help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

refresh token invalid when using 2 or more devices

ANSWERED

‎04-11-2016 16:48

‎04-11-2016 16:48

Hi

 

This is the scenario. A user uses 2 or more mobile devices to get data from Fitbit server. User authenticates and the refresh token is stored locally on the phone. User does the same for another mobile device using the same Fitbit credentials (same account). After a couple of hours the user syncs the data on one device and needs to get a new access token. The app uses the stored refresh token to get the access token. However I get now the error message "Refresh token invalid:....." 

 

This is logical since the other app used a different refresh_token which is stored on the Fitbit server.

 

So the question is whether it is possible to renew the access token on different devices WITHOUT the user to explicitly have to login/grant permission?

 

Thanks Peter

Best Answer
Labels:
0 Votes
1 BEST ANSWER

Accepted Solutions

‎04-11-2016 21:33

‎04-11-2016 21:33

A mobile app is considered a "public client" in OAuth 2.0 terminology, because it is code that executes on a computer that you (as the app developer) don't control. This means that your app cannot keep your OAuth 2.0 client secret truly a secret. Use of the Authorization Code Flow and Refresh Token Flow requires your client secret, so these flows are not available to them.

 

Your options are to use the Implicit Grant Flow, which is designed for public clients, or to use the Authorization Code Flow with a web server app and have the Android app securely retrieve the current access token from your web server app.

View best answer in original post

Best Answer
0 Votes
1 REPLY 1

‎04-11-2016 21:33

‎04-11-2016 21:33

A mobile app is considered a "public client" in OAuth 2.0 terminology, because it is code that executes on a computer that you (as the app developer) don't control. This means that your app cannot keep your OAuth 2.0 client secret truly a secret. Use of the Authorization Code Flow and Refresh Token Flow requires your client secret, so these flows are not available to them.

 

Your options are to use the Implicit Grant Flow, which is designed for public clients, or to use the Authorization Code Flow with a web server app and have the Android app securely retrieve the current access token from your web server app.

Best Answer
0 Votes