Preventing unwanted users to auth to my app

What exactly are you trying to prevent?

If you want to make sure that only users of your application can use the link, then you should add a state parameter, which can contain, for instance, a random token that you generate within your application.

When Strava redirects to your redirect URI after the user has given permission, this state parameter is added again, so you can match the user that gave permission to your internal user. After this has happened, you invalidate the token in your application. You can do the same when no redirect has taken place within X minutes (15 minutes seems good value). Of course, this does not prevent any users from sharing the URL, but by doing that, they would only give other users permission to link their (those other users) Strava profile to the original users account in your application.

Hi. @ibooij 

What I'm trying to is prevent strangers from trying to use my application. I want them to be able only to authorize my app to Strava if they use the link provided by me. But I see that the `https://www.strava.com/oauth/authorize` only accepts the GET parameters - including state. The state is not a perfect solution, but at least it will limit the possibility of copy&pasting the link to a person that should not be my user. 

Thanks for reply.

In my opinion, you need to guard access to your app yourself. This is not Strava's task. You should then only let users that already have access to your app authorize your app to use their Strava data.

User's that authorize your app to use their Strava data are giving you permission, not the other way around.