Skip to main content

Hi all,

Pretty new to all this and hit a road block: I don't understand how I authorize other users via Oauth and get their access and refresh tokens.

I've done that step for myself using 'https://developers.strava.com/docs/getting-started/' Which had me to go to settings/api and manually copy my client ID and client secret. How does this process work for other users? This is likely a lack of knowledge on my part on webhooks or environment variables or something, and if this is the case, please just throw out the right words and I'll google them.

So far where I'm at: my code is hosted on a server and I can fetch my own activities from Strava API. I understand that I'll need to redirect users to 'https://www.strava.com/oauth/authorize', but I don't know how to do that and pass along their client id and client secret if I don't (and shouldn't) have that info. 

Thanks,
Talisman

Try this page and see if it helps - https://developers.strava.com/docs/authentication/

In short, your client ID and secret are what identify your app. The authorize URL is the same for everyone using your app, it contains your client ID and the scopes you are requesting (steps 1 & 2 in the flowchart). The person authorizing your app will see the screen asking for permissions with an authorize button. Remember they are logged in to their Strava account and the authorize URL is hosted by Strava, so it knows who they are.

Once the user clicks the authorize button (step 3), Strava will send your server a code (to the redirect_uri you provided in the authorize URL) which you exchange for a token using your client secret (on the page you linked, this is steps 9-11). You will get back 2 tokens - an auth_token and a refresh_token. The auth token will allow you to perform API calls on behalf of that user until it expires. At that point you either need to have them authorize again, or use the refresh token to get a new auth token.


Thank you, I was able to make it one step further thanks to your help. For anyone in my shoes who might be struggling, this is how I was able to get the code from the Strava Oauth2, using Javascript.

window.location.href = window.location.href = "https://www.strava.com/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=YOURWEBSITE/&response_type=code&scope=activity:read_all";

Note: it's bad practice to directly input your client ID, I'm still trying to figure out the right way. Something to do with server environment variables. 

Anyways, this redicrects the user to the authenticator, hopefully they accept, then the authenticator service returns to your website and now the needed code is in the URL. To access this, you can use 
const qs = new URLSearchParams(window.location.search);
authCode=qs.get('code');

And now you'll have all the information needed to do a fetch post request to Strava for the auth_token and refresh_token. Of course, I am stuck on some CORS issue, but that's a different issue. 

Thank you again for your help.


Reply