help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

OAuth 2.0 beta is here!

Replies are disabled for this topic. Start a new one or visit our Help Center.

‎05-07-2015 09:52 - last edited on ‎03-29-2016 16:22 by Moderator Alum

‎05-07-2015 09:52 - last edited on ‎03-29-2016 16:22 by Moderator Alum

2015-10-12 UPDATE: OAuth 2.0 is now out of beta. Read more here.

 

Below is the original beta topic.

 

——————————

 

Today, we're excited to open access to the Fitbit OAuth 2.0 beta. All applications are now able to use OAuth 2.0 for user authorization. Documentation on using and upgrading to OAuth 2.0 is available here.

Very Important Note

During this beta period, Fitbit may need to make backwards incompatible changes with less than 30 days notice. Fitbit does NOT recommend using OAuth 2.0 in a production environment yet.

With your help testing, we hope to resolve any issues over the next few months. When we believe it is production ready, we will update this post.

How to report issues and get help

Please use the Fitbit Web API support forum. First, search to see if the issue has already been reported. If it hasn't been, create a new topic and use the "OAuth 2.0" label.

Please do not reply to this post unless you have a question or comment specific to this announcement so that others can more easily find answers.

Endpoint Updates

  • Heart Rate now available in daily and intraday time series (OAuth 2.0 required)
  • Get Activity TCX (OAuth 2.0 required)

 

Moderator edit: links

Best Answer
Labels:
54 REPLIES 54

‎05-07-2015 11:41 - edited ‎05-07-2015 11:42

‎05-07-2015 11:41 - edited ‎05-07-2015 11:42

Nice to see there's a way to exchange existing tokens!

 

What's the purpose of the "Basic" authorization headers? I guess there is an unwritten rule that every OAuth implementation must have at least one custom quirk 🙂

Eric Jain
Got data? Get answers at zenobase.com.
Best Answer

‎05-07-2015 11:54 - edited ‎05-07-2015 11:55

In response to ejain

‎05-07-2015 11:54 - edited ‎05-07-2015 11:55

@ejain wrote:

Nice to see there's a way to exchange existing tokens!

 

What's the purpose of the "Basic" authorization headers? I guess there is an unwritten rule that every OAuth implementation must have at least one custom quirk 🙂

"Basic" authorization headers are the official standard way to refresh tokens.

 

Our "custom quirk" piggybacks on the refresh token endpoint and hopefully helps significantly ease migration. 🙂

Best Answer
0 Votes

‎05-07-2015 12:27

In response to JeremiahFitbit

‎05-07-2015 12:27

Looks like this is indeed the recommended way to authenticate a client! Pardon my ignorance, this is the first time I see this in the wild (the alternate method of including the client credentials in the request body seems to be more commonly used).

Eric Jain
Got data? Get answers at zenobase.com.
Best Answer
0 Votes

‎05-14-2015 09:04

‎05-14-2015 09:04

It may be helpful to indicate that OAuth 2 authentication is in beta on the API wiki page. I didn't realize that it wasn't production-ready until spending all day yesterday implementing it in my app (only to find an issue and open the dev forum where I discovered OAuth 2 support had existed for only a few days).

Best Answer
0 Votes

‎05-14-2015 11:17

In response to bbowden

‎05-14-2015 11:17

@bbowden: I have updated the documentation.

Best Answer
0 Votes

‎05-15-2015 07:53 - edited ‎05-15-2015 07:54

In response to JeremiahFitbit

‎05-15-2015 07:53 - edited ‎05-15-2015 07:54

"Basic" should only be used in "Resource Owner Password Grant" https://tools.ietf.org/html/rfc6749#section-4.3  which contradicts the statement in your documentation "Fitbit currently supports the Authorization Code Grant flow."  To get the the Basic Authorization you need to have the Username and Password of the user.   Which an app would not have following the Authorization Code Grant flow.  The example in the spec illustrates a "Resource Owner Password Grant" refresh.

 

Best Answer
0 Votes

‎05-15-2015 09:56 - edited ‎05-15-2015 09:57

In response to natejgreene

‎05-15-2015 09:56 - edited ‎05-15-2015 09:57

@natejgreene wrote:

"Basic" should only be used in "Resource Owner Password Grant" https://tools.ietf.org/html/rfc6749#section-4.3  which contradicts the statement in your documentation "Fitbit currently supports the Authorization Code Grant flow."  To get the the Basic Authorization you need to have the Username and Password of the user.   Which an app would not have following the Authorization Code Grant flow.  The example in the spec illustrates a "Resource Owner Password Grant" refresh.

