For example, to get the access token, they require Basic authorization in the request header, and the value is the Base64-encoded string of the concatenation of your client ID and secret separated by a colon (clientId:clientSecret). This is a bit redundant, IMO, as you already need to send your client ID in the body parameters.
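The token request described above, built with the JDK's `java.net.http` classes (Java 11+), as an added example that is not from the original post or its demo repository. The endpoint URL, credentials and authorization code are constructed placeholders, and the body parameter names are the standard RFC 6749 ones, assumed here to be what Fitbit expects.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class FitbitTokenRequestExample {
    // "Basic " + Base64("clientId:clientSecret"); Base64 is an encoding, not encryption.
    static String basicAuth(String clientId, String clientSecret) {
        byte[] pair = (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // application/x-www-form-urlencoded body; keys and values are percent-encoded once, here.
    static String formBody(Map<String, String> params) {
        return params.entrySet().stream()
                .map(e -> enc(e.getKey()) + "=" + enc(e.getValue()))
                .collect(Collectors.joining("&"));
    }

    static HttpRequest tokenRequest(URI endpoint, String clientId, String clientSecret,
                                    String code, String redirectUri) {
        // The header carries the client secret in recoverable form, so refuse plain HTTP.
        if (!"https".equalsIgnoreCase(endpoint.getScheme()))
            throw new IllegalArgumentException("token endpoint must use https");
        Map<String, String> form = new LinkedHashMap<>();
        form.put("client_id", clientId); // sent again in the body, as the post notes
        form.put("grant_type", "authorization_code");
        form.put("redirect_uri", redirectUri);
        form.put("code", code);
        return HttpRequest.newBuilder(endpoint)
                .header("Authorization", basicAuth(clientId, clientSecret))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(formBody(form)))
                .build();
    }

    public static void main(String[] args) {
        // Constructed placeholder values; substitute the real endpoint and credentials.
        HttpRequest req = tokenRequest(URI.create("https://token-endpoint.example/oauth2/token"),
                "EXAMPLE_ID", "EXAMPLE_SECRET", "EXAMPLE_CODE", "http://example.com");
        System.out.println(req.method() + " " + req.uri());
        System.out.println("Authorization set: " + req.headers().firstValue("Authorization").isPresent());
    }
}
```

Because the header value decodes straight back to the client secret, keep it out of request logs and error reports.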
When I first found out that they use OAuth 2.0, I could not wait to try scribe-java, as it is a great OAuth 2.0 client library. However, as Fitbit's implementation does not follow the standard exactly, it's a bit hacky to use scribe-java.
Nevertheless, it's still quite simple to get the job done (thanks to the excellent work of scribe-java). I have made a simple demo in my GitHub repository. You can just copy two classes, FitbitApi20 and Fitbit20ServiceImpl, and then the setup is super smooth:
    final OAuth20Service service = new ServiceBuilder()
            .apiKey(clientId)
            .apiSecret(clientSecret)
            .scope("activity%20profile") // replace with desired scope
            .callback("http://example.com") // your callback URL to store and handle the authorization code sent by Fitbit
            .state("some_params")
            .build(FitbitApi20.instance());
Quite easy, isn't it?