03-31-2021 10:13
Hello All,
I'm in need of some help handling the callback from the Web API after user authentication.
After the user authenticates, they receive an error stating that the developer has not provided correct redirect URI parameters. I can assure you these are correct as I'm able to execute the complete process manually.
I've also found that Fitbit diverts from specification for OAuth2Flow by:
https://dev.fitbit.com/build/reference/web-api/oauth2/
"According to the OAuth 2.0 RFC, if the redirect uri is valid, the user is redirected to the app redirect uri, and any errors are appended to the URI as a query string. However, this behavior could be used in a phishing attack. Therefore, Fitbit’s OAuth 2.0 implementation diverges from the spec in that the user will remain on https://www.fitbit.com/oauth2/authorize, and any errors will be displayed on the page. An error description URI parameter may also be provided to help diagnose the issue."
Does anyone know how to work around this? All I need to do is figure out how to obtain that code so I can complete the required post for token.
Thank you for any help.
Steve
I'm working in C++.

04-13-2021 14:25
Hi @kumar_S,
Welcome to the forums!
Can you provide me with your redirect_uri? Just because you are able to complete the process on your end doesn't necessarily mean an external user will be able to. For example, if you chose localhost (http://localhost) as your redirect URI, you'll be able to complete the authorization flow since you are connecting to your local network. However, if an external user attempted to authorize, the authorization would fail because localhost is not publicly accessible.
Your redirect URI would need to be publicly accessible in order for the authorization flow to complete.
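Added example (not part of either post and not Fitbit's code): a C++ sketch of how an app listening at its registered redirect URI could pull the authorization `code` out of the callback request line, accepting it only when the standard OAuth 2.0 `state` parameter matches the value the app sent. The function names, the `/cb` path, and the sample code and state values are constructed assumptions.

```cpp
#include <cctype>
#include <map>
#include <sstream>
#include <string>

// Decode %XX escapes and '+' in one query-string component.
static std::string url_decode(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() &&
            std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += (in[i] == '+') ? ' ' : in[i];
        }
    }
    return out;
}

// Parse "GET /path?k=v&k2=v2 HTTP/1.1" into decoded query parameters.
static std::map<std::string, std::string> parse_query(const std::string& line) {
    std::map<std::string, std::string> params;
    size_t q = line.find('?');
    if (q == std::string::npos) return params;
    size_t end = line.find(' ', q);  // query ends at the space before "HTTP/1.1"
    std::istringstream qs(line.substr(q + 1, end == std::string::npos ? end : end - q - 1));
    for (std::string pair; std::getline(qs, pair, '&');) {
        size_t eq = pair.find('=');
        if (eq != std::string::npos && eq > 0)
            params[url_decode(pair.substr(0, eq))] = url_decode(pair.substr(eq + 1));
    }
    return params;
}

// Accept the code only when the callback echoes the state value we sent.
bool extract_auth_code(const std::string& line, const std::string& expected_state,
                       std::string& code_out) {
    std::map<std::string, std::string> p = parse_query(line);
    if (p.count("state") == 0 || p["state"] != expected_state) return false;
    if (p.count("code") == 0 || p["code"].empty()) return false;
    code_out = p["code"];
    return true;
}

int main() {  // constructed sample request line and state value
    std::string code;
    return extract_auth_code("GET /cb?code=abc%2D123&state=xyz789 HTTP/1.1", "xyz789", code) ? 0 : 1;
}
```

The extracted code is then sent in the token POST together with the same redirect URI used in the authorization request.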

