
Revoking Authorization For Implicit Grant Flow

How can I revoke an access token obtained through implicit grant flow? 

 

The documentation states:

"The Authorization header must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and secret concatenated with a colon."

 

But with implicit grant flow you don't have the secret, by design.

 

Thanks,

 

- Rich

0 Votes
3 REPLIES

You use the client id and client secret in the Authorization header to revoke an access token.

 

You should only do this server side, as you should not put your client secret on devices you don't control.

0 Votes
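The reply above describes the split that an implicit-grant client needs: the device holds only its access token, and the client secret lives on a backend that performs the revocation request. The following Python is an added example illustrating that split; it is not code from this thread or from Fitbit. The revocation URL, the `token` form parameter and the `AppConfig` names are assumptions (placeholders), not values from the page. The backend handler builds the server-to-server request with the Basic header exactly as the quoted documentation describes it (Base64 of `client_id:client_secret`), while the app-side payload never carries the secret.

```python
import base64
import urllib.parse
import urllib.request
from dataclasses import dataclass

# ASSUMPTION: placeholder revocation endpoint; the thread does not give the real URL.
REVOKE_URL = "https://api.example.invalid/oauth2/revoke"


@dataclass(frozen=True)
class AppConfig:
    """Backend-only configuration. client_secret must never ship inside the app."""
    client_id: str
    client_secret: str
    revoke_url: str = REVOKE_URL


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Basic ' + Base64(client_id:client_secret), as the documentation quoted above states."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def app_deauthorize_payload(access_token: str) -> dict:
    """What the mobile app sends to ITS OWN backend: only the token it was issued.
    This is the whole of what an implicit-grant client can contribute."""
    return {"token": access_token}


def build_revoke_request(access_token: str, cfg: AppConfig) -> urllib.request.Request:
    """Backend-side: the server-to-server revocation request carrying the secret.
    ASSUMPTION: a POST form body with a 'token' field; adjust to the provider's spec."""
    body = urllib.parse.urlencode({"token": access_token}).encode("ascii")
    headers = {
        "Authorization": basic_auth_header(cfg.client_id, cfg.client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(cfg.revoke_url, data=body, headers=headers, method="POST")


def handle_deauthorize(payload: dict, cfg: AppConfig) -> urllib.request.Request:
    """Backend endpoint the app calls. Validates the app's payload, then prepares the
    upstream revocation. Returns the Request so callers (and tests) can inspect it
    before sending; revoke_token() actually performs the send."""
    token = payload.get("token", "")
    if not token or not isinstance(token, str):
        raise ValueError("missing access token in deauthorize payload")
    return build_revoke_request(token, cfg)


def secret_leaks_to_url_or_body(req: urllib.request.Request, cfg: AppConfig) -> bool:
    """Sanity check: the secret belongs only in the Authorization header."""
    in_url = cfg.client_secret in req.full_url
    in_body = cfg.client_secret.encode("ascii") in (req.data or b"")
    return in_url or in_body


def revoke_token(req: urllib.request.Request, opener=None) -> int:
    """Send the prepared request; an injectable opener keeps this testable offline."""
    opener = opener or urllib.request.build_opener()
    with opener.open(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    cfg = AppConfig(client_id="22ABCD", client_secret="constructed-secret")
    req = handle_deauthorize(app_deauthorize_payload("constructed-access-token"), cfg)
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    print("secret leaked outside header:", secret_leaks_to_url_or_body(req, cfg))
```

Run from the backend only; the `app_deauthorize_payload` function is the entire surface the device sees. If the provider's revocation endpoint uses a different parameter name or URL, change `REVOKE_URL` and the form field in `build_revoke_request`, nothing else.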

So if I'm making an iOS app, I should be using implicit grant flow, correct? In that case, is there no way for the user to deauthorize directly from the app? I guess what I really want to do is to have the user be able to deauthorize the app if they choose.

0 Votes

Correct—your app should only revoke its own authorization via a server-to-server request.

 

People can also revoke access to apps they've authorized in their Fitbit settings.

0 Votes