11-16-2023 05:31 PM
I'm working on a browser-based app using the Strava API that I hope to eventually make publicly available. Originally, I was planning on having all of the communication take place in JavaScript in the user's browser. However, since the POST that exchanges the auth code for an access token requires the client secret, so far I have needed to hard-code my client secret in the browser-side JS.
This doesn't seem secure, but I'm not sure what the easiest method to secure it is. My first thought was to host a separate API to retrieve access tokens. Once the browser gets an auth code back from Strava, it sends it to the API, and the API talks to Strava to exchange the code for a token, and then sends the token back to the browser.
This seems a little convoluted, and even more so if I would need to implement TLS on my new API to secure that communication channel. Is there another recommended way to keep my client secret secure?
11-30-2023 02:38 AM
For applications running solely in the browser, the implicit flow is the way to go, but that's not supported by the Strava API AFAIK.
Please have a look at this SO thread about the same question: https://stackoverflow.com/questions/51324567/oauth2-how-to-authorize-without-client-secret