Strava API Authorization Bug

Scott Robertson

unread,

Jan 11, 2014, 6:23:36 PM1/11/14

to strav...@googlegroups.com

Hi everyone,

I emailed devel...@strava.com regarding this, but I thought I would try my chances here as well:

Basically, Strava will always request for a user to authorizate an app if the "scope" is "write".

For example, if I am logged in to Strava, and then go to the following URL:

"https://www.strava.com/oauth/authorize?client_id=9&redirect_uri=http://google.com&response_type=code"

It will go straight to "http://google.com" with the code, since I have already authorized this app for my account.

However, if I attempt to navigate to the same URL, but with the "scope" set to "write":

"https://www.strava.com/oauth/authorize?client_id=9&redirect_uri=http://google.com&response_type=code&scope=write"

Then I am asked to authorize this app every single time, even if I have authorized it previously.

Obviously, I do not want to have to ask users to authorize my app every time they want to use it, it should really remember their previous setting.

Any ideas?

Thanks everyone,

Scott

Paul Mach

unread,

Jan 11, 2014, 7:24:27 PM1/11/14

to Scott Robertson, strav...@googlegroups.com

Hi Scott,

Maybe I'm misunderstanding you, but I'm having trouble duplicating what you're saying. Here are the links from an old website I used to test this. Ignore the website, just see if the auth works. I'll have to setup a test app somewhere to make this kind of thing easier in the future.

Ask and authorize "public" permission (no force):

https://www.strava.com/oauth/authorize?client_id=5&response_type=code&redirect_uri=http://x.raceshape.com/token_exchange.php

Ask and authorize "write" permission (no force);

https://www.strava.com/oauth/authorize?client_id=5&response_type=code&redirect_uri=http://x.raceshape.com/token_exchange.php&scope=write

Both of these should ask for permission the first time, and just redirect you the second time (if you authorize, of course). Note that the app has to complete the exchange for permission to be logged as granted.

Am I understanding correctly?

Dr. Paul Mach

STRAVA

--
You received this message because you are subscribed to the Google Groups "Strava API" group.
To unsubscribe from this group and stop receiving emails from it, send an email to strava-api+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Scott Robertson

unread,

Jan 11, 2014, 10:27:17 PM1/11/14

to strav...@googlegroups.com

Hi Paul,

For some reason, your example is working perfectly. But when I try and do the same for my app, I am asked for authorization every time if I set scope to write.

The exact URL for my application is:

https://www.strava.com/oauth/authorize?client_id=585&redirect_uri=http://google.com&response_type=code&scope=write

Are you able to login to strava using a test account and try for yourself?

If you are hesitant to authorise my app, the same problem happens if you try and use the example URL provided from the api doco:

https://www.strava.com/oauth/authorize?client_id=9&response_type=code&redirect_uri=http://localhost/token_exchange&scope=write

Any reason you can think of why yours work but these two always ask for authorisation?

Thanks for your help!

Paul Mach

unread,

Jan 12, 2014, 1:32:07 AM1/12/14

to Scott Robertson, strav...@googlegroups.com

The app must complete the token exchange (http://strava.github.io/api/v3/oauth/#post-token) before the permission fully granted.

Dr. Paul Mach

STRAVA

Scott Robertson

unread,

Jan 12, 2014, 4:09:18 AM1/12/14

to strav...@googlegroups.com

Oh. Of course. Thank you so much for your help everyone! I have authorisation working, now onto the upload api

Reply all

Reply to author

Forward