Unable to use a callback url with a #

ANSWERED

My URL cannot be used as a callback URL. Is there a workaround?

https://oq1mx5oh.pp.vuforia.io:8443/Thingworx/Runtime/index.html#mashup=FitbitAuth

Thanks

Accepted Solutions

This is intentional.

You should use the 'state' parameter on the OAuth 2 Authorization Page. The state parameter will then be added to the redirect URI exactly as your application specified it when sending users to the Authorization Page. Note that if you are using the Authorization Code Grant Flow, you'll also need to send the 'state' parameter when making the Access Token Request.

But the returning URL does not contain the suffix "#mashup=xxx", which is what I expect.

How can I achieve that?

--
Laurent

URL fragments (#stuff) are not allowed in redirect URIs. You need to use the 'state' parameter instead.

This is per the OAuth 2 RFC, as the Implicit Grant Flow uses URL fragments. Fitbit additionally removes them when using the Authorization Code Grant flow for security reasons related to Google and Facebook single sign on.


When invoking the URL, adding

&state=%23mashup%3DFitbitAuth

does not produce a returning URL suffixed with #mashup=FitbitAuth


Correct, it won't. This is a defined OAuth 2.0 behavior. URL fragments are not permitted on the redirect URI. You have to use another method for representing this information, either in the URL path itself (e.g. https://example.com/auth/fitbit) or using the 'state' parameter.
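The approach the replies describe, as an added example that is not part of the original thread and not Fitbit's or ThingWorx's code: register a fragment-free redirect URI, carry the wanted fragment in `state` next to a per-session nonce, and restore the fragment on the callback page after checking both. The function names, the allowlist, and the example.com URLs, client id and nonce are assumptions constructed for illustration.

```javascript
// Added example. Hypothetical names: ALLOWED_ROUTES, buildAuthorizeUrl, sameString, resolveCallback.
const ALLOWED_ROUTES = new Set(["mashup=FitbitAuth"]); // fragments the app may return to

// Step 1: build the authorization URL. redirect_uri carries no fragment; the
// fragment travels in `state` as "<nonce>.<route>". The caller generates the
// nonce with a CSPRNG (hex or base64url, so it contains no "."), keeps it in the session.
function buildAuthorizeUrl(authorizeEndpoint, clientId, redirectUri, nonce, route) {
  if (new URL(redirectUri).hash) throw new Error("redirect_uri must not contain a fragment");
  if (!ALLOWED_ROUTES.has(route)) throw new Error("route not allowlisted");
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", nonce + "." + route);
  return url.toString();
}

// Compare without an early exit so timing does not reveal a matching prefix.
function sameString(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i); // out-of-range index yields NaN, treated as 0
  }
  return diff === 0;
}

// Step 2: on the callback page, verify the nonce (CSRF check), allowlist the
// route (no open redirect), then rebuild the fragment URL client-side.
function resolveCallback(callbackUrl, expectedNonce) {
  const url = new URL(callbackUrl);
  const state = url.searchParams.get("state") || "";
  const dot = state.indexOf(".");
  if (dot < 0) return { ok: false, reason: "malformed state" };
  const nonce = state.slice(0, dot);
  const route = state.slice(dot + 1);
  if (!sameString(nonce, expectedNonce)) return { ok: false, reason: "state nonce mismatch" };
  if (!ALLOWED_ROUTES.has(route)) return { ok: false, reason: "route not allowlisted" };
  return {
    ok: true,
    code: url.searchParams.get("code"), // exchanged for tokens server-side
    target: url.origin + url.pathname + "#" + route,
  };
}
```

In a browser, the callback page would call `location.replace(result.target)` once `result.ok` is true and the code has been handed to the backend.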