oauth2 400 bad request invalid_grant Authorization code challenge missing

Hello,

I am implementing OAuth2 and getting a 400 Bad Request.

I have a Fitbit app registered with an OAuth 2.0 application type of Server. The grant type is authorization_code. In the body of the request I am sending:

const body = {
  grant_type: "authorization_code",
  code: token,
  client_id: clientID,
  code_verifier: code_verifier,
  code_challenge: code_challenge,
  code_challenge_method: 'S256',
  redirect_uri: callback,
};

Error I am receiving:

"errorType":"invalid_grant","message":"Authorization code challenge missing. Visit https://dev.fitbit.com/docs/oauth2


Hi @johnhaigh

It's not clear to me if you are calling the authorize or the oauth2 token endpoint. The authorize endpoint should send the code challenge and the code challenge method. See Authorize. The oauth2 token endpoint should send the code verifier. See OAuth2 Token. In your example, you are providing all 3, which is incorrect. Please double-check the syntax in your code.

Gordon

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google

Here is what I am doing specifically:

// token, clientID, code_verifier, code_challenge, callback, auth and data are
// defined earlier in the cloud function and are not shown in this post.
const body = {
  grant_type: "authorization_code",
  code: token,
  client_id: clientID,
  code_verifier: code_verifier,
  code_challenge: code_challenge,
  code_challenge_method: 'S256',
  redirect_uri: callback,
};

const response = await Parse.Cloud.httpRequest({
  method: "POST",
  url: 'https://api.fitbit.com/oauth2/token',
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    Authorization: `Basic ${auth}`,
    "Content-Length": data.length,
  },
  body: body,
}).catch((e) => {
  throw e;
});

Thank you, @johnhaigh. When calling the /oauth2/token endpoint, you're only supposed to send the code verifier. See OAuth2 Token. The reason for the error is sending the parameters "code_challenge" and "code_challenge_method". Instead, those 2 parameters should be sent when using the Authorize endpoint.

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google