Request_token and access_token both work, post fails

I'm trying to get FB oauth running in an iOS app. I'm able to successfully make the request_token and access_token calls, but subsequent attempts to actually post data always fail with an invalid_signature error.

 

Here's the error:

 

 

{"errors":[{"errorType":"oauth","fieldName":"oauth_signature","message":"Invalid signature: bmOOtH3Rb4Uoi66yE9V6fM0GjJc="}],"success":false}

 

from this call: 

oauth_consumer_key:  [##-this-is-my-consumer-key-##]

oauth_nonce: 650493950

oauth_signature_method: HMAC-SHA1

oauth_timestamp: 1403489016

oauth_token: 919a148254e19383842eba8545b24f9a

oauth_version: 1.0

 

Result: POST&https%3A%2F%2Fapi.fitbit.com%2F1%2Fuser%2F-%2Factivities.json&oauth_consumer_key%3D [##-this-is-my-consumer-key-##]%26oauth_nonce%3D650493950%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1403489016%26oauth_token%3D919a148254e19383842eba8545b24f9a%26oauth_version%3D1.0

Encoded: bmOOtH3Rb4Uoi66yE9V6fM0GjJc=

 

 

Here are the ways I'm generating the various signatures (note that these are from a different run of the app than what's above):

 

Token Request:
oauth_consumer_key: [##-this-is-my-consumer-key-##]
oauth_nonce: 1112251665
oauth_signature_method: HMAC-SHA1
oauth_timestamp: 1403488515
oauth_version: 1.0

Result: POST&https%3A%2F%2Fapi.fitbit.com%2Foauth%2Frequest_token&oauth_consumer_key%3D[##-this-is-my-consumer-key-##]%26oauth_nonce%3D1112251665%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1403488515%26oauth_version%3D1.0
Encoded: bsEhI93QxUw0DkMACH5/ApWKLCk=


Access Request:
oauth_consumer_key: [##-this-is-my-consumer-key-##]
oauth_nonce: 607151652
oauth_signature_method: HMAC-SHA1
oauth_timestamp: 1403488538
oauth_token: 889d83911124adba5420ec4f51ad738b
oauth_verifier: lc50p7jhhgea1if0hukj4saqso
oauth_version: 1.0

Result: POST&https%3A%2F%2Fapi.fitbit.com%2Foauth%2Faccess_token&oauth_consumer_key%3D[##-this-is-my-consumer-key-##]%26oauth_nonce%3D607151652%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1403488538%26oauth_token%3D889d83911124adba5420ec4f51ad738b%26oauth_verifier%3Dlc50p7jhhgea1if0hukj4saqso%26oauth_version%3D1.0
Encoded: Vifsf1QCIyZ25uk7sN8le3UEp98=

 

POST request:
oauth_consumer_key: [##-this-is-my-consumer-key-##]
oauth_nonce: 714024649
oauth_signature_method: HMAC-SHA1
oauth_timestamp: 1403488538
oauth_token: a4e03XXXac494398962b3952a152d7c6
oauth_version: 1.0

Result: POST&https%3A%2F%2Fapi.fitbit.com%2F1%2Fuser%2F-%2Factivities.json&oauth_consumer_key%3D[##-this-is-my-consumer-key-##]%26oauth_nonce%3D714024649%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1403488538%26oauth_token%3Da4e0393bac494398962b1895a152d7c6%26oauth_version%3D1.0
Encoded: zBJo00xzmmpwjvGmFiRk7JmekVA=

 

Am I missing something obvious here?

 

Thanks!

Ben

Best Answer
0 Votes
8 REPLIES 8

Ben.

Can you please explain what you are trying to do with the request you're making?

 

It seems that you are trying to post an activity; however, you don't pass any parameters to post.

If you want to read data then you have to use GET instead of POST.

 

 

Please check here for examples of possible requests: https://wiki.fitbit.com/display/API/API+Explorer

 

Also beware: once you've been issued an access token, make sure you save it somewhere so you can pull it out later. If you request a new access token, the previous one will be invalidated.

 

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

I'm trying to post an activity (steps, to be exact). Here's the full URL I'm using:

 

https://api.fitbit.com/1/user/-/activities.json?activityId=90013&startTime=15%3A50&durationMillis=60...

 

I'm caching the request token; the reason there are repeated token requests in the sample is that I'm trying to figure this problem out, so I keep wiping out my saved data :-)

 

Thanks!

Ben

Best Answer
0 Votes
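An added example, not part of the original thread: OAuth 1.0a (RFC 5849, section 3.4.1) signs the URL query and form parameters together with the oauth_* ones, and the Python below builds the signature base string both ways for the activities.json call discussed above. The consumer key, token and secrets are constructed placeholders, and only the two query parameters visible in the truncated URL are used.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    # RFC 5849 section 3.6: everything except unreserved characters is escaped.
    return quote(str(value), safe="-._~")

def base_string(method, url, oauth_params, body_params=()):
    parts = urlsplit(url)
    # Base string URI: lowercased scheme and host, path, no query string.
    # (Default-port stripping is not needed for this URL.)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Signed parameters: oauth_* values, URL query pairs and form-body pairs.
    pairs = list(oauth_params.items())
    pairs += parse_qsl(parts.query, keep_blank_values=True)
    pairs += list(body_params)
    # Encode each name and value, then sort by encoded name and value.
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def sign(base, consumer_secret, token_secret=""):
    # HMAC-SHA1 key is "consumer_secret&token_secret", each percent-encoded.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

# Constructed sample values: key, token and both secrets are placeholders.
OAUTH = {
    "oauth_consumer_key": "CONSTRUCTED_CONSUMER_KEY",
    "oauth_nonce": "714024649",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1403488538",
    "oauth_token": "CONSTRUCTED_ACCESS_TOKEN",
    "oauth_version": "1.0",
}
ENDPOINT = "https://api.fitbit.com/1/user/-/activities.json"
QUERY = "?activityId=90013&startTime=15%3A50"  # visible part of the posted URL

def compare(consumer_secret="constructed-secret", token_secret="constructed-token-secret"):
    oauth_only = base_string("POST", ENDPOINT, OAUTH)
    full = base_string("POST", ENDPOINT + QUERY, OAUTH)
    return (oauth_only, full,
            sign(oauth_only, consumer_secret, token_secret),
            sign(full, consumer_secret, token_secret))

if __name__ == "__main__":
    print(*compare(), sep="\n")
```

The query values are encoded twice in the base string (`15:50` becomes `15%253A50`), and the two signatures differ, so a server that rebuilds the base string from the full request will not match a signature computed over the oauth_* parameters alone.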

@BenGottlieb wrote:

{"errors":[{"errorType":"oauth","fieldName":"oauth_signature","message":"Invalid signature: bmOOtH3Rb4Uoi66yE9V6fM0GjJc="}],"success":false}

 

from this call: 

oauth_consumer_key:  [##-this-is-my-consumer-key-##]

oauth_nonce: 650493950

oauth_signature_method: HMAC-SHA1

oauth_timestamp: 1403489016

oauth_token: 919a148254e19383842eba8545b24f9a

oauth_version: 1.0

 

Result: POST&https%3A%2F%2Fapi.fitbit.com%2F1%2Fuser%2F-%2Factivities.json&oauth_consumer_key%3D [##-this-is-my-consumer-key-##]%26oauth_nonce%3D650493950%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1403489016%26oauth_token%3D919a148254e19383842eba8545b24f9a%26oauth_version%3D1.0

Encoded: bmOOtH3Rb4Uoi66yE9V6fM0GjJc=


I could not find a user with the token "919a148254e19383842eba8545b24f9a"

What do you mean by caching the request token? The request token can only be used to get an access token and once you get the access token, it should be discarded.

Best Answer
0 Votes

Sorry, I misspoke, I'm caching the access_token (returned from the /access_token call as the oauth_token field). I just re-did my auth, and my current access token is "7cab53e8f2f6d1d2842e4691490b49a7"

Best Answer
0 Votes

This token does not exist in our system either.

 

How are you getting the access token? Is it steps D-E: https://wiki.fitbit.com/display/API/OAuth+Authentication+in+the+Fitbit+API#OAuthAuthenticationintheF... ?

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

The access_token is returned after I make call "E" (the server response is then "F"). The first message in the thread shows the order of calls I make; I just changed the parameters a bit to protect my keys.

Best Answer
0 Votes

Ah, never mind, I see your token now...

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

Can you please send me in a private message the request that you're making so I can validate that the signature you're generating is correct.

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes