invalid_grant

Hey everybody out there 👋

We have developed native apps for Android and iOS that implement the Fitbit SDK to read the users' activity/training and body weight data. This was 2 years ago and so far everything was working perfectly.

For a few weeks we have been having trouble in our Android app with the OAuth flow. Here is an example flow:

  1. Inside the app the user clicks on a "Connect Fitbit" button
  2. A WebView opens up for the OAuth and permission flow (https://www.fitbit.com/oauth2/authorize)
  3. The user sets the required permission and accepts
  4. The user is redirected to the app where the OAuth flow begins
  5. Access is granted. Fitbit data is imported into our app and shown there

This is the normal and expected case. So far we were able to repeat this as often as we wanted (or the user wanted). When connected to Fitbit our app shows a "Disconnect Fitbit" button to undo the binding and remove all Fitbit related data from our app. When disconnecting and repeating the connection flow like described above we get an error from the Fitbit API with the following reason:

{
   "errors":[
      {
         "errorType":"invalid_grant",
         "message":"Authorization code invalid: dedcacdd0db45cbfab8a00d124059de84d4ed2eb Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."
      }
   ],
   "success":false
}

Okay! So we've got a problem here. The docs are - unfortunately - not very helpful and led to no solution. So we played around and tried different ways to kind-of-debug the problem. And after some (not very scientific) research we've found a solution to the problem:

  1. Do step 1 & 2 like described above. We will be automatically logged into our account as we have already visited the website before
  2. Logout and login again
  3. Go on from step 3 like described above

Now we are having success *yay*!!! So this seems to be a workaround for our users. And it also seems like we are not doing anything wrong there. We have not changed this flow during the last 12 months and it just stopped working a few months ago.

 

Let's have a look into the blackbox and behind the scenes:

  1. When connecting with Fitbit we will firstly generate a randomVerifier and a derivedVerifier. For example:

randomVerifier: xbdWGHY_sUUka111yAvVu3ObIMrZ8pXOOb5hNoTL1o2Ec4r1LHRqC0RAiS_0GhNh2p9XfvAtryyD-Z-pLG0nog
derivedVerifier: 6Z-sktf2D01IWu_2VTIvSe1RQCVV2CV_Wtu7qGzB4SM

  2. Now we will open up a WebView (Chrome Custom Tabs) with the following URL:

https://www.fitbit.com/oauth2/authorize?
	client_id=<secret_id>&
	response_type=code&
	scope=weight activity&
	prompt=consent&
	code_challenge=6Z-sktf2D01IWu_2VTIvSe1RQCVV2CV_Wtu7qGzB4SM&
	code_challenge_method=S256&
	redirect_uri=<host>://oauth/fitbit

  3. Now the flow described above is done by the user. After that the website will redirect to the given URI directly into our app. For example:

<host>://oauth/fitbit?code=dedcacdd0db45cbfab8a00d124059de84d4ed2eb#_=_

  4. Now we will parse out the code to request an access token from the Fitbit API. Therefore we are building the following URL:

https://api.fitbit.com/oauth2/token?
	client_id=<secret_id>&
	grant_type=authorization_code&
	code=dedcacdd0db45cbfab8a00d124059de84d4ed2eb&
	redirect_uri=<host>://oauth/fitbit

  5. Now we will get a response with HTTP code 400 and the error message mentioned at the beginning of this post. It says we are using an invalid_grant.

We have no idea what might be wrong here. It works on the first connect and always after logging out and in again. It also works again after waiting an undefined amount of time. Sometimes it just works again after 24 hours and sometimes it takes up to 3 days. Also, this error only affects the Android platform. iOS is still working like always before...

 

Is anyone out there facing the same issue? Does anyone know a solution or have a hint on what we have to do?


This forum is for Fitbit OS developers. You might try posting this to the Web API Forum: https://community.fitbit.com/t5/Web-API-Development/bd-p/dev

One thing that I notice is that it appears like you're missing the code verifier from the token request, which would be required for the full PKCE implementation. I don't use PKCE, so I'm not that familiar with Fitbit's implementation and what happens if you start with PKCE but complete without it.


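The reply above points at the token request lacking a code_verifier. The following is an added example, not code from the thread or from the Fitbit SDK, showing the PKCE pieces of the flow the question describes with that verifier included: the verifier/challenge pair (the post's randomVerifier and derivedVerifier, computed per RFC 7636 S256), the authorize URL, extraction of the code from the app redirect (including the trailing `#_=_` fragment seen in the post), the token request body, and the check an authorization server performs on the verifier. `CLIENT_ID`, the `exampleapp://` scheme (standing in for the post's `<host>`) and the sample redirect are placeholders, and the code only builds the requests rather than sending them.

```python
# Added example (not from the thread or Fitbit's SDK): the PKCE pieces of the
# flow described above, with the code_verifier included in the token request,
# which the reply identifies as the missing piece.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"
TOKEN_URL = "https://api.fitbit.com/oauth2/token"

# Placeholders for the values the post redacts as <secret_id> and <host>.
CLIENT_ID = "<secret_id>"
REDIRECT_URI = "exampleapp://oauth/fitbit"  # stands in for <host>://oauth/fitbit


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 64) -> str:
    """High-entropy verifier (the post's 'randomVerifier'). 64 random bytes
    give 86 base64url characters, inside the 43..128 range RFC 7636 allows."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge (the post's 'derivedVerifier'):
    base64url(sha256(ascii(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str) -> str:
    """The authorize URL from step 2 of the post; only the challenge goes
    over the wire here, never the verifier itself."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "weight activity",
        "prompt": "consent",
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
        "redirect_uri": REDIRECT_URI,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(redirect: str) -> str:
    """Pull the authorization code out of the app redirect (step 3). urlsplit
    separates the '#_=_' fragment, so it never ends up inside the code."""
    parts = urlsplit(redirect)
    codes = parse_qs(parts.query).get("code")
    if not codes or len(codes) != 1:
        raise ValueError("redirect carries no single authorization code")
    return codes[0]


def build_token_request(code: str, verifier: str) -> dict:
    """Form body for POST /oauth2/token (step 4). Unlike the request in the
    post, it carries the code_verifier that pairs with the code_challenge
    sent at authorize time."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def server_side_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does with the verifier: recompute the
    S256 challenge for the presented verifier and compare in constant time."""
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


if __name__ == "__main__":
    verifier = make_code_verifier()
    print(build_authorize_url(verifier))
    # Constructed redirect, using the code value quoted in the post.
    redirect = REDIRECT_URI + "?code=dedcacdd0db45cbfab8a00d124059de84d4ed2eb#_=_"
    body = build_token_request(extract_code(redirect), verifier)
    print(body)
    print(server_side_check(make_code_challenge(verifier), verifier))
```

The verifier has to be kept on the device between the authorize redirect and the token request and sent in the token request exactly as generated; a server implementing PKCE will reject the code otherwise, and any state that survives a logout (a cached session, a stale verifier) is a reasonable first thing to inspect when the behaviour differs between platforms.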

Oh you are absolutely right, thank you very much! I have reposted this in the web dev forum.
