I would like to prevent unwanted users to auth to my application.
1. Is there a way I could POST some headers/data during authorization to "https://www.strava.com/oauth/authorize" like client_id?
2. The use case is that I don't want users to share auth link like: "https://www.strava.com/oauth/authorize?client_id=99999&redirect_uri=https://mysecretwebpage.org&response_type=code&scope=activity:read_all"
3. I just want the users to be possible to auth to my app when clicking a link from my webpage. This would act as a protection from copy&pasting the link.
Thanks.
What exactly are you trying to prevent?
If you want to make sure that only users of your application can use the link, then you should add a state parameter, which can contain, for instance, a random token that you generate within your application.
When Strava redirects to your redirect URI after the user has given permission, this state parameter is added again, so you can match the user that gave permission to your internal user. After this has happened, you invalidate the token in your application. You can do the same when no redirect has taken place within X minutes (15 minutes seems good value). Of course, this does not prevent any users from sharing the URL, but by doing that, they would only give other users permission to link their (those other users) Strava profile to the original users account in your application.
Hi. @ibooij
What I'm trying to is prevent strangers from trying to use my application. I want them to be able only to authorize my app to Strava if they use the link provided by me. But I see that the `https://www.strava.com/oauth/authorize` only accepts the GET parameters - including state. The state is not a perfect solution, but at least it will limit the possibility of copy&pasting the link to a person that should not be my user.
Thanks for reply.
In my opinion, you need to guard access to your app yourself. This is not Strava's task. You should then only let users that already have access to your app authorize your app to use their Strava data.
User's that authorize your app to use their Strava data are giving you permission, not the other way around.
Reply
Login to the community
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.