Having other athletes authenticate your app to get more information on their activities

Question

I found this conversation here where a man named John said that he was able to bypass the limitations of the getClubActivitiesById endpoint by having people authenticate his app, allowing him full access to their activity details at the level they authorize.
Is there any validity to this, or do you guys have any ideas as to what this would look like? I don't think that them authenticating your app would give you more access to their activities through the getClubActivitiesById endpoint, given there's a response data limitation there to such few fields. Theoretically, how would I get the extra details? Would I have to use the "List Athlete Activities" endpoint, but that endpoint doesn't have any extra parameters for the request URL?
In an attempt to do this myself, I sent them a link like this:
https://www.strava.com/oauth/authorize?client_id=<myClientId>&response_type=code&redirect_uri=http://localhost/exchange_token&approval_prompt=force&scope=activity:read_all
When they logged in with this link, they were able to authenticate my app by clicking on "Authorize." I then tried testing with the Swagger playground on the endpoint https://developers.strava.com/playground/#/Activities/getActivityById but it failed to retrieve their activities. I also tried the endpoint https://developers.strava.com/playground/#/Athletes/getLoggedInAthlete but of course this just returned my information.
Does the link they use need to have a client ID of their own? I ask because the link I sent them to authenticate my app was my client ID, but I thought that the client ID is associated with my application and thus is needed.

ActivityFix · Accepted Answer

The club endpoints in the Strava API are severely lacking in the information provided since there isn't a unique identifier for the athlete or activity. Unless it is a very small club where every athlete has a unique name you're going to have a difficult or impossible time correlating the data from getClubActivitiesById to any specific athlete. The suggestion made by John in the post you linked is taking a completely different approach and generally ignoring any of the club-specific endpoints. Instead, by having each athlete authorize the app you can get a list of their recent activities (getLoggedInAthleteActivities) and clubs (getLoggedInAthleteClubs) and build your dataset from that information. How you do this will depend on your specific application -- ideally you would use webhooks and process each activity as it comes in, as this would be the most efficient use of your API limits. Alternatively you could periodically call getLoggedInAthleteActivities for each athlete to get their recent activities, ignoring those you have already processed.

To your second question on authenticating athletes, the final part of the oauth flow provides a token and refresh token for the athlete (see https://developers.strava.com/docs/authentication/#tokenexchange). To my knowledge the Swagger playground on Strava will only work for you since the authorize button is authorizing using your logged in account. If you want to get information for another athlete you would need to use their token so you'd need to write your own code to access the API using and pass their token along. There are Strava libraries for most languages so you could use one of those, or another good option for experimenting is to use postman.

reesmonty · Answer

Thank you so much for the reply! This has helped a lot. After playing around and using one of my friends as a guinea pig, I was able to get his activities in my Google App Script (thanks to Postman). The next challenge is using his refresh token to retrieve his constantly-changing (every 6 hours) access token in the script! Let's see how this goes.

Reply

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded