Here's the story:

1. We have a 12-week weight loss challenge with a website (on a Passenger/Rails/PostgreSQL stack) that includes workouts and meal plans, and statistics like daily steps and calories burnt
2. Users can use a tracker device (Fitbit or others) to record their steps, and we then pull that data from the provider to update our records and keep the steps in sync between their device and our app
3. Until now we were using oauth 1 for fitbit, and it was working fine
4. Now we need to update to oauth 2, we've selected the fitbit omniauth strategy for this and it works fine until we get the callback from the Fitbit server. It hits our server correctly, but then we get redirected to an error message saying "invalid_credentials"
5. The return call from Fitbit includes state and code parameters
6. I've checked the client_id and client_secret, and made sure my app is configured correctly, but nothing I do seems to help

Has anyone tried a similar approach and managed to get it working?