
Unknown redirect_uri

What should I set for redirect_uri when I don't know what it is?


My plugin for HomeSeer uses HomeSeer's own web server, and can't know all the URIs the users have. It might be "http://localhost", "http://localhost:81", "http://some.public.ip" or any other combination you can think of.


All redirect_uri values must be stored in your app settings on https://dev.fitbit.com/apps . This is an important security requirement, as otherwise an evil-doing app could hijack your app's authorizations.



Whether it's so much safer or not I'm sure can be discussed at length, but to me (or rather, my users) this represents a huge problem.


And the question still remains: What do you do when you don't know the redirect_uri because you are essentially developing a web server plugin?


@Moskus wrote:

Whether it's so much safer or not I'm sure can be discussed at length


This is called an open redirect and it's a well documented security risk.



@Moskus wrote:

And the question still remains: What do you do when you don't know the redirect_uri because you are essentially developing a web server plugin?


I'm not familiar with what your app does or how it works, but it seems like a less typical use case. Most third-party applications using the Fitbit Web API are operators of their application—either as a service or as a distributed application that can be invoked via a custom URL scheme (e.g. myapp://auth/fitbit/done).


Fitbit does not yet offer an OOB (out-of-band) OAuth 2.0 flow. This is a flow typically used for TV apps, but could be used in a situation where the redirect_uri is unknown. This would be a flow that results in a short code displayed on the screen that a user could then copy/paste or type into a confirmation screen to complete the authorization.


If you are developing software for people to run on their own servers, they could register for their own client credentials at https://dev.fitbit.com/ and set their redirect URI.


Lastly, you could operate a service that allows people to register themselves with your service and set their final redirect URI. Then your app would be the redirect_uri for all of your users. Upon obtaining the access token and refresh token, your app would then redirect people to their specific destination.

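The relay service suggested in the last reply, as an added example that is not the poster's or Fitbit's code: the relay is the single registered redirect_uri, each self-hosted user pre-registers their own final destination in advance, and after the provider redirects back the relay forwards only to that exact stored string (never to anything taken from the request), which is what keeps it from becoming the open redirect mentioned earlier in the thread. Function names, the in-memory registry and the stubbed token exchange are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed registry: OAuth `state` -> final destination the user registered.
# A real relay would key this by user account in a database.
_pending: dict[str, str] = {}

def _is_acceptable_destination(uri: str) -> bool:
    """Accept only absolute http(s) URIs with a host and no fragment."""
    parts = urlsplit(uri)
    return parts.scheme in ("http", "https") and bool(parts.netloc) and not parts.fragment

def register_destination(final_redirect_uri: str) -> str:
    """A self-hosting user registers their own HomeSeer callback URI
    (e.g. http://localhost:81/...). Returns the single-use `state` value the
    relay places in the authorization URL it builds for that user."""
    if not _is_acceptable_destination(final_redirect_uri):
        raise ValueError("destination must be an absolute http(s) URI")
    state = secrets.token_urlsafe(32)
    _pending[state] = final_redirect_uri
    return state

def handle_callback(query_string: str) -> str:
    """Handle the provider's redirect back to the relay (the registered
    redirect_uri). Returns the URL the browser should be sent to next.
    The destination is looked up by `state` from the registry only, so a
    `redirect_uri` or similar parameter in the request has no effect."""
    params = parse_qs(query_string, keep_blank_values=True)
    state = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    if state is None or code is None:
        raise ValueError("callback missing state or code")
    # Single use: pop so a replayed callback with the same state is rejected.
    destination = _pending.pop(state, None)
    if destination is None:
        raise ValueError("unknown or already-used state")
    # Hypothetical: exchange `code` for access/refresh tokens with the
    # provider here and store them server-side; pass only an opaque handle on.
    handle = secrets.token_urlsafe(16)
    sep = "&" if urlsplit(destination).query else "?"
    return destination + sep + urlencode({"fitbit_auth": handle})
```

Because the stored destination is compared by exact string identity rather than prefix or pattern, each user's instance (localhost, a custom port, a public IP) must be registered exactly as it will be used.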