10-04-2016 09:26
My URL cannot be used as a callback URL. Is there a workaround?
https://oq1mx5oh.pp.vuforia.io:8443/Thingworx/Runtime/index.html#mashup=FitbitAuth
Thanks
10-04-2016 10:44
This is intentional.
You should use the 'state' parameter on the OAuth 2 Authorization Page. The state parameter will then be added to the redirect URI exactly as your application specified it when sending users to the Authorization Page. Note that if you are using the Authorization Code Grant Flow, you'll also need to send the 'state' parameter when making the Access Token Request.
10-04-2016 11:52
URL fragments (#stuff) are not allowed in redirect URIs. You need to use the 'state' parameter instead.
This is per the OAuth 2 RFC, as the Implicit Grant Flow uses URL fragments. Fitbit additionally removes them when using the Authorization Code Grant flow for security reasons related to Google and Facebook single sign on.
10-04-2016 12:09 - edited 10-04-2016 12:09
When invoking the URL, adding
&state=%23mashup%3DFitbitAuth
does not produce a returning URL suffixed with #mashup=FitbitAuth
10-04-2016 12:19
Correct, it won't. This is a defined OAuth 2.0 behavior. URL fragments are not permitted on the redirect URI. You have to use another method for representing this information, either in the URL path itself (e.g. https://example.com/auth/fitbit) or using the 'state' parameter.
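
Added example, not part of the thread and not Fitbit's code: one way to carry the target view in `state` and have the callback page restore the fragment itself, checking `state` before acting on it. The authorization endpoint, host, client id and the nonce-plus-view layout of `state` are assumptions made for illustration.

```javascript
// Added example: endpoint, host and client id are placeholders, not real values.
const AUTHORIZE_ENDPOINT = "https://auth.example/oauth2/authorize";
// Registered redirect URI: no fragment, as the authorization server requires.
const REDIRECT_URI = "https://example.com/Thingworx/Runtime/index.html";

// Views the callback page may restore; anything else found in `state` is rejected.
const ALLOWED_VIEWS = new Map([["FitbitAuth", "#mashup=FitbitAuth"]]);

// Browser-side nonce; store it (e.g. in sessionStorage) until the callback arrives.
function newNonce() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the authorization URL: the view name travels in `state`,
// not as a fragment on the redirect URI.
function buildAuthorizeUrl(clientId, nonce, view) {
  if (!ALLOWED_VIEWS.has(view)) throw new Error("unknown view: " + view);
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: REDIRECT_URI,
    state: nonce + "." + view,
  }).toString();
  return url.toString();
}

// On the callback page: verify the nonce, then map the view name back to a
// fragment from the allow-list. Returns { code, target } or throws.
function handleCallback(callbackUrl, expectedNonce) {
  const params = new URL(callbackUrl).searchParams;
  const state = params.get("state") || "";
  const dot = state.indexOf(".");
  if (dot < 1 || state.slice(0, dot) !== expectedNonce) {
    throw new Error("state mismatch");
  }
  const fragment = ALLOWED_VIEWS.get(state.slice(dot + 1));
  if (!fragment) throw new Error("view not allowed");
  const code = params.get("code");
  if (!code) throw new Error("missing code");
  // The page navigates here itself; the server never sees or returns the fragment.
  return { code, target: REDIRECT_URI + fragment };
}
```

The allow-list lookup keeps a tampered `state` from steering the callback page to an arbitrary fragment or URL.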