Preventing unwanted users to auth to my app

SzymonWo
Shkhara

I would like to prevent unwanted users from authorizing my application.
1. Is there a way I could POST some headers/data during authorization to "https://www.strava.com/oauth/authorize", like client_id?
2. The use case is that I don't want users to share an auth link like: "https://www.strava.com/oauth/authorize?client_id=99999&redirect_uri=https://mysecretwebpage.org&resp...
3. I just want users to be able to authorize my app only when clicking a link from my webpage. This would act as a protection against copy&pasting the link.

Thanks.

3 REPLIES

SzymonWo
Shkhara

Hi. @ibooij 

What I'm trying to do is prevent strangers from trying to use my application. I want them to be able to authorize my app to Strava only if they use the link provided by me. But I see that `https://www.strava.com/oauth/authorize` only accepts the GET parameters, including state. The state is not a perfect solution, but at least it will limit the possibility of copy&pasting the link to a person that should not be my user.

Thanks for the reply.

In my opinion, you need to guard access to your app yourself. This is not Strava's task. You should then only let users that already have access to your app authorize your app to use their Strava data.

Users that authorize your app to use their Strava data are giving you permission, not the other way around.

ibooij
Pico de Orizaba

What exactly are you trying to prevent?

If you want to make sure that only users of your application can use the link, then you should add a state parameter, which can contain, for instance, a random token that you generate within your application.

When Strava redirects to your redirect URI after the user has given permission, this state parameter is added again, so you can match the user that gave permission to your internal user. After this has happened, you invalidate the token in your application. You can do the same when no redirect has taken place within X minutes (15 minutes seems a good value). Of course, this does not prevent any users from sharing the URL, but by doing that, they would only give other users permission to link their (those other users') Strava profile to the original user's account in your application.
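The state-token flow described in this answer, as an added example that is not part of the original post and not Strava's or any project's own code. It assumes a hypothetical in-memory store (a real app would use its session store or database), a 15-minute lifetime, and single-use tokens; the `response_type=code` and `scope` query parameters are from Strava's documented authorize endpoint rather than from this thread. The logic is the same for any OAuth provider's `state` parameter.

```python
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

STRAVA_AUTHORIZE_URL = "https://www.strava.com/oauth/authorize"
STATE_TTL_SECONDS = 15 * 60  # the 15-minute window suggested in the answer


class OAuthStateStore:
    """Hypothetical store of pending state tokens, keyed by token.

    Each entry records which internal user the token was issued to and when,
    so the callback can be matched back to that user, used only once, and
    rejected once it has expired.
    """

    def __init__(self, ttl: float = STATE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable for testing
        self._pending: dict[str, tuple[str, float]] = {}

    def issue(self, internal_user_id: str) -> str:
        """Generate a random, unguessable token and bind it to a logged-in user."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[token] = (internal_user_id, self.clock())
        return token

    def consume(self, token: str) -> Optional[str]:
        """Return the bound user id if the token is known and fresh, else None.

        The token is removed on first use, so a replayed or shared callback URL
        cannot be redeemed a second time.
        """
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        user_id, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return None  # redirect did not happen within the allowed window
        return user_id

    def purge_expired(self) -> int:
        """Drop tokens whose window has passed; returns how many were removed."""
        now = self.clock()
        stale = [t for t, (_, at) in self._pending.items() if now - at > self.ttl]
        for t in stale:
            del self._pending[t]
        return len(stale)


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        scope: str = "read") -> str:
    """Build the link the app shows to an already-authenticated user."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }
    return STRAVA_AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(store: OAuthStateStore, query: dict) -> Optional[str]:
    """Process the redirect back from Strava.

    Returns the internal user id the authorization belongs to, or None if the
    state is missing, unknown, already used, or expired. Only on success would
    the app exchange `query["code"]` for tokens and attach them to that user.
    """
    state = query.get("state")
    code = query.get("code")
    if not state or not code:
        return None
    return store.consume(state)


if __name__ == "__main__":
    store = OAuthStateStore()
    # Constructed sample flow: a logged-in user clicks the link on our site.
    tok = store.issue("user-42")
    print(build_authorize_url("99999", "https://app.example/callback", tok))
    # Strava redirects back with the same state (code value is constructed).
    print(handle_callback(store, {"state": tok, "code": "deadbeef"}))  # user-42
    print(handle_callback(store, {"state": tok, "code": "deadbeef"}))  # None, single use
```

Because the token is bound to the internal user who clicked the link, a copied URL redeemed by someone else only links that stranger's Strava profile to the original user's account, exactly the residual risk the answer describes; it never creates a new account in the app.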
