help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Settings OAuth Button using Auth Code Flow w/ PKCE & S256

ANSWERED

‎02-13-2021 14:29 - edited ‎02-13-2021 14:30

‎02-13-2021 14:29 - edited ‎02-13-2021 14:30

I'm trying to implement the OAuth settings component using the Authorization Code Flow w/ PKCE with my OAuth provider. It almost works, except that the `code_challenge_method` parameter is set to "plain", which isn't supported in a few identity services like Auth0 or Okta.

 

Is there any support on this or should I resort to using the client credentials flow (client id and secret) -- and is it safe to assume that the client secret can be safe hard-coded as such? Help is much appreciated, thank you!

Creator of Pixels on Ridge. Just building fun stuff. Check out some of my Fitbit libraries like fitbit-settings or fitbit-core to help accelerate your development.
Best Answer
0 Votes
1 BEST ANSWER

Accepted Solutions

‎02-25-2021 11:42

In response to brh55

‎02-25-2021 11:42

You might be better off posting in this forum. However, I think the news might not be good. ☹️

Peter McLennan
Gondwana Software

View best answer in original post

Best Answer
4 REPLIES 4

‎02-24-2021 19:26

‎02-24-2021 19:26

Hi @brh55 

 

"code_challenge_method = plain" is the default setting.  You can change it to S256.   Here's the information on that connection option listed in our documentation

 

For use with PKCE support only. Defaults to plain if not present in the request. Code verifier transformation method is S256 or plain.

Default = plain
Optional
Type: string

 

If Okta or Auth0 does not support S256 please let us know.   

 

Unfortunately, the client credentials flow does not allow for retrieving Fitbit user data.   The next safest option would be to use Authorization Code Grant Flow (without PKCE).

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes

‎02-25-2021 07:43

In response to Gordon-C

‎02-25-2021 07:43

Hey @Gordon-C

This is in regards to the Settings API / OAuth Button Component - https://dev.fitbit.com/build/reference/settings-api/#oauth-button

I don't see any parameter to override that code_challenge_method.

Creator of Pixels on Ridge. Just building fun stuff. Check out some of my Fitbit libraries like fitbit-settings or fitbit-core to help accelerate your development.
Best Answer
0 Votes

‎02-25-2021 11:42

In response to brh55

‎02-25-2021 11:42

You might be better off posting in this forum. However, I think the news might not be good. ☹️

Peter McLennan
Gondwana Software
Best Answer

‎02-25-2021 11:44

In response to Gondwana

‎02-25-2021 11:44

Opps, I didn't realize I posted on Web API Development! I'll repost this on the correct forum.

Creator of Pixels on Ridge. Just building fun stuff. Check out some of my Fitbit libraries like fitbit-settings or fitbit-core to help accelerate your development.
Best Answer
0 Votes