
The Strava OAuth approval page doesn't confirm which athlete is being prompted to authorize an app. This is problematic for at least 2 scenarios:

  1. Multiple Strava athletes share the same device => one athlete could mistakenly provide API access to another (logged-in) Strava account. This scenario leads to obvious data privacy issues.
  2. An athlete has multiple Strava accounts => it is not clear to the athlete which Strava account is being used for the API connection. Again, potential privacy issues due to the wrong data being authorized to the third-party app.

One simple fix could be to show the profile picture and first name of the logged-in Strava account on the OAuth page.

In the applications I've built, I create that confirmation myself. So the steps of the authorization are:

  1. "Connect with Strava" button in my application
  2. Authentication and authorization on the OAuth page
  3. "Confirm account" page in my application, saying something like "Is this you?" and displaying the profile picture and the authenticated user's name
  4. If it is the correct account, go on with whatever you want to do, storing access tokens etc. If it isn't, redirect the user to step 1 and remind them to log out from their Strava account in the current browser.

This strategy has worked really well. I hope it helps, even though you still have to do some of the work you think Strava should do for you 😊
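One way to implement the confirmation step described above, as an added Python example that is not code from the post or from Strava: the OAuth `state` is bound to the session, the tokens from the code exchange are only staged until the user confirms the displayed athlete, and a "not me" answer discards them and restarts at step 1. The authorize URL and the `athlete` summary in the token response are assumptions taken from Strava's public API documentation; the HTTPS exchange itself is injected as a callable so the block runs offline against a constructed sample response.

```python
import secrets
from urllib.parse import urlencode
# Assumption: Strava's authorize endpoint, taken from its public API docs, not from the post.
AUTHORIZE_URL = "https://www.strava.com/oauth/authorize"
LOGOUT_HINT = "Log out of Strava in this browser, then click 'Connect with Strava' again."

# Constructed sample of a token-exchange response; the 'athlete' summary shape is an assumption.
SAMPLE_TOKEN = {
    "access_token": "ACCESS-PLACEHOLDER", "refresh_token": "REFRESH-PLACEHOLDER",
    "expires_at": 1700000000,
    "athlete": {"id": 9001, "firstname": "Ada", "lastname": "Lovelace",
                "profile": "https://example.invalid/ada.jpg"},
}

def start_connect(session, client_id, redirect_uri, scope="read"):
    """Step 1: build the authorize URL and bind a one-time CSRF 'state' to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": scope, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def handle_callback(session, query, exchange_code):
    """Step 2: check state, exchange the code, but only stage the tokens in the session."""
    expected = session.pop("oauth_state", None)   # one-time use
    if not expected or query.get("state") != expected or not query.get("code"):
        return {"error": "missing code or state mismatch", "next": "/connect"}
    token = exchange_code(query["code"])           # caller performs the HTTPS POST
    session["pending"] = token                     # nothing persisted yet
    athlete = token["athlete"]
    return {"prompt": f"Is this you? {athlete['firstname']} {athlete['lastname']}",
            "picture": athlete["profile"]}

def confirm_account(session, is_me, store):
    """Steps 3-4: persist tokens only on 'yes'; on 'no' discard them and restart at step 1."""
    pending = session.pop("pending", None)
    if pending is None or not is_me:
        return {"next": "/connect", "notice": LOGOUT_HINT if pending else None}
    athlete_id = pending["athlete"]["id"]
    store(athlete_id, {k: pending[k] for k in ("access_token", "refresh_token", "expires_at")})
    return {"next": "/dashboard", "athlete_id": athlete_id}

def demo(is_me):
    """Run the whole flow offline with a fake exchange; returns (confirm result, stored dict)."""
    session, stored = {}, {}
    start_connect(session, "CLIENT-ID-PLACEHOLDER", "https://app.example/callback")
    handle_callback(session, {"code": "CODE-PLACEHOLDER", "state": session["oauth_state"]},
                    lambda code: dict(SAMPLE_TOKEN))
    return confirm_account(session, is_me, stored.__setitem__), stored
```

The `store` callable is where a real app would write to its database; note that nothing reaches it until the athlete answers "yes".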


That's a really good idea actually, I wish I'd thought of that back then! (other priorities now...)

