12-02-2015 23:48
Hi,
So here is my problem: I made this app that logs water consumption on your Fitbit account.
If I use this app on only one mobile device, say a phone, it works quite well and the authentication procedure is flawless.
However, if I install the same app on my tablet and connect with the same account, it will work on the tablet, but on the phone I will get a "Refresh token invalid or expired" error.
I believe the problem is that there is no way to specify a device id anywhere during the authentication, and thus the authentication on the tablet returns a new refresh token that invalidates the refresh token on the phone; the user then has to go through the full authentication flow on the phone again, which invalidates the one on the tablet, and so on.
Could you tell me what I should do in order to circumvent this issue?
Thanks a lot in advance.
12-03-2015 03:47
@TheYann wrote: Hi,
So here is my problem: I made this app that logs water consumption on your Fitbit account.
If I use this app on only one mobile device, say a phone, it works quite well and the authentication procedure is flawless.
However, if I install the same app on my tablet and connect with the same account, it will work on the tablet, but on the phone I will get a "Refresh token invalid or expired" error.
I believe the problem is that there is no way to specify a device id anywhere during the authentication, and thus the authentication on the tablet returns a new refresh token that invalidates the refresh token on the phone; the user then has to go through the full authentication flow on the phone again, which invalidates the one on the tablet, and so on.
Could you tell me what I should do in order to circumvent this issue?
Thanks a lot in advance.
You're creating a new token on the tablet and the phone respectively. That means the API has to regenerate a new access/refresh token combination for you when you switch devices.
What you can do is share the tokens between the applications with your own API. Store them in a database, then on start-up make a network request to your API to get the tokens, and refresh them if necessary.
Fitbit authorizes application requests rather than device-specific requests, so you can share the tokens between devices as long as you use the same application to access Fitbit.
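The rotation problem TheYann hit, and the shared-store fix jmitchell describes, as an added example that is not code from this thread or from Fitbit. The authorization server below is a stub with one rule: an app holds one live refresh token per user, and any new issue (a fresh authorization on another device or a refresh) revokes the previous one. Everything here (user names, token format, the in-memory store) is constructed for the demonstration.

```python
"""Added example: two devices each keeping a private copy of the refresh
token versus both going through one backend token store.  The stub server
below is not Fitbit's; it models only the single-live-refresh-token rule
the thread discusses."""
import secrets
import threading
from dataclasses import dataclass, field
from typing import Dict, Tuple


class InvalidGrant(Exception):
    """Stands in for the token endpoint's invalid_grant error, which the app
    surfaces as "Refresh token invalid or expired"."""


@dataclass
class StubAuthServer:
    # user -> the single refresh token currently valid for this application
    live_refresh: Dict[str, str] = field(default_factory=dict)

    def _issue(self, user: str) -> Tuple[str, str]:
        access, refresh = secrets.token_hex(8), secrets.token_hex(8)
        self.live_refresh[user] = refresh        # any older refresh token is now dead
        return access, refresh

    def authorize(self, user: str) -> Tuple[str, str]:
        """The full authorization flow, completed on some device."""
        return self._issue(user)

    def refresh(self, refresh_token: str) -> Tuple[str, str]:
        """grant_type=refresh_token: only the newest token is accepted."""
        owner = {tok: u for u, tok in self.live_refresh.items()}.get(refresh_token)
        if owner is None:
            raise InvalidGrant("Refresh token invalid or expired")
        return self._issue(owner)


@dataclass
class Device:
    """A phone or tablet that caches its own copy of the token pair."""
    name: str
    access: str
    refresh: str


def scenario_independent() -> bool:
    """Phone and tablet each authorize on their own.  Returns True when the
    phone's cached refresh token is rejected after the tablet authorized."""
    server = StubAuthServer()
    phone = Device("phone", *server.authorize("alice"))
    tablet = Device("tablet", *server.authorize("alice"))   # revokes the phone's token
    try:
        phone.access, phone.refresh = server.refresh(phone.refresh)
    except InvalidGrant:
        return True                                          # the error from the post
    return False


class SharedTokenStore:
    """The backend component: the only holder of the refresh token.  Devices
    ask it for an access token; a refresh replaces the stored pair under a
    lock so two callers cannot both spend the same single-use refresh token.
    A real deployment would keep this row in a database and refresh inside a
    transaction holding a row lock, for the same reason."""

    def __init__(self, server: StubAuthServer, user: str):
        self._server = server
        self._lock = threading.Lock()
        self.access, self.refresh = server.authorize(user)

    def access_token(self, force_refresh: bool = False) -> str:
        with self._lock:
            if force_refresh:   # in practice: on a 401, or once expires_at has passed
                self.access, self.refresh = self._server.refresh(self.refresh)
            return self.access


def scenario_shared() -> bool:
    """Both devices go through the store.  Returns True when both refreshes
    succeed and the store ends up holding the server's live refresh token."""
    server = StubAuthServer()
    store = SharedTokenStore(server, "alice")
    phone_token = store.access_token(force_refresh=True)    # phone starts up, token expired
    tablet_token = store.access_token(force_refresh=True)   # tablet does the same later
    return phone_token != tablet_token and server.live_refresh["alice"] == store.refresh


if __name__ == "__main__":
    print("independent devices break each other:", scenario_independent())
    print("shared store keeps both working:     ", scenario_shared())
```

The essential point is that the refresh token is single-use state owned by the (application, user) pair, not by a device, so whichever component refreshes must be the only component that stores it.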
12-03-2015 03:53
Yeah, but that would require me to have my own back-end and handle all that complexity.
My own back-end would mean a database, an authentication system, and so on; all I want is to log water consumption.
So no I don't think this is a good solution for my need.
It would be much simpler to have some differentiator id in the auth request directly, that could be a device id.
Is there any other solution possible?
12-03-2015 03:58
12-03-2015 04:19
Ok, I guess that would work for a phone vs. tablet differentiation, but if I swap phones I'm back to square one.
This is not an acceptable solution. How hard could it be to add an extra "device id" parameter?
12-03-2015 10:18
You should *never* distribute your client secret. If you're refreshing tokens in a mobile app, then you're distributing your client secret. This means that someone could decompile your app, get your client secret, and impersonate your app.
You should be using the Implicit Grant Flow instead.
If you want to refresh the token, you will need to have a web app component that manages the access tokens.
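The split JeremiahFitbit describes, as an added example that is not code from this thread or from Fitbit: the mobile app performs only the implicit grant (RFC 6749 section 4.2), which needs no client secret and yields no refresh token, while the refresh request (RFC 6749 section 6, with client authentication per section 2.3.1) is assembled only by a backend that holds the secret. Endpoint URLs, client id, secret and redirect URI are made-up placeholders. One caveat a practitioner should know: since this 2015 thread the implicit grant has been deprecated for native apps (RFC 8252 and the OAuth 2.0 Security Best Current Practice recommend the authorization code grant with PKCE, which also needs no client secret); the example keeps to the flow the answer names.

```python
"""Added example: implicit grant on the device (no secret), refresh only on
a backend.  All endpoints and credentials below are placeholders."""
import base64
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.example/oauth2/authorize"   # placeholder
TOKEN_URL = "https://auth.example/oauth2/token"           # placeholder
CLIENT_ID = "22ABCD"                                      # placeholder
REDIRECT_URI = "myapp://oauth-callback"                   # placeholder


# ---- mobile side: implicit grant, nothing secret ships in the app --------
def new_state() -> str:
    """Per-attempt random value the app keeps to bind the redirect to its request."""
    return secrets.token_urlsafe(16)


def implicit_authorize_url(state: str, scopes=("nutrition",)) -> str:
    """response_type=token asks for the access token directly in the redirect.
    Note what is absent: no client_secret anywhere in the request."""
    params = {
        "response_type": "token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


@dataclass
class ImplicitResult:
    access_token: str
    expires_in: int
    scope: str


def parse_implicit_redirect(redirect_url: str, expected_state: str) -> ImplicitResult:
    """The implicit grant returns the token in the URL *fragment* (not the
    query) and, per RFC 6749 4.2.2, never a refresh token.  A redirect whose
    state does not match ours is rejected rather than trusted."""
    frag = parse_qs(urlsplit(redirect_url).fragment, strict_parsing=True)
    if "error" in frag:
        raise ValueError(f"authorization failed: {frag['error'][0]}")
    if not hmac.compare_digest(frag.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: redirect is not a reply to our request")
    return ImplicitResult(
        access_token=frag["access_token"][0],
        expires_in=int(frag["expires_in"][0]),
        scope=frag.get("scope", [""])[0],
    )


def redirect_is_valid(redirect_url: str, expected_state: str) -> bool:
    try:
        parse_implicit_redirect(redirect_url, expected_state)
        return True
    except (ValueError, KeyError):
        return False


# ---- backend side: the only place the client secret exists ---------------
def client_basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication for the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_refresh_request(refresh_token: str, client_secret: str) -> Dict[str, object]:
    """Assemble (not send) the refresh request.  Whatever can produce this
    header can impersonate the application, which is why it must live on a
    server and not in an APK that anyone can decompile."""
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {
            "Authorization": client_basic_auth_header(CLIENT_ID, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token}),
    }


if __name__ == "__main__":
    st = new_state()
    print(implicit_authorize_url(st))
    # constructed redirect, as the authorization server would send it back
    print(parse_implicit_redirect(
        f"{REDIRECT_URI}#access_token=tok123&expires_in=3600&scope=nutrition&state={st}", st))
    print(build_refresh_request("rt_example", "s3cret")["headers"]["Authorization"])
```

The app never handles `build_refresh_request`; when its access token expires it either re-runs the implicit flow in the browser or asks the backend, which alone holds the refresh token, for a fresh access token.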
12-03-2015 11:47
Ok, thanks for this, I will try the implicit grant flow.
12-06-2015 15:13
JeremiahFitbit wrote: If you want to refresh the token, you will need to have a web app component that manages the access tokens.
That would be because of the application <=> user account access token.
Implicit is definitely the way to go; however, either implicit or authorization can be used if requests are made through a web application rather than directly from the mobile app. I think this is the way the user should go if they want to support multiple devices on the same application, especially if the callback URI is the same anyway.
12-07-2015 05:26
Thanks a bunch, Jeremiah and jmitchell, for your suggestions and help in this matter.
Indeed, thanks to you guys I have a better understanding of OAuth2, and implicit is absolutely what I should have done from the get-go.
I almost feel smart now 🙂 Thanks a lot.