Force fitbit OAuth setup to use external url

[3v1n0]

Proposed change

In order to be linked with fitbit account we need to use HA external
url, while current implementation might cause internal uri usage which
of course won't work for OAuth challenge

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• This PR fixes or closes issue: fixes #
• This PR is related to issue:
• Link to documentation pull request:

Checklist

• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• The code has been formatted using Black (black --fast homeassistant tests)
• Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• Untested files have been added to .coveragerc.

The integration reached or maintains the following Integration Quality Scale:

• No score or internal
• 🥈 Silver
• 🥇 Gold
• 🏆 Platinum

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.

[frenck]

This is incorrect. OAuth specification does not require an external URL. Furthermore, because of NAT loopback issues, not everybody can use an external URL, to begin with. Hence, doing that causes different issues.

IP based URLs, Non-SSL & SSL based URLs and internal and external URLs are all valid to use for OAuth authentication.

The current stable version actually looks at the current URL you are using in your browser (and must have been configured in your instance). The dev version diverts a bit.

[3v1n0]

Well, on redirect/callback URL it must be external, no? How the service can access to that otherwise?

[frenck]

The service does not access that. With OAuth the applications do not talk directly to each other. Your browser does that via redirects. Hence, it doesn't have to be public (as long as your browser can access it).

[frenck]

What actually needs to happen, is that this integration needs to be migrated onto a config flow using the OAuth2 helpers, which will actually automatically start using the actual URL the client has in their browser (as of the next Home Assistant release).

[3v1n0]

I see, well using latest stable without this I was just getting my local IP address that was rejected by fitbit as wrong redirect URL, so that's the only way to get it working

[frenck]

wrong redirect URL

That means the redirect URL in the application you have registered @ FitBit, is not matching. This is a configuration error. Not a bug.

[MartinHjelmare]

I'll close here now. Still, thanks for your contribution!

We'd love to see a PR to migrate this integration to use a config flow and config entries.

https://developers.home-assistant.io/docs/config_entries_config_flow_handler#configuration-via-oauth2