Skip to main content

I'm working on a browser-based app using the Strava API that I hope to eventually make publicly available. Originally, I was planning on having all of the communication take place in Javascript in the user's browser. However, since the POST that exchanges the auth code for an access token requires the client secret, so far I have needed to hard-code my client secret in the browser-side JS.

This doesn't seem secure, but I'm not sure what the easiest method to secure it is. My first thought was to host a separate API to retrieve access tokens. Once the browser gets an auth code back from Strava, it sends it to the API, and the API talks to Strava to exchange the code for a token, and then sends the token back to the browser.

This seems a little convoluted, and even more so if I would need to implement TLS on my new API to secure that communication channel. Is there another recommended way to keep my client secret secure?

For applications running solely in the browser, the implicit flow is the way to go, but that's not supported by the Strava API AFAIK.

Please have a look at this SO thread about the same question: https://stackoverflow.com/questions/51324567/oauth2-how-to-authorize-without-client-secret


Reply