Cloudflare Managed Challenge blocks server-side OAuth 1.0 request_token
31 views
Skip to first unread message
Олег
May 8, 2026, 5:06:29 AM (3 days ago) May 8
to fatsecret Platform API
Hi,
Our server-side integration cannot complete the 3-legged OAuth 1.0 flow because https://www.fatsecret.com/oauth/request_token returns HTTP 403 with cf-mitigated: challenge (Cloudflare Managed Challenge), regardless of User-Agent.
Our server-side integration cannot complete the 3-legged OAuth 1.0 flow because https://www.fatsecret.com/oauth/request_token returns HTTP 403 with cf-mitigated: challenge (Cloudflare Managed Challenge), regardless of User-Agent.
- Server IP: 83.166.247.212 (already whitelisted in our app's API access list) - Endpoint: POST https://www.fatsecret.com/oauth/request_token
- Sample cf-ray: 9f866fe358bf4c8c-MAD - Response: 403 + JS-challenge HTML
- Sample cf-ray: 9f866fe358bf4c8c-MAD - Response: 403 + JS-challenge HTML
The platform API at platform.fatsecret.com works fine (not behind CF). Only the OAuth 1.0 endpoints on www.fatsecret.com are blocked.
Could you whitelist our server IP at the Cloudflare layer for /oauth/* endpoints, or recommend the supported server-side flow for connecting an existing FatSecret user account? OAuth 2.0 is client_credentials only and cannot access user-scoped endpoints.
seba...@fatsecret.com
May 8, 2026, 7:41:42 AM (3 days ago) May 8
to fatsecret Platform API
To better secure OAuth 2.0
we have implemented IP Restrictions, which 'white list' IP
Addresses for a given client Key/Secret.
We block requests to fatsecret API for a Key/Secret if the source IP is not white listed. Before releasing these IP ranges we allowed only 15 specific IP addresses, now we allow up to 15 ranges of IP addresses in your account under "Manage API Keys".
Example: 0.0.0.0/0 => is a range that allows any IPV4 (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) which would be seemingly more appropriate for your use case described above
For Mobile apps we would recommend using an API proxy server to avoid Mobile Apps communicating directly with fatsecret APIs.
This proxy should be responsible for:
- Managing the validity / renewal of your OAuth 2.0 access tokens
- Forwarding any fatsecret related requests to fatsecret APIs
Please avoid having your client's credentials part of your Mobile App source code / configuration.
We block requests to fatsecret API for a Key/Secret if the source IP is not white listed. Before releasing these IP ranges we allowed only 15 specific IP addresses, now we allow up to 15 ranges of IP addresses in your account under "Manage API Keys".
Example: 0.0.0.0/0 => is a range that allows any IPV4 (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) which would be seemingly more appropriate for your use case described above
For Mobile apps we would recommend using an API proxy server to avoid Mobile Apps communicating directly with fatsecret APIs.
This proxy should be responsible for:
- Managing the validity / renewal of your OAuth 2.0 access tokens
- Forwarding any fatsecret related requests to fatsecret APIs
Please avoid having your client's credentials part of your Mobile App source code / configuration.
Олег
May 8, 2026, 11:34:37 PM (2 days ago) May 8
to fatsecret-p...@googlegroups.com
Hi James,
Thanks for the response, but I think there's a misunderstanding —
the issue is not OAuth 2.0 IP restrictions.
The block is happening at the Cloudflare edge layer, BEFORE the
request ever reaches your API. Cloudflare returns HTTP 403 with
"cf-mitigated: challenge" and a JS challenge HTML page directly,
without forwarding the request to FatSecret's backend at all.
Your OAuth 2.0 IP whitelist (which I have already set wide open)
operates at a different layer — it cannot affect requests that
Cloudflare blocks upstream.
Two clarifications:
1. We're using OAuth 1.0 3-legged (request_token / authorize /
access_token), not OAuth 2.0. The OAuth 2.0 IP whitelist in
"Manage API Keys" does not apply to this flow.
