2 Oauth authorization in Python


Bavo Denys

Apr 18, 2020, 9:19:47 AM
to Strava API
Hi

I recently started exploring the Strava API in Python. I wrote a Python function for the user authentication (see code below). After the user grants access, the user is redirected to a webpage that looks like this: "https://www.example.com/?state=&code=2e13479f9b02c63770723f2c88328858977ecfb9&scope=read,activity:read_all" (I have set the redirect URL to "https://www.example.com" in the Strava API settings). The user copies the code and access is granted. I'm not planning to make a web application, I'm planning to make a small computer application to share with my friends. But I want to automate the part of manually copying the "code". Who can help me with this? Which Python libraries should I have a closer look at? Thanks!!

# Strava authentication process
import webbrowser
from urllib.parse import urlencode

import requests

def strava_authentication(self):
    param = {
        'client_id': self.client_id,
        'redirect_uri': self.redirect_uri,
        'approval_prompt': 'auto',
        'response_type': 'code',
        'scope': 'activity:read_all'
    }
    # Make authentication url
    url = "https://www.strava.com/oauth/authorize?" + urlencode(param)
    # Open webbrowser
    webbrowser.get().open(url)
    # User needs to approve access and copy code
    # Example of code: 'd4ffc7c2c190d1b8db88037a5d25a2b63ece2ae8'
    code = input('Input the code here: ').strip()
    payload = {
        'client_id': self.client_id,
        'client_secret': self.client_secret,
        'code': code,
        'grant_type': 'authorization_code'
    }
    # Request for a new more "permanent" access token.
    # Sent as a form body (data=) so the client secret is not part of the URL.
    response = requests.post("https://www.strava.com/oauth/token", data=payload)
    response.raise_for_status()
    self.access_token = response.json()['access_token']

Brad King

Apr 27, 2020, 3:57:51 PM
to Strava API
I'm keeping tabs on this thread because I had a Python script for my own personal use and since they went to OAuth I haven't updated it because I'm having the same issue. I'd like to run my Python script every evening unattended.

Nick Steel

Apr 27, 2020, 4:26:28 PM
to Strava API
Providing you run it once attended, and take that opportunity to store the two tokens and expiry time (in a file or whatever), you can then run it every night afterwards completely unattended. Only the initial authorization requires user input. And if you don't want to spend time writing any code to handle that initial oauth, use stravalib which provides everything you need to just use the API.

Nick

Brad King

Apr 27, 2020, 4:53:21 PM
to Strava API
Thanks for the great info Nick.

Daniel D.

Apr 27, 2020, 6:44:01 PM
to Brad King, Strava API
Note that you'll have to store the new token as a result of the execution. I am doing this in Travis CI, https://github.com/dblock/run.dblock.org/blob/gh-pages/_lib/strava.rb

The migration for OAuth apps made total sense, but for applications that don't require interaction this is both annoying, and less secure for two reasons.

1) The application now needs to store a client ID and secret at runtime in order to obtain a refreshed access token. Before it only stored a single long lived access token.
2) The developer is forced to store the refresh token in potentially less secure ways and is now required to store an updated refresh token at “runtime” after obtaining an access token.

I think the Strava developer UI should just let you create a long lived personal access token with any given scope that can be revoked from the same UI, which is what the GitHub API allows for non-interactive apps. Storing that token would be more secure than having to store a client ID and secret.
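
The unattended pattern discussed in the two posts above (store the tokens and expiry once, then refresh and re-save on later runs), as an added example that is not code from any poster in this thread. The file layout, the function names and the `post` parameter (pass `requests.post`) are assumptions of this sketch.

```python
import json
import os
import tempfile
import time

TOKEN_URL = "https://www.strava.com/oauth/token"

def save_tokens(path, tokens):
    """Atomically replace the token file; mkstemp creates it owner-only (0600)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(tokens, fh)
        os.replace(tmp, path)  # readers never see a half-written file
    except BaseException:
        os.unlink(tmp)
        raise

def get_access_token(path, client_id, client_secret, post, now=time.time, skew=300):
    """Return a valid access token, refreshing and re-saving it when near expiry.

    `post` is the HTTP POST callable, e.g. requests.post (assumed installed).
    """
    with open(path) as fh:
        tokens = json.load(fh)
    if tokens["expires_at"] - skew > now():
        return tokens["access_token"]  # still valid, no network call
    reply = post(TOKEN_URL, data={  # form body keeps the secret out of the URL
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": tokens["refresh_token"],
    })
    reply.raise_for_status()
    body = reply.json()
    # The reply can carry a new refresh token; store it before using the
    # access token, or the next unattended run may hold a stale one.
    fresh = {k: body[k] for k in ("access_token", "refresh_token", "expires_at")}
    save_tokens(path, fresh)
    return fresh["access_token"]
```

Read the client ID and secret from the environment or a secrets store when calling `get_access_token`, and seed the token file once from the attended authorization run.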



Victoria Jackson

Jun 1, 2020, 9:33:45 AM
to Strava API
I've been using the authlib library (https://docs.authlib.org/en/stable/) to authenticate with Strava. You could look into this. Admittedly, I've been using it in the context of a Flask-based application.

There is a function called refresh_token in the OAuth2Session class that can help you refresh a previous token. The below code snippet shows this function in use to refresh a previously received token that has expired. This is working for me as I'm subsequently able to call the APIs with this token in order to get the data I require. 

import flask
from authlib.integrations.requests_client import OAuth2Session

# strava_athlete is the application's own stored record for the athlete
my_token = {'refresh_token': strava_athlete.refresh_token,
            'access_token': strava_athlete.access_token,
            'expires_at': strava_athlete.access_token_expires_at,
            'expires_in': strava_athlete.access_token_expires_in}
# Debug output: this prints live tokens, remove it outside local testing
print("existing token", my_token)
oauth_session = OAuth2Session(flask.current_app.config['STRAVA_CLIENT_ID'],
                              flask.current_app.config['STRAVA_CLIENT_SECRET'],
                              authorization_endpoint=flask.current_app.config['STRAVA_CLIENT_DOMAIN'] + '/oauth/authorize',
                              token_endpoint=flask.current_app.config['STRAVA_CLIENT_DOMAIN'] + '/oauth/token',
                              token=my_token,
                              grant_type='refresh_token')
# Exchange the stored refresh token for a new token
new_token = oauth_session.refresh_token(
    url=flask.current_app.config['STRAVA_CLIENT_DOMAIN'] + '/oauth/token',
    client_id=flask.current_app.config['STRAVA_CLIENT_ID'],
    client_secret=flask.current_app.config['STRAVA_CLIENT_SECRET'])

Bavo Denys

Jun 14, 2020, 3:02:56 AM
to Strava API
Thanks Victoria!! I'm using a Flask based application as well now and it works!  


Victoria Jackson

Jun 15, 2020, 12:47:34 PM
to Strava API
Glad to hear it. When I get a mo, I will put up an example Flask app on GitHub to show this works. I've got the basics of:
  • initial authentication with Strava where a user approves access to the app
  • submitting an activity including refreshing the token where necessary
  • registering the Strava hooks and callback function
Python, Flask and the OAuth library make this pretty easy.

zaurelzo

Oct 3, 2021, 1:11:09 PM
to Strava API
Hi Everyone,
Can someone please provide working code for the initial authentication with Strava? I have a custom Python script that I use to upload my bike activities to Strava and I am tired of manually retrieving the initial token.
Thank you for your help.
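
One way to capture the `code` without copy and paste, for the desktop-script case raised in the first post and in the request above: a one-shot listener on the loopback interface that checks `state` before accepting the redirect. This is an added example, not code from any poster; the `/callback` path and function names are assumptions, and it assumes Strava accepts `http://127.0.0.1:<port>` as a redirect URI for your app.

```python
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

def build_authorize_url(client_id, port, state, scope="activity:read_all"):
    return "https://www.strava.com/oauth/authorize?" + urlencode({
        "client_id": client_id,
        "redirect_uri": f"http://127.0.0.1:{port}/callback",  # assumed path
        "response_type": "code",
        "approval_prompt": "auto",
        "scope": scope,
        "state": state,  # ties the redirect to this run of the script
    })

def parse_callback(request_path, expected_state):
    """Return the authorization code from the redirect, or raise ValueError."""
    parts = urlsplit(request_path)
    query = parse_qs(parts.query)
    if parts.path != "/callback":
        raise ValueError("unexpected path")
    got_state = query.get("state", [""])[0]
    if not secrets.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in query or "code" not in query:
        raise ValueError("authorization was not granted")
    return query["code"][0]

def authorize(client_id, open_browser=webbrowser.open):
    state = secrets.token_urlsafe(16)
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, state)
                status, text = 200, b"Authorized. You can close this tab."
            except ValueError:
                status, text = 400, b"Authorization failed."
            self.send_response(status)
            self.end_headers()
            self.wfile.write(text)
        def log_message(self, *args):  # keep the code out of console logs
            pass
    # Port 0 = any free port; bind to loopback only, never 0.0.0.0.
    with HTTPServer(("127.0.0.1", 0), Handler) as server:
        open_browser(build_authorize_url(client_id, server.server_port, state))
        while "code" not in result:
            server.handle_request()
    return result["code"]
```

`authorize()` keeps waiting until a valid callback arrives, so interrupt it if consent is denied; the returned code is then exchanged at the token endpoint as in the first post.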

Christian Matthees

Nov 9, 2021, 8:45:10 AM
to Strava API
Hi Victoria,

did you already put up an example Flask app on Github?

Best,
Christian