help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: Enquiry on Revoking of access token using client id and client credentials

ANSWERED

‎10-26-2019 04:08

‎10-26-2019 04:08

I am considering storing the access token and refresh token on my server side or locally on my mobile app.

 

If I choose to store it on the client side the attach area is reduced as a compromise of the keys will be done on a per user basics, but I will loose other capabilities such as subscription api. 

 

However storing it in my  backend side will give me the ability to use subscription apis and a lot of other things related to custom triggers on my fitbit watch face specific to a user.

 

But obviously if my server is compromised I might have to do a lock down (For protecting all user sensitive data). However if the attacked has already managed to get access to the refresh token and access token of all users by the time I detect the issue then users fitbit data might be compromised. Hence I am trying to find out if there is a possibility of doing a similar lock down on the fitbit side easily. 

Best Answer
0 Votes
1 BEST ANSWER

Accepted Solutions

‎11-04-2019 10:32

In response to benjosantony

‎11-04-2019 10:32

Hi @benjosantony 

 

Depending on how your application was compromised, you could look at resetting the client secret and/or revoking the client access tokens.  These can be done in your application settings of the dev.fitbit.com portal.

 

Screen Shot 2019-11-04 at 10.22.50 AM.png

 

When you reset your client secret, you will receive a new client secret and will need to modify the client secret in your code for your application to continue querying the APIs.

 

Revoking the client access tokens allows you to revoke all access tokens issued before a specified date.  The users who access tokens were revoked will need to reauthorize consent.

 

Both of these things are fairly drastic, but allow you to immediately protect your users, application and the data.  

 

It's been a long time since such issue has occurred.   When we discover your application has been compromised, we will work with you to determine the size of the impact, what caused the issue, the next steps to address the issue and prevent it from happening again, and how to communicate the problem to our mutual customers.  You can reach out to customer support at https://dev.fitbit.com/build/reference/web-api/help/, and we can take it from there.

 

Gordon

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google

View best answer in original post

Best Answer
3 REPLIES 3

‎10-28-2019 11:38

‎10-28-2019 11:38

Hi @benjosantony,

 

If you're worried about your system being compromised, I'd recommend using the Authorization Code Grant Flow and store the tokens on your server.  The access token is short lived and will expire after 8 hours.   You could use extra security of Authorization Code Grant Flow with PKCE, https://dev.fitbit.com/build/reference/web-api/oauth2/#authorization-code-grant-flow-with-pkce, for added security if your server application doesn't have the security of web services.  You'll want to store the access token and refresh tokens.  You'll need the access token to execute any API call.  The refresh token is used to get a new access token/refresh token pair once the access token has expired. 

 

I would suggest if your system is compromised, contact us so our security team can get involved to help assess the impact.     

 

 

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes

‎10-30-2019 01:36

In response to Gordon-C

‎10-30-2019 01:36

Hi Gordon 

Thanks for the reply. 

 

As I highlighted in my question I am looking at a worst case scenario. As you pointed out for security reasons it is best to use use Authorization grant flow which is what I am planning to use 

 

But my question was what if my server gets compromised. (I am not planning to make my server easy to hack but regardless of the security measures I put in place there is always a possibility of a malory getting access to the access token and refresh token for atleast a period of time which could be used to in malicious ways, eg : Get a new access token and refresh token making the old one invalid or if the client id/secret is leaked malory could revoke the tokens etc ) 

 

So basically as far I understand if such a issue is detected it will be best to get in touch with fitibit as soon as possible.

 

May I enquire how what is your SOP when such issues are highlighted? 

Best Answer
0 Votes

‎11-04-2019 10:32

In response to benjosantony

‎11-04-2019 10:32

Hi @benjosantony 

 

Depending on how your application was compromised, you could look at resetting the client secret and/or revoking the client access tokens.  These can be done in your application settings of the dev.fitbit.com portal.

 

Screen Shot 2019-11-04 at 10.22.50 AM.png

 

When you reset your client secret, you will receive a new client secret and will need to modify the client secret in your code for your application to continue querying the APIs.

 

Revoking the client access tokens allows you to revoke all access tokens issued before a specified date.  The users who access tokens were revoked will need to reauthorize consent.

 

Both of these things are fairly drastic, but allow you to immediately protect your users, application and the data.  

 

It's been a long time since such issue has occurred.   When we discover your application has been compromised, we will work with you to determine the size of the impact, what caused the issue, the next steps to address the issue and prevent it from happening again, and how to communicate the problem to our mutual customers.  You can reach out to customer support at https://dev.fitbit.com/build/reference/web-api/help/, and we can take it from there.

 

Gordon

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer