02-08-2019 04:10
02-08-2019 04:10
Our users experience a strange behavior whenever they try to authenticate their account to Fitibt.
Whenever we redirect them to
https://www.fitbit.com/oauth2/authorize?prompt=login&response_type=code&client_id=[client_id]&scope=[scope]&state=[state]&redirect_uri=[callback_url]
they are sometime presented with the old login page (which works)
https://www.fitbit.com/login?...
but some other times they are redirected to
https://accounts.fitbit.com/login?targetUrl=https%3A%2F%2Fwww.fitbit.com%2Flogin%2Ftransferpage%3Fredirect%3Dhttps%253A%252F%252Fwww.fitbit.com%252Foauth2%252Fauthorize%253F...
This seems to be a new behaivor from Fitbit side, since we have not change anything in the oauth2 flow.
Besides that I managed to reproduce the strange redirect using two different browsers, on the same PC.
1. On Chrome, if I access https://fitbit.com/login -> The browsers shows the old login page.
2. On Edge, it I access https://fitbit.com/login -> I am redirected to https://accounts.fitbit.com/login?targetUrl=https%3A%2F%2Fwww.fitbit.com%2Flogin%2Ftransferpage%3Fre...
I'm not sure if this is some cache/cookie issue, but clearing them up didn't help.
Is this new behavior documented somewhere?
Could you point us to a solution?
02-11-2019 05:40
02-11-2019 05:40
After some investigation we found:
https://www.fitbit.com/login
https://accounts.fitbit.com/login
Besides that if your state parameter contains an encoded URL (as was our case) it might not be correctly passed to accounts.fitbit.com when redirected, so after the user gives his consent and is redirected back to your app, the state that you will receive might be altered.
Our solution was to always Base64 encode the state parameter, that way it will keep it's value no matter which login page it is used.