
User email

ANSWERED

Is there a way to know the email address which the user uses to log in to the Fitbit account?

 

Thanks

Best Answer
0 Votes

User email address is not available via the Web API.

Best Answer
0 Votes

How come it's not available?

 

Maybe I'm missing something but in my case I have users triggering authentication w/ Fitbit via a mobile application. If the authentication is successful (with the user allowing the profile scope) the callback then gets the user's access token. That token then gets used to retrieve the user's profile. Without getting the Fitbit user's email, I need to associate a unique user attribute to the existing user on my system so I can update my user's access token.

Without something like an email, I'm left only using the Full Name field to make the association between Fitbit and my users table.

Is there a reason why the email isn't included with the user profile? Do you have any suggestions on what is best practice to associate a Fitbit user w/ a user of a developer's system?

Thanks!
M

Best Answer
0 Votes

@reado The best way to uniquely identify each Fitbit user is through "encodedId", so you might want to consider adding encodedId association to your existing users if you don't want to continue using "fullName".

Andrew | Community Moderator, Fitbit

What motivates you?

Best Answer
0 Votes

@reado wrote:
Maybe I'm missing something but in my case I have users triggering authentication w/ Fitbit via a mobile application. If the authentication is successful (with the user allowing the profile scope) the callback then gets the user's access token. That token then gets used to retrieve the user's profile. Without getting the Fitbit user's email, I need to associate a unique user attribute to the existing user on my system so I can update my user's access token.


Without something like an email, I'm left only using the Full Name field to make the association between Fitbit and my users table.


As Andrew mentioned, the 'encodedId' is the Fitbit user id you can use for identifying a person's Fitbit identity.

 

As for associating a person's Fitbit account with their account in your app, your app should have the user authenticated before sending them into the Fitbit authorization flow. This is a much better strategy, as people often use different email addresses for different accounts.

 

Best Answer
0 Votes

Hey Andrew & Jeremiah.. thanks for replying!

The plan is to allow users to authenticate with Fitbit from a mobile application I've built. My webserver will only act as an API.

Here's the situation:
Within the mobile app users are able to log in and authenticate with my server. The authenticated user is then able to update their profile and to associate their Fitbit account with the account on my system.

They click a button which opens a Chrome tab and opens up the Fitbit authentication form. The user authenticates and a callback is made to my webserver providing the user's access token. The server then uses that token to retrieve the user's Fitbit profile. Since that profile doesn't have an email and the encodedId is not known to my server before they authenticate, the only field I get back from the Fitbit user profile that I can reference is the FullName.

Unless I'm somehow able to pass along a userid or email address when the user tries to authenticate within the mobile app, I'm not sure how I'm supposed to associate the token returned in the callback to my internal user who's only authenticated within the mobile app.

Other OAuth providers like Facebook, Github, Twitter, LinkedIn, etc, provide that email address and it is how I've seen this association done in the past.

I'm not really sure why the email address isn't included in the user profile response but I'm assuming it's because of security or something.

If you guys have any suggestions for me, or if I'm somehow misunderstanding the OAuth process flow from Fitbit's perspective I'm open to suggestions!

Thanks!

Best Answer

@reado wrote:

Unless I'm somehow able to pass along a userid or email address when the user tries to authenticate within the mobile app, I'm not sure how I'm supposed to associate the token returned in the callback to my internal user who's only authenticated within the mobile app.


You have a few options:

 

1. You could have your web app redirect to the Fitbit OAuth 2.0 authorization page and your web app could set a browser session to identify the person.

 

2. You could use the "state" parameter on the OAuth 2.0 authorization page to set whatever data you want to receive afterwards, along with the OAuth information, at your redirect URI. It's documented here. Keep in mind that if you use the Authorization Code Grant Flow you'll need to include the exact "state" value again in the Access Token Request.

Best Answer

ahhh the state parameter is what I was looking for.

 

I'm going to keep experimenting.  Thanks!

Best Answer
0 Votes
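
The "state" option discussed in this thread, sketched as an added example that is not part of any post above and is not Fitbit's code: the server issues a signed, expiring, single-use state for the user who is already logged in to it, then trusts only that value at the callback to decide which internal account the Fitbit encodedId gets linked to. The function names, the `links` mapping, the key handling and the 10-minute lifetime are all assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets, time

STATE_KEY = secrets.token_bytes(32)   # assumption: server-side secret, never shipped in the app
STATE_TTL = 600                       # assumption: a state value is valid for 10 minutes
_used_nonces = set()                  # stand-in for a shared store with expiry

def _sign(body):
    mac = hmac.new(STATE_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def make_state(user_id, now=None):
    """Issue a state value for a user who is already authenticated to your API."""
    now = time.time() if now is None else now
    payload = {"uid": user_id, "exp": int(now) + STATE_TTL, "n": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return body + "." + _sign(body)   # URL-encode this when building the authorize URL

def verify_state(state, now=None):
    """Return the internal user id bound to this state, or None if it must be rejected."""
    now = time.time() if now is None else now
    try:
        body, tag = state.split(".")
        if not hmac.compare_digest(tag, _sign(body)):
            return None                      # forged or altered
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError, AttributeError):
        return None                          # malformed
    if payload["exp"] < now or payload["n"] in _used_nonces:
        return None                          # expired or replayed
    _used_nonces.add(payload["n"])
    return payload["uid"]

def handle_callback(state, encoded_id, links):
    """Callback step: link the Fitbit encodedId to the user named in the state."""
    user_id = verify_state(state)
    if user_id is None:
        return False                         # do not store tokens for an unverified state
    links[user_id] = encoded_id
    return True
```

Because the user id travels inside an authenticated value rather than as a bare parameter, someone who edits the state in the browser cannot attach their Fitbit account to another user's record, and a captured callback URL cannot be replayed.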