01-16-2024 20:41
Hi there,
There are multiple threads all asking the same question, some as old as 2016.
Is there any update on how to remove a subscription without a valid refresh token?
- Unsubscribe-from-notifications-with-expired-Access-Token
- We-need-the-ability-to-remove-users-from-a-subscription-without-a-valid
- Unable-to-delete-subscription-without-access-token
- In-the-case-of-an-expired-access-token-and-invalid-refresh-token-can-i
Even something in the admin portal would be better than nothing, even if there's nothing in the API.
Best regards,
Sam

Labels: Subscriptions API
01-22-2024 07:41
Hi @sambheadup
We don't have a complete solution for this problem yet, but we have implemented some functionality that can help you.
- We have 2 subscription notifications that let you know if the user has revoked consent:
  - userRevokedAccess - when subscribed to this collection, your application will be notified when the user has revoked consent to sharing their data with your application. The access token and refresh token for this user will become invalid and we will automatically delete the subscription created for this user. See https://dev.fitbit.com/build/reference/web-api/developer-guide/using-subscriptions/#Notifications-of...
  - deletedUser - We automatically create a subscription to this collection if your application has a subscriber already configured. Again, your application will be notified when the user has deleted their Fitbit account. The access token and refresh token for this user will become invalid and we will automatically delete the subscription created for this user. See https://dev.fitbit.com/build/reference/web-api/developer-guide/using-subscriptions/#Notification-of-...
- If you know the user still intends to share their data with your application but the tokens are bad, you can have the user go back through the authorization flow again. This will create 2 new tokens for the user.
Best,
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google

01-22-2024 14:34
Hi @Gordon-C,
Thanks for your response.
Unfortunately none of these really help us. We know many of our users have not logged in to our application for some time; we're no longer interested in syncing their data or doing work based off their Fitbit activity. Unfortunately, we have some issues with our Refresh Token mechanism which we need to address; this means we now have many subscriptions which we don't have valid tokens for. So even if we wanted to pull a user's data (or delete the subscription) we couldn't.
Any application that has similar issues will end up getting spammed and the only thing they can do is to delete the whole application which isn't ideal if it's still being used by others. This seems like it would be useful to Fitbit to fix, as I'm assuming there is a fair amount of work that your systems are doing that isn't necessary nor wanted by consuming applications?
Just a couple of ideas:
1. Could you pass a token with the Fitbit ping notification that could be used to disconnect the subscription?
2. Add something in the Fitbit Portal to delete subscriptions by ID (preferably in bulk).
Best regards,
Sam

01-23-2024 13:00
Hi Sam,
Have you tried the Revoke Token endpoint? This will make the tokens you have invalid, delete the subscription and drop the user's consent to your application.
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google

01-28-2024 14:47
Hi @Gordon-C,
As I understand it, the Revoke Token endpoint requires an access token or a refresh token that is NOT expired. Our tokens have expired so we are unable to use the Revoke Token endpoint. We require (and I believe many others do too) to remove subscriptions without a user access token. Something in the Admin portal (for example) to remove a subscription by userId would be great.
This is really for scenarios where there has been an issue with the implementation of the refresh token mechanism and it is no longer valid, and Fitbit is still sending data for a user who is no longer using the client application.
Best regards,
Sam

01-31-2024 11:13
Hi @sambheadup
Refresh tokens do not expire; however, they can only be used once. What happens when you try to revoke the refresh token? For example,

    POST https://api.fitbit.com/oauth2/revoke
    Authorization: Basic <basic_token>
    Content-Type: application/x-www-form-urlencoded

    token=<refresh_token to be revoked>

Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
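
An added example, not code from this thread or from Fitbit: subscriber-side triage of one notification batch, plus construction of the revoke request quoted in the post above. The JSON field names (`collectionType`, `ownerId`, `subscriptionId`), the `client_id:client_secret` Basic encoding, the token-store layout and the sample data are assumptions.

```python
import base64
import json
from urllib.parse import urlencode

REVOKE_URL = "https://api.fitbit.com/oauth2/revoke"   # endpoint quoted in the thread
CONSENT_ENDED = {"userRevokedAccess", "deletedUser"}  # collections named in the thread

def build_revoke_request(client_id, client_secret, refresh_token):
    """Return (url, headers, body) for the revoke call shown in the thread.
    Assumption: <basic_token> is base64("client_id:client_secret")."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return REVOKE_URL, headers, urlencode({"token": refresh_token})

def triage_notifications(raw_body, token_store):
    """Split one notification batch into (purge, orphaned, sync).
    token_store is a hypothetical local map: user id -> {"refresh_token": str or None}.
    Field names in each notification are assumed, not taken from the thread."""
    purge, orphaned, sync = [], [], []
    for note in json.loads(raw_body):
        user, coll = note.get("ownerId"), note.get("collectionType")
        if coll in CONSENT_ENDED:
            # Consent is gone and the thread says the subscription is deleted
            # server-side, so drop any credentials still held for this user.
            token_store.pop(user, None)
            purge.append(user)
        elif not token_store.get(user, {}).get("refresh_token"):
            # Data still arriving for a user we cannot act for: record it so the
            # user can be sent back through authorization or raised with support.
            orphaned.append((user, note.get("subscriptionId")))
        else:
            sync.append((user, coll))
    return purge, orphaned, sync

# Constructed sample data, not real notifications or tokens.
SAMPLE_BODY = json.dumps([
    {"collectionType": "activities", "ownerId": "USER_A", "subscriptionId": "sub-a"},
    {"collectionType": "userRevokedAccess", "ownerId": "USER_B", "subscriptionId": "sub-b"},
    {"collectionType": "activities", "ownerId": "USER_C", "subscriptionId": "sub-c"},
])
SAMPLE_STORE = {"USER_A": {"refresh_token": "rt-a"},
                "USER_B": {"refresh_token": "rt-b"},
                "USER_C": {"refresh_token": None}}

if __name__ == "__main__":
    print(triage_notifications(SAMPLE_BODY, dict(SAMPLE_STORE)))
    print(build_revoke_request("CLIENT_ID", "CLIENT_SECRET", "rt-a"))
```

The `orphaned` list is the case this thread is about: notifications for users whose stored tokens can no longer be used to call the API.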

12-29-2024 20:52
Hi Gordon,
Our issue is closely related to this one: https://community.fitbit.com/t5/Web-API-Development/Remove-subscriptions/td-p/5271805
The refresh tokens we have are no longer valid (because of some other issues) and now we have no way of unsubscribing from the updates coming from Fitbit, despite the fact we can see the relevant user hasn't used our app for a long time.
We really need some way - whether it would be through the portal or some API - to unsubscribe users without the use of a refresh token which may or may not be valid.
Can I confirm that there still isn't any other way around this other than via a support request?
Best regards,
Sam

12-29-2024 20:53
Hi @Gordon-C
I can see in this thread that you say there is some way around this now, but don't mention what that is?
Many thanks,
Sam

