
Bug: prompt=login OAuth 2 not allowing login

ANSWERED

Update 2016-03-30: This bug has been fixed. Original message below.

 

Applications that use the OAuth 2.0 authorization page parameter `prompt=login` are not able to authorize users, as the login page is failing to allow people to sign in. We are investigating the issue and hope to have a fix released today.

 

Edit: see workaround below


Accepted Solutions

This bug was fixed at 2016-03-30 1:14 PM PDT.

13 REPLIES 13

A fix may not be available until Wed, March 30th.

 

Updated workaround: Move the `prompt=login` parameter so that it is not the last URI parameter. You could also append an unencoded ampersand, e.g. `prompt=login&`.

Best Answer
0 Votes

Hello @JeremiahFitbit, By any chance, did you mean that you'll have a fix by May 30th or March 30th - today? 

 

Thank you,

Roxana

Best Answer

@RoxanaF Good catch, yes March 30th. 🙂

Andrew | Community Moderator, Fitbit

What motivates you?

Best Answer

@AndrewFitbit - is this fix still planned for today? 

Best Answer
0 Votes

This bug was fixed at 2016-03-30 1:14 PM PDT.

Best Answer

@JeremiahFitbit @AndrewFitbit While I sincerely appreciate the quick response, unfortunately the workaround seems to have broken something else. Now instead of an endless loop, I get the following error

 

The app you're trying to connect did not provide valid information to Fitbit. Please report this issue to them.

Developer information: invalid_request - Invalid redirect_uri parameter value

 

This is the URL I see in my browser window. The redirectURL parameter seems to be missing.

 

https://www.fitbit.com/login?redirect=%2Foauth2%2Fauthorize%3Fclient_id%3DMY_CLIENT_ID%26redirect_ur...

 

I moved the prompt=login parameter to another place. Changed prompt to consent. Omitted the parameter completely. No luck.

 

Thanks

Best Answer
0 Votes

@AppDev: What was your OAuth 2.0 Authorization Page URI before and after your change?

Best Answer
0 Votes

@JeremiahFitbit My authorization page has not changed. Up until Tuesday when we first ran into endless auth loop. I don't have a copy of that URL from that time.

 

This morning, following your post, I tried using my app again and instead of the endless loop, I now get the Auth URL not set error.

Best Answer
0 Votes

@JeremiahFitbit @AndrewFitbit Ok, I think I figured out what the issue was and I got my app working. I believe you guys fixed "something" and that exposed the prompt=login issue. That "something" I believe is the change to the query string parameters. The redirect_uri used to be redirect_url. I have checked my source code history and at no time did I have redirect_uri. My app always had it (probably incorrectly) as redirect_url. This has worked until it was fixed. Now since this morning I was unable to get my app working. That is, until after I changed redirect_url to redirect_uri.

 

I also noticed that the help documentation has been updated. You can now pass prompt=login consent (note the 2 parameters). I don't think this existed until this morning.

 

The changes are good and in the right direction.

 

Guys from Fitbit just respond with a 🙂 if my theory is correct.

Best Answer
0 Votes

Hi AppDev - yep, can confirm.  I had the same issue, was using "redirect_url" instead of "redirect_uri". I was not thrilled to find out about the issue from my users though!

 

Jeremiah, if you see this: I had reworked & tested my app on OAuth 2.0 way before the deadline and found everything to be working so I shipped an update to Production that later broke.  While I take responsibility for the incorrect parameter name, please relay back to the team that once you have a feature "baked" and out there in the wild, you can't randomly introduce changes like this one b/c this is what happens.  I suspect other customers will be affected.  Consider sending an email, not just a dev forum post so that folks actually see it.  Thanks!

Best Answer
0 Votes

Again, Fitbit never permitted redirect_url. If redirect_uri was not present, the behavior was to use the value in your app settings if only one redirect_uri was specified. We added validation that redirect_uri is specified when using prompt, which is documented as a requirement for using prompt.

 

I'm sorry that a change we made resulted in a production issue for your app. We cannot anticipate every possible incorrect implementation by apps. We announce changes here in the forum and stick those posts to the top of the forum. We reserve email announcements for breaking changes.

Best Answer
0 Votes
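A pre-flight check for the failure discussed in this thread, as an added example that is not part of any post and is not Fitbit's code: it flags a misspelled parameter such as `redirect_url` and a `prompt` sent without `redirect_uri` before the URL ever reaches the authorization page. The parameter set is an assumption (RFC 6749 names plus `prompt`), and `https://app.example/callback` is a constructed redirect URI.

```python
from difflib import get_close_matches
from urllib.parse import parse_qsl, urlencode, urlsplit

# Endpoint path as it appears in the URL quoted in the thread.
ENDPOINT = "https://www.fitbit.com/oauth2/authorize"
# Assumption: RFC 6749 section 4.1.1 names plus `prompt`; not Fitbit's full list.
KNOWN_PARAMS = {"response_type", "client_id", "redirect_uri", "scope", "state", "prompt"}
# Values mentioned in the thread: login, consent, or both separated by a space.
PROMPT_VALUES = {"login", "consent"}


def check_authorize_url(url):
    """Return a list of problems found in an authorization page URL."""
    problems = []
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    params = dict(pairs)

    for name in names:
        if name in KNOWN_PARAMS:
            continue
        # Per the thread, a missing redirect_uri used to fall back to the app
        # settings, so a misspelled name went unnoticed. Flag near misses.
        close = get_close_matches(name, KNOWN_PARAMS, n=1, cutoff=0.8)
        if close:
            problems.append(f"unknown parameter {name!r}; did you mean {close[0]!r}?")

    # RFC 6749 section 3.1: request parameters must not appear more than once.
    for name in sorted(set(names)):
        if names.count(name) > 1:
            problems.append(f"parameter {name!r} appears more than once")

    if "prompt" in params:
        bad = set(params["prompt"].split()) - PROMPT_VALUES
        if bad:
            problems.append(f"unsupported prompt value(s): {sorted(bad)}")
        # The validation described in the thread: prompt requires redirect_uri.
        if not params.get("redirect_uri"):
            problems.append("prompt is set but redirect_uri is missing")
    return problems


def build_authorize_url(endpoint, **params):
    """Encode params onto endpoint and refuse to return a URL that fails the check."""
    url = endpoint + "?" + urlencode(params)
    problems = check_authorize_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    return url
```

Running `check_authorize_url` over every authorization URL an app generates, in a unit test or at startup, surfaces this class of mistake in development rather than through user reports.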

@JeremiahFitbit I am glad I was able to resolve my issue by changing the redirect_url to redirect_uri but like @Matt said, I was using redirect_url and it had worked. I checked our source history and only recently did the "incorrect" implementation break. It is possible that I had misread i as l but it had worked is all I can say.

 

@Matt thanks for taking time to post your experience and confirming that I am not crazy. 😉

 

Best Answer
0 Votes

@AppDev you're welcome!  It was an unfortunate issue for both sides but I'm grateful for Jeremiah's quick responses and happy to move on.

Best Answer
0 Votes