 

This is not true. "Basic" can be used in other flows too.

Please see 

https://tools.ietf.org/html/rfc6749#section-4.1.3

https://tools.ietf.org/html/rfc6749#section-4.4.2

 

 

 

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer

‎05-15-2015 10:35

‎05-15-2015 10:35

Ah my mistake. It is being used for the client authentication and not user authentication and is the preferred way per the spec. This is the first service I have seen where that is required. Typically it is just passed in the request body/url over https i.e. Google. There are probably a few client libraries that do not support it.
Best Answer

‎05-29-2015 11:09

‎05-29-2015 11:09

We are trying to build a wellness solution using the Charge HR and the OAuth 2 API. Do you have any idea when this API will be out of beta?

Best Answer
0 Votes

‎05-29-2015 11:28

In response to sbarrier

‎05-29-2015 11:28

@sbarrier: I don't have an estimate at this time. The underlying technology is fairly stable now. Fitbit itself now is using OAuth 2.0 in three production services. However, there have been minor, customer impacting issues and we may still need to make backwards incompatible changes. Most of the remaining beta issues are experiential: a sign in screen that's not mobile friendly, OAuth 1.0a scopes being required, the visual design not yet perfect.

Best Answer
0 Votes

‎06-02-2015 13:04

In response to JeremiahFitbit

‎06-02-2015 13:04

Would you anticipate, not commit, that the beta process would take weeks and not months?

Best Answer
0 Votes

‎06-02-2015 13:23

In response to iatricjb

‎06-02-2015 13:23

@iatricjb wrote:

Would you anticipate, not commit, that the beta process would take weeks and not months?

I anticipate that it will be months, not weeks, before OAuth 2.0 transitions from beta to our recommended method. It's fairly stable now, but there are unknown unknowns and we may need to make backwards incompatible changes faster than our usual 30 day policy. We are still working on new features, UI improvements, and bug fixes.

 

Fitbit itself now is using OAuth 2.0 in three production services, but we've done so with the understanding that things may break or need to change quickly.

Best Answer
0 Votes

‎06-13-2015 04:16

‎06-13-2015 04:16

There is a mobile friendly login page for the OAuth 2.0?
Best Answer
0 Votes

‎06-14-2015 12:43

In response to freeubi_tep

‎06-14-2015 12:43

@freeubi_tep wrote:
There is a mobile friendly login page for the OAuth 2.0?

Not yet. It is a launch requirement, so it will be available at some point before the OAuth 2.0 beta period concludes.

Best Answer
0 Votes

‎06-17-2015 04:58 - edited ‎06-29-2015 00:37

In response to JeremiahFitbit

‎06-17-2015 04:58 - edited ‎06-29-2015 00:37

Can we use all old Oauth 1.0a scopes with Oauth 2.0?

Thanks!

Best Answer
0 Votes

‎06-30-2015 01:28

In response to JeremiahFitbit

‎06-30-2015 01:28

Thanks for your reply.

Actually i'm thinking of a temp solution:
Can I use the old OAuth 1.0a login system to get the credentials, then immediately exchange the tokens to OAuth 2.0? Then I can store them and use later.
This way I still have a mobile friendly page 🙂

Best Answer
0 Votes

‎06-30-2015 09:45

In response to freeubi

‎06-30-2015 09:45

@freeubi wrote:

Thanks for your reply.

Actually i'm thinking of a temp solution:
Can I use the old OAuth 1.0a login system to get the credentials, then immediately exchange the tokens to OAuth 2.0? Then I can store them and use later.
This way I still have a mobile friendly page 🙂

If you can wait a while longer, you won't have to jump through those hoops. We will definitely have all mobile friendly pages by the time OAuth 2.0 exits beta.

Best Answer
0 Votes

‎06-30-2015 09:46

In response to JorgeYago

‎06-30-2015 09:46

@JorgeYago wrote:

Can we use all old Oauth 1.0a scopes with Oauth 2.0?

Thanks!

Are you referring to when you exchange an OAuth 1.0 token for an OAuth 2.0 token, are the scopes preserved? The answer to that is yes.

Best Answer
0 Votes

‎06-30-2015 11:23

In response to SunsetRunner

‎06-30-2015 11:23

Are there any chances that it will be available in the next 2 weeks?

Best Answer
0 Votes