Invalid or expired Token returns Status Code 400 (Bad Request)

ANSWERED

Fitbit team, we are getting wrong status codes when refreshing an invalid or expired token. It seems that Cloudflare is changing the status code to a 400 (Bad Request) instead of a 401 (Unauthorized).

Please review extensively and rapidly why Cloudflare is changing the response status codes.


Here is the response we are getting:

ContentType: application/json;charset=UTF-8

Content

{"errors":[{"errorType":"invalid_grant","message":"Refresh token invalid or expired: XXXYYYYY. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}],"success":false}

ResponseUri: https://api.fitbit.com/oauth2/token 

Status Code: 400

Server: cloudflare-nginx


HTTP 400 is expected for that response.

According to the spec at https://tools.ietf.org/html/rfc6749#section-5.2:

The authorization server responds with an HTTP 400 (Bad Request) status code (unless specified otherwise) and includes the following parameters with the response:

[...]

invalid_grant
    The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

Doesn't seem that Fitbit documentation is correctly reflecting this:
Refreshing Tokens

An access token intentionally is short lived. This is an important security mechanism of OAuth 2.0. When using the Authorization Code Grant flow, the access tokens have a one-hour lifetime.

When an access token expires, an HTTP 401 error will be returned:

{
    "errors": [
        {
            "errorType": "oauth",
            "fieldName": "access_token",
            "message": "Access token invalid or expired: eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0MzAzNDM3MzUsInNjb3BlcyI6Indwcm8gd2xvYyB3bnV0IHdzbGUgd3NldCB3aHIgd3dlaSB3YWN0IHdzb2MiLCJzdWIiOiJBQkNERUYiLCJhdWQiOiJJSktMTU4iLCJpc3MiOiJGaXRiaXQiLCJ0eXAiOiJhY2Nlc3NfdG9rZW4iLCJpYXQiOjE0MzAzNDAxMzV9.z0VHrIEzjsBnjiNMBey6wtu26yHTnSWz_qlqoEpUlpc"
        }
    ]
}

Thanks, we will get that updated.


Edit: Sorry I didn't read that closely the first time. You are referring to expired refresh tokens but that specific part of the documentation is referring to expired access tokens.
Understood. Thanks for bringing that to my attention.

Thanks!

So for those of us who are getting the error 400 while setting up the Fitbit HR, what's the fix?
@Rob1666: What is the content of the error response? HTTP status codes only describe the general type of error.


Hi,

I am getting an error while refreshing the access token:

status code = 400

and the error contents are:

{"errors":[{"errorType":"invalid_grant","message":"Refresh token invalid or expired: f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}],"success":false}

Scenario:

I am storing a timestamp when I store the access token and refresh token in the DB.

Before doing any Fitbit API call, I check that timestamp, and if it is less than the current timestamp by 1 hour (as the Fitbit doc says the access token expires in 1 hour), I hit the refresh token URI and get the above-mentioned error.

So I am unable to refresh the access token.

Can you please help me with this?

Thanks.

This error means that the refresh token is not valid or has already been used. Do you have any concurrent requests for refresh tokens?


@shek123 wrote:

Hi,

I am getting an error while refreshing the access token:

status code = 400

and the error contents are:

{"errors":[{"errorType":"invalid_grant","message":"Refresh token invalid or expired: f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}],"success":false}

Scenario:

I am storing a timestamp when I store the access token and refresh token in the DB.

Before doing any Fitbit API call, I check that timestamp, and if it is less than the current timestamp by 1 hour (as the Fitbit doc says the access token expires in 1 hour), I hit the refresh token URI and get the above-mentioned error.

So I am unable to refresh the access token.

Can you please help me with this?

Thanks.

I got your PM with your app credentials and I looked at our access logs and you attempted to use that refresh token multiple times.
timestamp                        request
2015-11-20T06:30:27.631-08:00 POST /oauth2/token?grant_type=refresh_token&refresh_token=f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21 HTTP/1.1
2015-11-20T06:01:18.762-08:00 POST /oauth2/token?grant_type=refresh_token&refresh_token=f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21 HTTP/1.1
2015-11-20T05:56:11.586-08:00 POST /oauth2/token?grant_type=refresh_token&refresh_token=f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21 HTTP/1.1
2015-11-20T05:42:17.523-08:00 POST /oauth2/token?grant_type=refresh_token&refresh_token=f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21 HTTP/1.1
2015-11-20T05:27:07.664-08:00 POST /oauth2/token?grant_type=refresh_token&refresh_token=f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21 HTTP/1.1
2015-11-20T05:24:11.967-08:00 POST /oauth2/token?grant_type=refresh_token&refresh_token=f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21 HTTP/1.1
2015-11-20T05:16:38.389-08:00 POST /oauth2/token?grant_type=refresh_token&refresh_token=f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21 HTTP/1.1
2015-11-20T05:07:08.913-08:00 POST /oauth2/token?grant_type=refresh_token&refresh_token=f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21 HTTP/1.1
2015-11-20T05:01:28.307-08:00 POST /oauth2/token?grant_type=refresh_token&refresh_token=f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21 HTTP/1.1
2015-11-20T04:59:43.154-08:00 POST /oauth2/token?grant_type=refresh_token&refresh_token=f2ef6470b7e9ac09797bb1c7c85754aba08676e39ffcfeb95fad78b4ef434a21 HTTP/1.1

You need to make sure that your application only ever tries to use a refresh token once and that you don't have parallel workers trying to refresh the same token simultaneously (i.e. with some kind of locking).
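The single-use-plus-locking rule described in the reply above, together with the RFC 6749 section 5.2 handling from the first reply (HTTP 400 with errorType invalid_grant means the grant is dead and the user must re-authorize), as an added Python example that is not Fitbit's code nor any poster's. The token endpoint is a constructed stand-in, and the names TokenStore, FakeTokenEndpoint and the post callable are assumptions.

```python
import json
import threading

# Constructed sample of the 400 body this thread shows (RFC 6749 section 5.2 error format).
INVALID_GRANT_BODY = json.dumps({"errors": [{"errorType": "invalid_grant",
    "message": "Refresh token invalid or expired: <redacted>."}], "success": False})

class FakeTokenEndpoint:
    """Constructed stand-in for POST /oauth2/token: each refresh token works exactly once."""
    def __init__(self):
        self.n, self.valid = 1, {"rt-1"}

    def post(self, refresh_token):
        if refresh_token not in self.valid:      # reused, expired or unknown grant
            return 400, INVALID_GRANT_BODY
        self.valid.discard(refresh_token)        # consumed: the old token is now dead
        self.n += 1
        self.valid.add(f"rt-{self.n}")           # rotate to a fresh pair
        return 200, json.dumps({"access_token": f"at-{self.n}", "refresh_token": f"rt-{self.n}"})

class TokenStore:
    """One user's token pair; refresh() is serialized so workers never resend a refresh token."""
    def __init__(self, access_token, refresh_token, post):
        self.access_token, self.refresh_token = access_token, refresh_token
        self._post = post                        # hypothetical: refresh_token -> (status, body)
        self._lock = threading.Lock()
        self.refresh_calls = 0

    def refresh(self, stale_access_token):
        with self._lock:
            if self.access_token != stale_access_token:   # another worker already refreshed
                return self.access_token
            status, body = self._post(self.refresh_token)
            self.refresh_calls += 1
            if status != 200:
                # 400 + invalid_grant: the grant is unusable; only re-authorization helps
                err = json.loads(body).get("errors", [{}])[0].get("errorType")
                raise PermissionError(f"re-authorize user: HTTP {status} {err}")
            data = json.loads(body)
            self.access_token, self.refresh_token = data["access_token"], data["refresh_token"]
            return self.access_token

def refresh_from_parallel_workers(n_workers=8):
    store = TokenStore("at-1", "rt-1", FakeTokenEndpoint().post)
    stale, results = store.access_token, []   # every worker starts with the same stale token
    threads = [threading.Thread(target=lambda: results.append(store.refresh(stale)))
               for _ in range(n_workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return store.refresh_calls, set(results)  # (1, {"at-2"}): one refresh, shared result
```

Without the lock and the re-check after acquiring it, every worker would POST the same refresh token and all but the first would receive the 400 invalid_grant shown in the access log above.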


Thanks,

I found the problem on my side.
Now I got it.