Generic OAuth (Fitbit) - 403 Error?

Hi, after setting everything up on Docker Compose, all the pre-installed nodes work fine (e.g. I was able to connect to and use the Spotify API through OAuth), but I hit a wall when trying to do the OAuth dance with Fitbit through the HTTP Request node.

I couldn’t get the authentication to work correctly. I can get Fitbit to redirect correctly to /rest/oauth2-credential/callback, but I end up with a 500 page with the following: {"code":0,"message":"HTTP status 403","hint":""}

I have tried manually exchanging for the access/refresh tokens by plucking the tokens from the redirect URL, and it works fine through Postman. Their OAuth flow is pretty close to spec, so nothing too surprising that I can tell.

From my verbose debug logs, I see that even when I’m getting a 500 error, the credential seems to be getting saved:

2022-09-16T06:26:39.544Z | verbose  | Credential updated "{ credentialId: '8', file: 'credentials.api.js' }"
2022-09-16T06:26:39.611Z | verbose  | OAuth2 authentication successful for new credential "{\n  userId: 'someUserId',\n  credentialId: '8',\n  file: 'oauth2Credential.api.js'\n}"

Running the HTTP Request node ended up with a rejection too; the UI wasn’t happy with the credentials in the database, so I guess I can’t brute force and skip over trying to connect. The verbose logs indicate:

{
  error: {
    context: {},
    name: 'NodeApiError',
    cause: {
      status: 'rejected',
      reason: Error: OAuth credentials not connected!
        at Object.requestOAuth2 (/usr/local/lib/node_modules/n8n/node_modules/n8n-core/dist/src/NodeExecuteFunctions.js:647:15)
    }

Information on your n8n setup

  • n8n version: 0.194.0
  • Database you’re using (default: SQLite): Default SQLite
  • Running n8n with the execution process [own(default), main]: own
  • Running n8n via [Docker, npm, n8n.cloud, desktop app]: Docker compose (n8n-digital-ocean)

Hi @snowypowers, welcome to the community!

The HTTP status 403 suggests Fitbit rejects the connection request. Can you confirm how exactly you have configured your OAuth2 credentials? From looking at OAuth2 Token it seems the token comes through in the body rather than the header (which is the default option used by n8n), so this would be the first field I’d double-check.

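To make the Header-versus-Body distinction in the reply above concrete, here is an added example (not code from this thread or from n8n) that builds the authorization-code token exchange both ways: client credentials as an HTTP Basic header, or as form fields in the request body. The token endpoint URL, client ID, secret and code are constructed placeholders.

```python
import base64
from urllib.parse import urlencode

# Placeholder, not taken from the thread: substitute the provider's real token endpoint.
TOKEN_URL = "https://TOKEN_ENDPOINT/oauth2/token"


def build_token_request(client_id, client_secret, code, redirect_uri, auth_method="header"):
    """Return (headers, form_body) for the authorization-code exchange.

    auth_method="header": credentials sent as HTTP Basic (n8n's default "Header" option).
    auth_method="body":   credentials sent as client_id/client_secret form fields ("Body").
    RFC 6749 section 2.3.1 allows both; a provider may accept only one, and sending the
    wrong one is a common cause of a 401/403 on the token endpoint.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the registered callback exactly
    }
    if auth_method == "header":
        raw = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    elif auth_method == "body":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError("auth_method must be 'header' or 'body'")
    return headers, urlencode(params)


def decode_basic(authorization_header):
    """Recover (client_id, client_secret) from a Basic header, e.g. when checking
    what a client actually sent in a captured request."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(encoded).decode("utf-8")
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        raise ValueError("Basic credential lacks ':' separator")
    return client_id, secret
```

Send the same exchange both ways against the provider's token endpoint; whichever shape returns a token instead of a 403 is the option to select in the n8n credential.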

I believe the Header option is correct. This option should be setting the Basic <base64-encoded-clientId:clientSecret>. Just to be safe, I did attempt to connect with both options and both returned the same 403 error.

I cannot get a 403 error manually through Postman, so I’m a little confused.

Hi @snowypowers, it seems you are right.

I just created a Fitbit account and registered a new application with these settings (and an OAuth 2.0 Application Type value of Server):

In n8n I then used these settings in my credentials:

I could then connect n8n as expected without ending up on an error page:

Perhaps you could give the exact settings I have used above a go (apart from your own client ID and secret, of course)?