oAuth2.0 - Fitbit does not return auth code (attributes cannot be empty error)


I've been struggling with implementing the Authorization Code Grant flow for the Fitbit API. I've set up the WebSecurityConfigurerAdapter, and I get correctly redirected to the Fitbit /oauth2/authorize page, where I can give permission. However, when I allow my application access, it says the following: authorization_request_not_found. Also, the URL does not include a code.

I cannot really find good documentation on how to implement the next step using Spring Boot. It would be greatly appreciated if anyone could point me in the right direction. Thanks.

Stack: [image]

There is 1 best solution below

The problem is in the access token request. Following the authorization code grant flow, you need to set the Authorization header to Basic. Your client_id and secret, concatenated with a colon and encoded to Base64, will be your Basic authorization header value.

You can find more info in the official docs: Access Token Request

Implementing this in Spring Security is quite simple. Just follow this tutorial: Custom Token Request

The convert method of the CustomRequestEntityConverter class should look like the one below:

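// Needs java.util.Base64 and java.nio.charset.StandardCharsets in addition to the Spring imports.
@Override
public RequestEntity<?> convert(OAuth2AuthorizationCodeGrantRequest req) {
    // Start from the token request that Spring Security builds by default.
    RequestEntity<?> entity = defaultConverter.convert(req);
    MultiValueMap<String, String> headers = entity.getHeaders();

    // BASIC_AUTHORIZATION holds "client_id:client_secret"; encode it with an explicit charset.
    String authorization = Base64.getEncoder()
            .encodeToString(BASIC_AUTHORIZATION.getBytes(StandardCharsets.UTF_8));

    HttpHeaders httpHeaders = new HttpHeaders();

    // setBasicAuth(String) takes already-encoded credentials and adds the "Basic " prefix.
    httpHeaders.setBasicAuth(authorization);
    httpHeaders.addAll(headers);

    return new RequestEntity<>(entity.getBody(), httpHeaders, entity.getMethod(), entity.getUrl());
}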
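
The header and form body that the answer describes can be checked outside Spring with plain Java. This is an added example, not code from the original answer or from Fitbit: the class name `TokenRequestSketch`, the sample client id, secret, code and redirect URI are all constructed, and it assumes Java 10 or later. It follows RFC 6749 section 2.3.1, which form-encodes the id and secret before joining them, so a secret containing `:` cannot be confused with the separator.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical helper class (Java 10+); all values in main() are constructed samples.
public class TokenRequestSketch {

    static String formEncode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // RFC 6749 section 2.3.1: form-encode id and secret, join with ':', then Base64.
    static String basicAuthHeader(String clientId, String clientSecret) {
        String pair = formEncode(clientId) + ":" + formEncode(clientSecret);
        return "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    // Form body of the token request for the authorization code grant (section 4.1.3).
    static String tokenRequestBody(String code, String redirectUri) {
        return "grant_type=authorization_code"
                + "&code=" + formEncode(code)
                + "&redirect_uri=" + formEncode(redirectUri);
    }

    // Debugging aid: recover only the client id from a header, never the secret.
    static String clientIdFromHeader(String header) {
        if (!header.startsWith("Basic ")) {
            throw new IllegalArgumentException("not a Basic authorization header");
        }
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("decoded value has no ':' separator");
        }
        return URLDecoder.decode(pair.substring(0, colon), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // The ':' inside the sample secret becomes %3A, so the first ':' is the separator.
        String header = basicAuthHeader("SAMPLEID", "sample:secret/value");
        System.out.println("client_id in header: " + clientIdFromHeader(header));
        System.out.println(tokenRequestBody("sample-code",
                "http://localhost:8080/login/oauth2/code/fitbit"));
    }
}
```

When comparing this against a captured request, log only the output of `clientIdFromHeader`; the full header value is equivalent to the client secret.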