2. Only www.fatsecret.com/oauth/* is behind Cloudflare and blocks
server-side clients. platform.fatsecret.com (the REST API) is
on AWS without Cloudflare and works fine — including from our
server with no special configuration.
Concrete repro from our server (any User-Agent, any TLS fingerprint,
including curl-impersonate-chrome):
$ curl -X POST https://www.fatsecret.com/oauth/request_token
HTTP/2 403
cf-mitigated: challenge
server: cloudflare
cf-ray: 9f86843b7c3ee5dc-HEL
This breaks server-side 3-legged OAuth 1.0 entirely, because
request_token must be obtained from the server (consumer_secret
cannot be exposed to the browser).
Could you either:
(a) whitelist our server IP 83.166.247.212 at the Cloudflare
layer for /oauth/* endpoints on www.fatsecret.com, or
(b) confirm the supported server-side flow for connecting an
existing FatSecret user account given that:
- OAuth 2.0 client_credentials cannot access user-scoped
endpoints (food_entries.get, weight.get_month),
- OAuth 1.0 request_token is unreachable from any server.
Forwarding to your platform/infrastructure team would help — this
is a Cloudflare configuration question, not an OAuth credentials
question.
Thanks,
Oleg
Thanks for the response, but I think there's a misunderstanding —
the issue is not OAuth 2.0 IP restrictions.
The block is happening at the Cloudflare edge layer, BEFORE the
request ever reaches your API. Cloudflare returns HTTP 403 with
"cf-mitigated: challenge" and a JS challenge HTML page directly,
without forwarding the request to FatSecret's backend at all.
Your OAuth 2.0 IP whitelist (which I have already set wide open)
operates at a different layer — it cannot affect requests that
Cloudflare blocks upstream.
Two clarifications:
1. We're using OAuth 1.0 3-legged (request_token / authorize /
access_token), not OAuth 2.0. The OAuth 2.0 IP whitelist in
"Manage API Keys" does not apply to this flow.
2. Only www.fatsecret.com/oauth/* is behind Cloudflare and blocks
server-side clients. platform.fatsecret.com (the REST API) is
on AWS without Cloudflare and works fine — including from our
server with no special configuration.
Concrete repro from our server (any User-Agent, any TLS fingerprint,
including curl-impersonate-chrome):
$ curl -X POST https://www.fatsecret.com/oauth/request_token
HTTP/2 403
cf-mitigated: challenge
server: cloudflare
cf-ray: 9f86843b7c3ee5dc-HEL
This breaks server-side 3-legged OAuth 1.0 entirely, because
request_token must be obtained from the server (consumer_secret
cannot be exposed to the browser).
Could you either:
(a) whitelist our server IP 83.166.247.212 at the Cloudflare
layer for /oauth/* endpoints on www.fatsecret.com, or
(b) confirm the supported server-side flow for connecting an
existing FatSecret user account given that:
- OAuth 2.0 client_credentials cannot access user-scoped
endpoints (food_entries.get, weight.get_month),
- OAuth 1.0 request_token is unreachable from any server.
Forwarding to your platform/infrastructure team would help — this
is a Cloudflare configuration question, not an OAuth credentials
question.
Note: per your IP restrictions tooling on our account tier
(single IPs only, CIDR requires Premier), our server IP
83.166.247.212 is already explicitly whitelisted. The 403 we
see is from Cloudflare upstream, not from your API IP filter.
(single IPs only, CIDR requires Premier), our server IP
83.166.247.212 is already explicitly whitelisted. The 403 we
see is from Cloudflare upstream, not from your API IP filter.
Thanks,
Oleg
пт, 8 мая 2026 г. в 14:41, 'seba...@fatsecret.com' via fatsecret Platform API <fatsecret-p...@googlegroups.com>:
--
You received this message because you are subscribed to the Google Groups "fatsecret Platform API" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fatsecret-platfor...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/fatsecret-platform-api/bdbe9c2c-dc98-4222-a79f-c70709fb5529n%40googlegroups.com.
Олег
May 8, 2026, 11:35:02 PM (2 days ago) May 8
to fatsecret Platform API
Reply all
Reply to author
Forward
0 new messages