Solved: Save Access Token

Ria2 · ‎02-05-2020

Hello,

I have a simple question.

After the user gives my app permission to access Fitbit data.

I retrieved the access token successfully. 🙂

What is the next step?

Should I save the (Access token) for every user in my database? or is it preferable to save it in the shared preferences?

I think it should be saved in a secure place, but I don't know what is the best way to do this.

Note :

I want to access the user data from server-side code also, so in this case, should I save it in DB?

to summarize: I will get the access token using my Android App, & I want to use the access token for both sides ( server and client side ).

Thank you for your time.

#Android #Java #WebAPI #Fitbit

JohnFitbit · ‎02-07-2020

Hi @Ria2,

Welcome to the forums!

It depends on which authorization flow you chose.

If you use the Authorization Code Grant Flow, access tokens and refresh tokens should be stored on your application. Your application will use the access token to make requests to the Fitbit API. It will use the refresh token to obtain a new access token when the access token expires without having to prompt the user.
If you used the Implicit Grant Flow, access tokens should only be stored on the device used to obtain the authorization. Unlike the Authorization Code Grant Flow, the refresh tokens are not issued with the Implicit Grant Flow. Refreshing a token requires the use of the client secret, which cannot safely be stored in distributed application code. When the access token expires, users will need to re-authorize your app.

I hope this helps. Please let me know if you have any additional questions.

View best answer in original post

JohnFitbit · ‎02-07-2020

Hi @Ria2,

Welcome to the forums!

It depends on which authorization flow you chose.

If you use the Authorization Code Grant Flow, access tokens and refresh tokens should be stored on your application. Your application will use the access token to make requests to the Fitbit API. It will use the refresh token to obtain a new access token when the access token expires without having to prompt the user.
If you used the Implicit Grant Flow, access tokens should only be stored on the device used to obtain the authorization. Unlike the Authorization Code Grant Flow, the refresh tokens are not issued with the Implicit Grant Flow. Refreshing a token requires the use of the client secret, which cannot safely be stored in distributed application code. When the access token expires, users will need to re-authorize your app.

I hope this helps. Please let me know if you have any additional questions.

Ria2 · ‎02-07-2020

Okay Thank you , this is almost the perfecr answer! Very useful:-)
But i still have simple inquery, when i save the access key (which retrieved by Implicit Grant flow ), should I save it in an encoded form?

JohnFitbit · ‎02-10-2020

@Ria2 The access token you receive through the implicit grant flow is already encoded when you receive it. If you'd like to see them decoded, you can use https://jwt.io/.

deiG · ‎07-17-2022

I have a question, too. I'm building a server-side application that allows users access via web browsers. I can save the access token for every user. But when a user visit, I can't know which user he is. Is there a way to tackle this?

p.asc.hk

Join us on the Community Forums!

Community Guidelines

Learn the Basics

Join the Community!

Not finding your answer on the Community Forums?

Go to the Help Site

Contact Support

Save Access Token

Ria2

JohnFitbit

JohnFitbit

Ria2

JohnFitbit

deiG