
Salesforce Fitbit auth process

ANSWERED

I'm working on integration between Salesforce and Fitbit, and I need to connect Users (Patients) from Salesforce with their Fitbit accounts/devices. In the authentication process I need to redirect the Patient from Salesforce to the Fitbit authentication page and I need to extract the Auth Code from Fitbit. So, I created two pages in Salesforce; the first one will contain the User ID (in my case Patient ID). Next comes redirection from this page to the Fitbit authentication page, where the Patient allows scopes, and after that it redirects the Patient to the second Salesforce page with the Auth Code attached. So, I wanted to ask: is it possible somehow to include the Patient ID in the redirection URL (from the first page to Fitbit), like this: "https://www.fitbit.com/oauth2/authorize?response_type=code&client_id=23B7VQ&patientID=12345&redirect_uri=https://myorg.visualforce.com/apex/GrabAuthCode&scope=activity%20heartrate%20nutrition" and to get this same patientID with the Auth Code?

The Patient ID disappears in the redirection process and I just get the Auth Code, like this --> "https://myorg.visualforce.com/apex/GrabAuthCode?code=e855cb24639195bd4c4f00059413f3335344ca63#_=_"
So, is there a way to send patientID to Fitbit in redirection link and get it back with Auth code?

Thank you!

Accepted Solutions

Hi @shoxx 

There are 2 ways that you can link the Fitbit user ID to your patient ID.

1. When the patient logs into your application, you know the patient ID of that person. From within the user's account, you should initiate the authorization flow for Fitbit. When consent is granted, we provide the Fitbit user ID when exchanging the authorization code for the access token. At that point, you know the Fitbit user ID, and you can link the two together.

2. The state parameter (optional) might help here. This parameter is added to the redirect URL exactly as your application specifies it. You could include the Patient ID as the state parameter's value. I'd recommend you provide some sort of strong encryption on the value. Otherwise, a third party who is snooping the communication wouldn't have clear access to the user's patient ID and Fitbit user ID. See https://dev.fitbit.com/build/reference/web-api/oauth2/#authorization-page.

Gordon

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
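
The `state` round trip from option 2, as an added example that is not part of the original answer and is not Fitbit or Salesforce code. Instead of encrypting the patient ID into `state`, this sketch sends a random, single-use value and keeps the patient ID in a server-side lookup, so nothing identifying travels in the URL; it is written in Python for illustration, and `CLIENT_ID`, `STATE_TTL_SECONDS`, `pending_states` and both function names are assumptions.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs, quote

AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"         # from the question
REDIRECT_URI = "https://myorg.visualforce.com/apex/GrabAuthCode"  # from the question
CLIENT_ID = "YOUR_CLIENT_ID"   # placeholder, not a real client ID
STATE_TTL_SECONDS = 600        # assumed lifetime of a pending authorization

# Hypothetical server-side store: state -> (patient_id, expiry timestamp).
# A real deployment would use the user's session or a database record.
pending_states = {}

def start_authorization(patient_id, now=None):
    """Build the authorization URL with a fresh, opaque state value."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)   # unguessable and reveals nothing
    pending_states[state] = (patient_id, now + STATE_TTL_SECONDS)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "activity heartrate nutrition",
        "state": state,
    }, quote_via=quote)
    return f"{AUTHORIZE_URL}?{query}"

def handle_callback(callback_url, now=None):
    """Return (patient_id, auth_code); raise ValueError on a bad callback."""
    now = time.time() if now is None else now
    # urlsplit keeps the trailing "#_=_" fragment out of the query string.
    params = parse_qs(urlsplit(callback_url).query)
    code = params.get("code", [None])[0]
    state = params.get("state", [None])[0]
    if not code or not state:
        raise ValueError("callback is missing code or state")
    entry = pending_states.pop(state, None)   # single use: removed on lookup
    if entry is None:
        raise ValueError("unknown or already used state")
    patient_id, expires_at = entry
    if now > expires_at:
        raise ValueError("state has expired")
    return patient_id, code
```

Rejecting unknown, replayed and expired `state` values also stops a callback that your application did not initiate from being linked to a patient record.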
