For my system, my users have their own unique ID (participant_id) that I've provided them.
I have a flask server that registers my users with Fitbit.
```python
from flask import Flask, request

app = Flask(__name__)
# FITBIT_AUTHORIZATION_URL and fitbit_access are defined elsewhere in my app

@app.route('/fitbit_authorize')
def homepage():  # probably need to send participant_id here
    return '<a href="%s">Authenticate with fitbit</a>' % FITBIT_AUTHORIZATION_URL
```
Fitbit sends a post request regarding the successfulness of my participant registration to the following where I get their user access/refresh tokens for oauth:
```python
@app.route('/fitbit_callback')
def fitbit_callback():
    error = request.args.get('error', '')
    if error:
        return "Error: " + error
    state = request.args.get('state', '')
    code = request.args.get('code')
    token = fitbit_access.get_full_token(code)  # exchanges the code for access/refresh tokens
```
I was wondering how I can retrieve the authorizer's original ID (participant_id) in the callback. Is there any way for me to pass additional information in the Fitbit authorization process, or what would be the best way for me to retrieve their participant_id?
Good question.
OAuth2 allows you to include state information in the authorization request. You can include the participant_id in the `state` parameter: https://dev.fitbit.com/build/reference/web-api/oauth2/

> state: Provides any state that might be useful to your application when the user is redirected back to your application. This parameter will be added to the redirect URI exactly as your application specifies. Fitbit strongly recommend including an anti-forgery token in this parameter and confirming its value in the redirect to mitigate against cross-site request forgery (CSRF).
In addition to providing the participant_id, you should provide an anti-forgery token to help fight CSRF.
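Here is an added example (not code from the question or the answer) of one way to do both at once: pack the participant_id and a per-session anti-forgery nonce into the `state` value, sign it with a server-side HMAC so the participant_id cannot be altered in transit, and in the callback verify both the signature and that the nonce matches the one stored in the browser's Flask session. The signing key is a placeholder, and the Fitbit authorize endpoint and the `activity` scope are assumed; the Flask wiring is sketched in the trailing comment.

```python
import base64
import hmac
import json
from hashlib import sha256
from urllib.parse import urlencode

# Placeholder signing key: load a real random secret from config in production.
STATE_KEY = b"placeholder-state-signing-key"
FITBIT_AUTHORIZE_ENDPOINT = "https://www.fitbit.com/oauth2/authorize"


def make_state(participant_id, nonce):
    """Pack participant_id and the session nonce into a signed, URL-safe state value."""
    payload = json.dumps({"pid": participant_id, "nonce": nonce},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(STATE_KEY, payload, sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode().rstrip("=")


def verify_state(state, session_nonce):
    """Return the participant_id if the state is untampered and was issued for
    this browser session's nonce; return None otherwise."""
    try:
        raw = base64.urlsafe_b64decode(state + "=" * (-len(state) % 4))
        payload, sig = raw[:-32], raw[-32:]
        expected = hmac.new(STATE_KEY, payload, sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None          # forged or modified state
        data = json.loads(payload)
    except (ValueError, TypeError):
        return None              # not something this server issued
    if not hmac.compare_digest(data.get("nonce", ""), session_nonce):
        return None              # flow started in another session: possible CSRF
    return data["pid"]


def build_authorize_url(client_id, redirect_uri, participant_id, nonce, scope="activity"):
    """Authorization URL for Fitbit's code flow with the signed state attached."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope,
              "state": make_state(participant_id, nonce)}
    return FITBIT_AUTHORIZE_ENDPOINT + "?" + urlencode(params)


# Flask usage (sketch): in /fitbit_authorize, set nonce = secrets.token_urlsafe(16),
# store it in session["oauth_nonce"], and link to build_authorize_url(...).
# In /fitbit_callback, call verify_state(request.args.get("state", ""),
# session.pop("oauth_nonce", "")) and abort(400) on None before exchanging the code.
```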