401 Unauthorized when using the generic OAuth Middleware with ASP.NET 5

Question

I am trying to hook up a website that I am building to FitBit using ASP.NET 5 (rc1-final), Identity and the MS.AspNet.Authentication.OAuth middleware. I am intending to use the Authorization Grant Flow for OAuth 2.0. I have the app set up (details below) on FitBit, and my Startup.cs looks like:

app.UseIdentity();

app.UseOAuthAuthentication(options =>
    {
        options.AuthenticationScheme = "FitBit-AccessToken";
        options.AuthorizationEndpoint = "https://www.fitbit.com/oauth2/authorize";
        options.TokenEndpoint = "https://api.fitbit.com/oauth2/token";
        options.SaveTokensAsClaims = true;
        options.CallbackPath = new PathString("/signing-fitbit-token/");
        options.ClientId = "[MY ID STRIPPED OUT]";
        options.ClientSecret = "[MY SECRET STRIPPED OUT]";
        options.DisplayName = "FitBit";
        options.Scope.Add("activity");
        options.Scope.Add("heartrate");
        options.Scope.Add("location");
        options.Scope.Add("nutrition");
        options.Scope.Add("profile");
        options.Scope.Add("settings");
        options.Scope.Add("sleep");
        options.Scope.Add("social");
        options.Scope.Add("weight");
        options.AutomaticAuthenticate = true;
    });

When I click the login button, I am directed to the authorization page on FitBit, but when I click Authorize, I am greeted with the ASP.NET dev error page:

An unhandeled exception occurred while processing the request.
HttpRequestException: Response status code does not indicate success: 401 (Unauthorized)
     System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()

I did read here that with some OAuth endpoints (namely Yahoo) they don't like localhost. So, I tried it both with localhost, and modifying my hostfile to a different domain. I have ensured that the redirect url that I am passing in is what is registered for the app at FitBit.

This error is coming from my website, and is getting through to the point where its exchanging the code for the access token. I have fiddler open I'm a bit lost as to where to go from here. I am running on http (since this is local dev and I don't have an ssl cert yet), but I wasn't entirely sure if that mattered.

score 2 · Answer 1 · answered Jan 06 '16 at 00:27

By default, the OAuth2 generic middleware sends the client credentials by flowing them in the request form (encoded using application/x-www-form-urlencoded).

Sadly, Fitbit only supports basic authentication: since the credentials are not flowed in the Authorization header, Fitbit treats your token request as unauthenticated and rejects it.

Luckily, this is something the dedicated Fitbit social provider (internally based on the OAuth2 generic middleware) will handle for you: https://www.nuget.org/packages/AspNet.Security.OAuth.Fitbit/1.0.0-alpha3

app.UseFitbitAuthentication(options => {
    options.ClientId = "230H9";
    options.ClientSecret = "ae7ff202cg5z42d85a3041fdc43c9c0b2";
});

That's it! Thank you! – Justin Blakley Jan 06 '16 at 00:59 — Justin Blakley, Jan 06 '16 at 00:59

score 1 · Answer 2 · answered Jan 05 '16 at 23:20

1

Something is going wrong with the OAuth request to FitBit, you need to debug that request and see why you got a 401 back from FitBit.

answered Jan 05 '16 at 23:20

Hao Kung

28,040
6
84
93

It's worth mentioning that RC2 will make HTTP errors easier to debug ;) – Kévin Chalet Jan 06 '16 at 01:03

401 Unauthorized when using the generic OAuth Middleware with ASP.NET 5

2 Answers2