Unable to revoke token

ANSWERED

Good evening devs,

In my webapp, I obtain an auth token and refresh token as described in https://dev.fitbit.com/build/reference/web-api/authorization/oauth2-token/, using the Authorization Code Grant Flow with PKCE (App Type: Client). This works perfectly.

Now I'm implementing logout functionality, to force the user to see Fitbit's login screen again. According to https://dev.fitbit.com/build/reference/web-api/authorization/revoke-token/ and https://community.fitbit.com/t5/Web-API-Development/Unable-to-revoke-token-when-using-PKCE/td-p/4324... it should be possible to revoke a user's token, using only the public client ID and the refresh (or auth) token.

However, I'm unable to revoke the user's token.

First I tried to pass the client_id and token as query params:

// At the top of the service file:
import { HttpHeaders } from '@angular/common/http';
import { firstValueFrom } from 'rxjs';

// AuthorizationService.ENDPOINT_REVOKE is set to: "https://api.fitbit.com/oauth2/revoke"
const headers = new HttpHeaders({ 'Content-Type': 'application/x-www-form-urlencoded' });
const token = localStorage.getItem('fitbit_refresh_token'); // contains the refresh token; checked and it is present
const clientId = applicationConfig.activeClient; // contains the correct 6-char public client id; checked it many times
const body = {};
// client_id and token passed as query parameters (this attempt fails with 404)
const result = await firstValueFrom(
  this.http.post(AuthorizationService.ENDPOINT_REVOKE + `?client_id=${clientId}&token=${token}`, body, { headers: headers })
);


This results in a 404 response.

Then I passed the client_id and token as body params:

const headers = new HttpHeaders({ 'Content-Type': 'application/x-www-form-urlencoded' });
const token = localStorage.getItem('fitbit_refresh_token');
const clientId = applicationConfig.activeClient;
// client_id and token passed as a plain object body (this attempt fails with 401)
const body = { client_id: clientId, token: token };
const result = await firstValueFrom(this.http.post(AuthorizationService.ENDPOINT_REVOKE, body, { headers: headers }));


This results in the following 401 response:

{
  "errors": [
    {
      "errorType": "invalid_client",
      "message": "Client id invalid. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."
    }
  ],
  "success": false
}


I've tried everything, but I have no idea what I'm doing wrong. It looks like the problem described in the link above. It should work, but apparently I'm still doing something wrong. Anyone have any ideas?

Thanks in advance,

Robert


Update:

It turned out I had to pass the body differently. For other Angular developers:

Replace

const body = { client_id: clientId, token: token };

with

const body = new HttpParams({ fromObject: { client_id: clientId, token: token } });

Thanks anyway!
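Why the object body produced the "invalid_client" error and the HttpParams body fixed it, as an added example that is not the original poster's code or Fitbit's: sending a plain object makes the HTTP client serialise the body as JSON even though the header says application/x-www-form-urlencoded, so a form parser on the server side never finds a client_id field. The block below uses the standard URLSearchParams in place of Angular's HttpParams; parseFormBody and simulateRevoke are hypothetical stand-ins for the server's form parsing and client check (the 401 invalid_client outcome is the one shown in the thread; the 400 for a missing token is an assumption of this simulation), and the client id and token values are constructed placeholders.

```typescript
// Added example (not from the original post). URLSearchParams stands in for
// Angular's HttpParams; parseFormBody/simulateRevoke are hypothetical server-side
// stand-ins. Client id and token values are constructed placeholders.

interface RevokeRequest {
  url: string;
  headers: Record<string, string>;
  body: string;
}

const REVOKE_URL = "https://api.fitbit.com/oauth2/revoke";

// The broken attempt: a plain object body is serialised as JSON, while the
// Content-Type header still claims form encoding.
function buildRevokeRequestBroken(clientId: string, token: string): RevokeRequest {
  return {
    url: REVOKE_URL,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: JSON.stringify({ client_id: clientId, token }),
  };
}

// The fixed attempt: a real form-encoded body, equivalent to
// new HttpParams({fromObject: {client_id, token}}) in Angular.
// URLSearchParams also percent-encodes characters such as '/', '+' and '='
// that commonly appear in tokens, so the server decodes them back intact.
function buildRevokeRequest(clientId: string, token: string): RevokeRequest {
  const params = new URLSearchParams({ client_id: clientId, token });
  return {
    url: REVOKE_URL,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: params.toString(),
  };
}

// Hypothetical stand-in for how a form-encoded endpoint reads the request body.
function parseFormBody(body: string): Map<string, string> {
  const fields = new Map<string, string>();
  new URLSearchParams(body).forEach((value, key) => fields.set(key, value));
  return fields;
}

// Hypothetical stand-in for the server's check: a public client must present
// its client_id in the form body, otherwise the request is rejected as
// invalid_client (the 401 seen in the thread). The 400 for a missing token is
// an assumption of this simulation, not documented Fitbit behaviour.
function simulateRevoke(
  req: RevokeRequest,
  knownClientId: string
): { status: number; errorType?: string } {
  const form = parseFormBody(req.body);
  if (form.get("client_id") !== knownClientId) {
    return { status: 401, errorType: "invalid_client" };
  }
  if (!form.get("token")) {
    return { status: 400, errorType: "invalid_request" };
  }
  return { status: 200 };
}

// Stand-alone run: compare both request shapes against the simulated server.
const demoClientId = "ABC123";            // constructed 6-char placeholder
const demoToken = "rt/ab+cd==";           // constructed token with characters that need encoding
console.log(simulateRevoke(buildRevokeRequestBroken(demoClientId, demoToken), demoClientId));
console.log(simulateRevoke(buildRevokeRequest(demoClientId, demoToken), demoClientId));
```

The JSON string, read as a form body, becomes a single key holding the whole JSON text with no value, so client_id is simply absent; the server cannot distinguish that from a wrong client id, which is why the error message says the client id is invalid rather than missing. Inspecting the raw request body in the browser's network tab (rather than the headers) is the quickest way to confirm which serialisation the client actually used.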
