requests being made, where they are being made (Web browser, Web server, native app, etc) and the responses you're receiving.

I've narrowed down the variables.

Apparently if the first fitbit URL contains my redirect_url then I get an invalid code. If it just has '' then the parameter is ignored and I get a valid code.

If a redirect_uri is specified in the Authorization Page URL, it must be specified again when you do the Access Token Request.

While optional, you are strongly encouraged to specify the redirect_uri as a best practice.