Oauth2 for python script

Hi all,

I need to program a Python script that periodically queries the Fitbit API to get some heart rate measurements.

So I tried to implement the flow described in the Fitbit OAuth 2.0 tutorial page in Python, but again I got a problem. When I visit the authorize page (https://www.fitbit.com/oauth2/authorize...), it redirects me to the login page. This is understandable, as I don't pass any cookie with the authorize request to say I'm still "logged in" (which doesn't happen in the browser). On the other hand, if I try to log in with my credentials, I get a 200 OK response, but there's no way of passing the cookies I get in that case to the following authorize request.

Here is a snippet of the code of what I'm trying to do:

import requests

# attempt 1
# this returns a 200 OK response, with a history of one redirect to the login page (see next request)
auth_url = ("https://www.fitbit.com/oauth2/authorize?response_type=token&client_id=[myId]"
            "&redirect_uri=[redirect_uri]&scope=activity%20heartrate%20location%20nutrition"
            "%20profile%20settings%20sleep%20social%20weight&expires_in=604800")
resp_auth = requests.get(auth_url)

# attempt 2
# I could get the login URL from resp_auth.history[0].headers["Location"]
# this returns a 200 OK response with a lot of cookies in the header, but no redirect
login_url = ("https://www.fitbit.com/login?disableThirdPartyLogin=true&redirect=%2Foauth2%2Fauthorize"
             "%3Fclient_id%3D[myId]%26expires_in%3D604800%26redirect_uri=[redirect_uri]%26response_type%3Dtoken"
             "%26scope%3Dactivity%2Bheartrate%2Blocation%2Bnutrition%2Bprofile%2Bsettings%2Bsleep%2Bsocial%2Bweight%26state")
resp_login = requests.post(login_url, data={"username": "mymail@login.com", "password": "mypass"})

# trying to pass the cookies from the login response in the authorize request
# this still redirects me to the login page, no redirection to the callback URL
resp_auth_cookies = requests.get(auth_url, cookies=resp_login.cookies)

Any clue?

PS: I already tried with other oauth2 libraries, such as requests-oauth2, but they still require doing the redirection by hand, so they don't help.

I'm not 100% sure what you're trying to do, but to persist cookies and such that you've collected, I think you need to use requests.session.  Python documentation here

Also as an FYI, I suggest that you take out the two links you have in your question, as they have sensitive information in them.

Thank you for pointing out the link thing, and sorry if my explanation was a little bit cloudy. 

Basically, I'm trying to program a Python script which wakes up at regular intervals (let's say every hour) and queries the API to get some data.

The problem is that in that hour, any access token or refresh token might have expired. As far as I understood, when they have all expired, there's no procedure to gain access to the API other than re-obtaining the code through the initial authorize/redirect procedure and then asking again for the tokens. Now, in order to perform the authorize/redirect procedure (or rather, to get the right redirection where you can get the code), you need to be logged in, and this causes all the cookie problems.

Probably there's a correct way to deal with this problem, maybe using the client secret or something else I don't know about (for example, with the Twitter OAuth2 it is enough to save one of the tokens, which never expires).

What I was confused about is what OAuth 2 procedure you're using: Implicit Grant Flow or Authorization Code Grant Flow.  Both are specified in Fitbit's documentation on how they work.  If you get both access tokens and refresh tokens, then it sounds like you're using Authorization Code Grant Flow, right?

In Authorization Code Grant Flow, Fitbit's documentation says (from here):

access tokens have an eight-hour lifetime by default.

and

A refresh token does not expire until it is used. A refresh token can only be used once, as a new refresh token is returned with the new access token.

So, once you've gotten the code the first time, you will get your access token, which expires in 8 hours, and your refresh token, which doesn't expire until it's used (much like the Twitter OAuth2 you describe).  You can then use this refresh token the next time you want to fetch data, to get a new access token and refresh token, and you don't need to be logged in at all.  To get the code the first time, however, you do need the user to log in, and that's where you may need Python's requests.session.  It sounds like you've figured that part out, though.  Hopefully the explanation helps.

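The answer above as a scheduled script, added here as an example (not code from the thread or from Fitbit): the token pair is saved once after the initial code exchange, each later run refreshes only when the access token is near expiry, and because the refresh token is single-use the rotated pair is written to disk before it is used. The token endpoint URL, the heart-rate resource URL and the Basic-auth client credentials on the token request are assumptions about the Fitbit API, not quoted in the thread; the environment variable names and token file path are also my own choices.

```python
import base64
import json
import os
import time
try:
    import requests  # the HTTP client used in the thread
except ImportError:  # still importable without it: pass your own post/get callables
    requests = None
# Assumed Fitbit endpoints (not quoted in the thread); TOKEN_FILE is where the pair is persisted.
TOKEN_URL = "https://api.fitbit.com/oauth2/token"
HEART_URL = "https://api.fitbit.com/1/user/-/activities/heart/date/today/1d.json"
TOKEN_FILE = os.path.expanduser("~/.fitbit_tokens.json")

def save_tokens(tokens, path=TOKEN_FILE):  # the pair is a credential: owner-only file permissions
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)

def refresh_tokens(tokens, client_id, client_secret, post=None, now=time.time):
    """Trade the single-use refresh token for a new access/refresh pair; no user login involved."""
    post = post or requests.post
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    resp = post(TOKEN_URL, headers={"Authorization": "Basic " + basic},
                data={"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"]})
    if resp.status_code != 200:
        # A used or revoked refresh token cannot be recovered: the authorize step must be redone once.
        raise PermissionError(f"refresh rejected ({resp.status_code}); re-run the authorize flow")
    body = resp.json()
    return {"access_token": body["access_token"],
            "refresh_token": body["refresh_token"],  # rotated: the old one is now dead
            "expires_at": now() + body["expires_in"]}

def get_valid_tokens(tokens, client_id, client_secret, post=None, now=time.time, margin=60):
    """Return (tokens, refreshed); refresh only when the access token is expired or about to be."""
    if tokens["expires_at"] - now() > margin:
        return tokens, False
    return refresh_tokens(tokens, client_id, client_secret, post, now), True

def fetch_heart_rate(tokens, get=None):  # one scheduled poll with the bearer token
    get = get or requests.get
    resp = get(HEART_URL, headers={"Authorization": "Bearer " + tokens["access_token"]})
    resp.raise_for_status()
    return resp.json()

if __name__ == "__main__":  # one scheduled run; the first pair was saved right after the code exchange
    cur, changed = get_valid_tokens(json.load(open(TOKEN_FILE)), os.environ["FITBIT_CLIENT_ID"], os.environ["FITBIT_CLIENT_SECRET"])
    if changed:
        save_tokens(cur)  # persist before use: losing the rotated refresh token means re-authorizing
    print(fetch_heart_rate(cur))
```

Keep the client secret out of the script and the token file readable only by the account that runs the cron job; a refresh rejected with 4xx means the stored refresh token was already consumed or revoked, and only the interactive authorize step can recover from that.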

Did you ever figure this out?

Seems like I'm stuck in the same situation.  Trying to grab my own data through a non-website Python script... and it takes me to the login/consent page... it's like... wtf.

@SQLDeveloper 

As described earlier, the first time you obtain the access token, you will be prompted with the consent screen, even if your application type is set to "personal" and you're querying your own data.  

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google