core: Fitbit Callback-URL during OAuth-flow does not use https

Home Assistant release with the issue: 0.83.1

Last working Home Assistant release (if known): unknown

Operating environment (Hass.io/Docker/Windows/etc.): Hassio

Component/platform: sensor.fitbit

Description of problem: Even if the base_URL is set to include an explicit protocol (https in this case), the authorization-call to the Fitbit-API does not include said protocol. New fitbit apps are required to use https in the callback.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

http:
  # Secrets are defined in the file secrets.yaml
  api_password: !secret http_password
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: https://ha.pc-coholic.de
  ip_ban_enabled: true
  login_attempts_threshold: 1

sensor:
  - platform: fitbit
    clock_format: 24H
    unit_system: metric
    monitored_resources:
      - "body/weight"
      - "body/bmi"

Additional information: In the second step of the Fitbit Authorization, the user is asked to click a link like IP/api/fitbit.

This link redirects to the Fitbit OAuth Authorization-screen.

However, if a https-URL is set as HomeAssistant’s base_url, the call fails, as the redirect_uri-parameter is not populated with the https from base_url. As a consequence, the call fails and HA cannot be authorized, as the non-HTTPS-URI is not in Fitbit’s list of acceptable callback-URI.

Quick Fix/Workaround: Manually append the missing s to redirect_uri.

Couldn’t necro https://github.com/home-assistant/home-assistant/issues/15236 so I copied his issue as mine is the same.

Changing the redirect url to include https in the fitbit auth page does not work since HA stores the url locally as http. After changing the url https://www.fitbit.com/oauth2/authorize?response_type=code&client_id=XYZ&redirect_uri=https%3A%2F%2Fme.duckdns.org%2Fapi%2Ffitbit%2Fcallback&scope=activity+heartrate+weight&state=ABC to include https, I get a fitbit permission screen, but after saving I get a 500 from HASS.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 5
  • Comments: 42
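
As an added example (not Home Assistant's or Fitbit's code), this Python check parses an authorize URL of the form quoted in the issue and reports whether its redirect_uri is https, matches base_url and is a registered callback. The host ha.example.org, the function names and the exact-string comparison against the registered list are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

CALLBACK_PATH = "/api/fitbit/callback"  # path seen in the authorize URL quoted in the issue


def expected_redirect_uri(base_url):
    """Build the callback URI from base_url, keeping its explicit scheme."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("base_url needs an explicit http:// or https:// scheme")
    return f"{parts.scheme}://{parts.netloc}{CALLBACK_PATH}"


def check_authorize_url(authorize_url, base_url, registered_callbacks):
    """Return a list of problems with the redirect_uri in an authorize URL."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if len(values) != 1:
        return ["authorize URL must carry exactly one redirect_uri"]
    sent = values[0]  # parse_qs has already percent-decoded the value
    problems = []
    if urlsplit(sent).scheme != "https":
        problems.append("redirect_uri is not https")
    if sent != expected_redirect_uri(base_url):
        problems.append("redirect_uri does not match base_url")
    if sent not in registered_callbacks:  # assumed: exact string match
        problems.append("redirect_uri is not a registered callback")
    return problems


def token_request_matches(authorize_redirect_uri, token_redirect_uri):
    """RFC 6749 section 4.1.3: both requests must send the identical redirect_uri."""
    return authorize_redirect_uri == token_redirect_uri


# Constructed sample data: ha.example.org, XYZ and ABC are placeholders.
BASE_URL = "https://ha.example.org"
REGISTERED = ["https://ha.example.org/api/fitbit/callback"]
AUTHORIZE_HTTP = (
    "https://www.fitbit.com/oauth2/authorize?response_type=code&client_id=XYZ"
    "&redirect_uri=http%3A%2F%2Fha.example.org%2Fapi%2Ffitbit%2Fcallback"
    "&scope=activity+heartrate+weight&state=ABC"
)
AUTHORIZE_HTTPS = AUTHORIZE_HTTP.replace("redirect_uri=http%3A", "redirect_uri=https%3A")

if __name__ == "__main__":
    print(check_authorize_url(AUTHORIZE_HTTP, BASE_URL, REGISTERED))
    print(check_authorize_url(AUTHORIZE_HTTPS, BASE_URL, REGISTERED))
```

The last helper covers the hand-edited case from the issue: if the authorize step was changed to https but the stored value sent at the token step is still http, the two differ and the token exchange is rejected.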

Most upvoted comments

I seem to be having this issue, or a similar one as well on 0.85.1. I’m running on Hassio and I have the Let’s Encrypt addon. My router is port-forwarding 443 to my Hassio RPi.

I’ve got my app set up with my domain name and https endpoint. The permissions screen on fitbit.com shows up correctly. When redirecting to hass, I get a 500 Error. The log mentions the stack trace below. Should I open a separate issue?

2019-01-20 18:35:30 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/aiohttp/web_protocol.py", line 406, in start
    resp = await task
  File "/usr/local/lib/python3.6/site-packages/aiohttp/web_app.py", line 435, in _handle
    resp = await handler(request)
  File "/usr/local/lib/python3.6/site-packages/aiohttp/web_middlewares.py", line 120, in impl
    return await handler(request)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/http/static.py", line 66, in staticresource_middleware
    return await handler(request)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/http/real_ip.py", line 34, in real_ip_middleware
    return await handler(request)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/http/ban.py", line 67, in ban_middleware
    return await handler(request)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/http/auth.py", line 99, in auth_middleware
    return await handler(request)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/http/view.py", line 115, in handle
    result = handler(request, **request.match_info)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/sensor/fitbit.py", line 333, in get
    redirect_uri)
  File "/usr/local/lib/python3.6/site-packages/fitbit/api.py", line 146, in fetch_access_token
    code=code)
  File "/usr/local/lib/python3.6/site-packages/requests_oauthlib/oauth2_session.py", line 307, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/usr/local/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 415, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/usr/local/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 425, in parse_token_response
    validate_token_parameters(params)
  File "/usr/local/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 432, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/usr/local/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 405, in raise_from_error
    raise cls(**kwargs)
oauthlib.oauth2.rfc6749.errors.InvalidClientError: (invalid_client) 

It looks like the Fitbit component is generating its own URL and sending that, rather than using the external_url which has been defined …

I couldn’t get it to work using the file @an-pham provided either. But it got me thinking with the requirements and the change to using manifest.json for components.

I’m running 0.93.1. Here is what I did:

I copied the files from https://github.com/home-assistant/home-assistant/tree/master/homeassistant/components/fitbit to /config/custom_components/fitbit

I modified manifest.json to include “requests-oauthlib==1.1.0” and “oauthlib==2.1.0”:

"requirements": [ "fitbit==0.3.0", "requests-oauthlib==1.1.0", "oauthlib==2.1.0" ],

I restarted Hass.io twice and fitbit callback worked, no 500 error.

I have the same exact problem. Is there a solution to it?

I still have the same problem with fitbit. I get the error 500 server. I’m trying @SPCulhane’s trick now.

Possible points you can debug, hope it helps:

  • I removed “fitbit==0.3.0” from reference
  • Take a look into: /config/home-assistant.log to make sure your custom_component is loaded (where the exception was thrown should be: /config/custom_components/fitbit/sensor.py)
  • Since now you have your own component, maybe you can debug to see exactly what happened

Here’s how I set up to debug: Added to #configuration.yaml

logger:
  default: info
  logs:
      custom_components.fitbit: debug

And in fitbit/sensor.py, use _LOGGER to debug

_LOGGER.info("fetch_access_token from data: %s", data.get('code'))
_LOGGER.info("redirect url: %s", redirect_uri)

That’s an important note for anyone having issues, I’ve seen this reported on the python-fitbit repository as well. Welcome aboard to the working fitbit integrations @fgsalvador 😃

I can confirm the workaround works on 0.86.3 on hassbian too. Thanks!

@andreimarinescu Thank you for the workaround. I can also confirm it worked for me too.

Hi @andreimarinescu, I had to recreate the app on Fitbit site and replace fitbit.conf to make it work (with your gist)

Thanks, that was very helpful!