I’m trying to learn OAuth2 and webhooks by getting data from my Fitbit account. From experimenting with Postman, I’ve found that the following authentication link works:
My initial post was a screenshot that results from just pasting the fitbit.com/oauth2/… URL into a browser. One thing I’ve since noticed is that even though that says Failed to complete the authorization process, that window’s address bar has a valid code and state, which I can use in Postman/Curl/Python to get sleep data.
If I try to use a webhook, I get this error instead:
Since Foundry/outbound applications will handle the login and token calls for you, you don’t have to define a webhook for it.
Instead, directly define the API call/webhook to receive the actual data. The token from the outbound application is automatically set (visible in your screenshots).
Does Fitbit support grant_type authorization_code? I see that you defined grant_type refresh_token; I assume that was for testing the refresh?
I’ve created a new webhook (below), and I’m still getting the same error. I get past the second screenshot below, and then I get the error. Also, from reading documentation, it appears that Fitbit supports OAuth 2 with and without PKCE. How does it know which method Palantir is trying? My wild guess (not an OAuth 2 expert) is that Palantir is using OAuth 2 without PKCE and Fitbit is currently expecting OAuth 2 with PKCE.
What would you recommend next to troubleshoot this?
At this point I would recommend sharing a new error id with Palantir support to look at the backend logs. From what I can see your configuration looks good.
From my experience Foundry will start the flow with PKCE.
@nicornk I submitted the issue ticket and also took a screen recording. Could you please check if I’m missing anything obvious? I’m surprised that it works when I test locally with Python with Palantir’s redirect link (see video), but fails in Foundry.
Unfortunately Outbound Applications currently do not support PKCE for OAuth2 flows. It is something that we’re aware of and keeping on our radar. Is this a requirement from the Fitbit API side?
This is not a requirement from the Fitbit side, but I still run into the same issue. I’ll post an updated video showing the Python working locally without PKCE after the weekend.
Update: Fitbit does not require PKCE, and the link to the video shows Fitbit working without PKCE. @uzaheer Is there anything I can do to fix the webhook in the previous video? If not, would you recommend setting authentication to none and then manually configuring the authorization webhooks?
Is it possible to re-run the broken webhook and provide a new error-instance-id? I can check through our internal logs to figure out what might be happening here.
In the meantime, yeah, I think testing locally as you are is a good idea. The reason you might be getting a missing state error is because the authorization URL requires a different value for the state parameter. The state query parameter should be the base64 encoded string of your Outbound Application RID.
Thanks for looking into it, here’s a new error id: 339d69dd-c8d9-4062-a261-508a6f771ccb
I’ll try your suggestion about the state parameter next time.
Could this have anything to do with the issue? Fitbit docs say to remove “#_=_” during authentication, and I don’t see a way to do so. Link (skip to Step 3 - Retrieving the Authorization Code): https://dev.fitbit.com/build/reference/web-api/developer-guide/authorization/
From the logs I am seeing, the OAuth2 server did not return a successful response. It returned 401, which leads me to believe that the issue is exactly as you mentioned. On the backend we don’t have any special logic for code-ending delimiters, especially #_=_, and as such when our server goes to fetch the token using the authorization code provided by Fitbit we end up getting 401 since we aren’t actually providing a valid token.
In short, we actually don’t support this behavior and will likely need to make updates to our backend to start supporting it. Is using this special delimiter a standard found in any OAuth2 Open Standards (RFCs)?
Hi @uzaheer, according to Grok, it isn’t in the RFCs; however, when I test the same authentication with Postman, the desired result is returned. Please see this in my new screen recording here: Postman OAuth2
Also, I took another look at the local Python code, and it doesn’t necessarily have special logic for the “#_=_”. The relevant snippet (AI-generated) is pasted below.
What would you recommend for getting Fitbit data into Foundry? Please advise.
# Parse the user input (the redirect URL) to extract the code and check the state
from urllib.parse import urlparse, parse_qs

def extract_code(user_input, expected_state):
    parsed_url = urlparse(user_input)          # any "#_=_" fragment is split off here, not kept in the query
    query_params = parse_qs(parsed_url.query)  # only the ?code=...&state=... part is parsed
    if query_params.get('state', [None])[0] != expected_state:
        raise ValueError('state mismatch')
    code = query_params['code'][0]
    return code
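The thread’s point about Fitbit’s trailing “#_=_” and the state parameter, as an added example that is not part of the original post or of Foundry’s code: it contrasts a naive “everything after code=” extraction, which drags the fragment into the code, with parsing the redirect URL properly, and it checks the state against the base64-encoded RID the Palantir reply describes. The RID, code and callback URL are constructed placeholders.

```python
# Added example (not from the thread): why "#_=_" breaks naive code extraction
# and how proper URL parsing plus a state check avoids it.
import base64
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed placeholder RID (not a real Foundry identifier) and the state
# value the thread says Foundry expects: the base64 encoding of the RID.
EXAMPLE_RID = "ri.example.source.abc123"
EXPECTED_STATE = base64.b64encode(EXAMPLE_RID.encode()).decode()

# Constructed authorization code (not a real Fitbit value).
CODE = "0123456789abcdef0123456789abcdef"

# Constructed redirect URL in the shape Fitbit sends back: code is the last
# query parameter and the trailing "#_=_" is a URL fragment, not query data.
REDIRECT_URL = (
    "https://app.example.com/callback?"
    + urlencode({"state": EXPECTED_STATE, "code": CODE})
    + "#_=_"
)


def naive_extract_code(url: str) -> str:
    """Take everything after 'code=' up to the next '&'.
    When the code is the last parameter, the fragment rides along, so the
    token request carries 'code...#_=_' and the server answers 401."""
    after = url.split("code=", 1)[1]
    return after.split("&", 1)[0]


def extract_code(url: str, expected_state: str) -> str:
    """Parse the redirect URL, verify the state, return the clean code.
    urlparse() puts '_=_' in .fragment, so the query is parsed untouched."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    state = params.get("state", [None])[0]
    if state != expected_state:
        raise ValueError("state mismatch: wrong or forged redirect")
    return params["code"][0]


if __name__ == "__main__":
    print("fragment :", urlparse(REDIRECT_URL).fragment)
    print("naive    :", naive_extract_code(REDIRECT_URL))
    print("parsed   :", extract_code(REDIRECT_URL, EXPECTED_STATE))
```

Running it shows the naive value ending in “#_=_” while the parsed value is the bare code, which is the difference between a 401 and a token.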
Hi @uzaheer, is there a way to do OAuth2 manually? I think I can generate the authorization URL that sends users to the authentication page, use POST webhooks to get the tokens, and track tokens in a dataset, but I don’t know how to get the OAuth2 pop-up nor how to get the code and state params after the user is successfully authenticated and redirected.
Can you please share the full request (or at least the headers) that Palantir is sending to Fitbit in the POST request to https://api.fitbit.com/oauth2/token? (Is that the request that gets the 401 response?)