Xamarin MAUI and WebAuthenticator


Eric Hourant

Mar 3, 2022, 3:53:03 AM
to Strava API

In Xamarin.Maui, I’m trying to access Strava with OAuth2.

The procedure is to request an access code and then exchange this code for a token. This token is used for retrieving all the data needed from my Strava account.

To get the access code, I’m using the WebAuthenticator:

string cUrl = "https://www.strava.com/api/v3/oauth/authorize";

var authURL = new Uri(
                cUrl +
                "?client_id=" + clientId +
                "&redirect_uri=" + new Uri("myredirect_URI ") +
                "&response_type=code" +
                "&approval_prompt=auto" +
                "&scope=read,read_all,profile:read_all,activity:read_all");

var callbackUrl = new Uri("my_callback_url ");

WebAuthenticatorResult r = await Microsoft.Maui.Essentials.WebAuthenticator.AuthenticateAsync(authURL, callbackUrl);

It’s quite easy and I receive the proper access code. Then I exchange it for a token and everything runs smoothly.

The first time this code is run, the browser opens Strava’s website and asks for my user name and password to log in to my Strava account (this is the normal procedure). Then the control is given back to my app with the requested access code.

The problem is when I run the same code a second time, the browser doesn’t open anymore on Strava’s website for login. But the control is given back to my app with a proper access code.

To get back my Strava login screen, I have to uninstall my app on my mobile and reinstall and run it again.

With the « old » Xamarin (pre-Maui), I have been successfully using OAuth2Authenticator.

Does anybody have an idea about this problem?

TIA

Eric

Ben Coomes

Mar 3, 2022, 4:04:27 PM
to Strava API
Yes, this is the expected behavior for the 'auto' value of 'approval_prompt'. If you want to display the authorization page every time, even when already authorized, then set it to 'force'. 

https://developers.strava.com/docs/authentication/#details-about-requesting-access

Eric Hourant

Mar 4, 2022, 3:22:09 AM
to Strava API

Hello Ben,

Thanks for your answer but I do not think it’s the solution.

AFAIK, there are two phases in the identification process. The first phase is the login process (authenticate) that gives access to the user data in Strava. The other phase is the authorization access that gives the right to the app to connect to Strava.

In summary: the login is related to the user and the authorization to the app.

The user must give a login and a password to access its data.

The app must give a client_id (it’s the app id given by Strava), an approval_code, … to be authorized by Strava. This authorization is « forever » (at least until a deauthorize).

With approval_code=force, the authorization is asked every time the code is run and that’s not what we want.

I just want the user login process (authentication) to be launched when I want.

The user login and the app authorization screens:

[Two screenshots attached: Screenshot_20220304-091235[1].jpg, Screenshot_20220304-085058_Chrome[1].jpg]


Eric

Ben Coomes

Mar 6, 2022, 9:15:24 PM
to Strava API
Ah, 

My bad Eric, I didn't realize you wanted the user to authenticate with Strava every time. I suspect that after you log in the first time, the browser/app is caching your credentials from Strava and bypassing the login page on the second go round. I'm not sure I agree with your definitions of authorization and authentication though.

> The first phase is the login process (authenticate) that gives access to the user data in Strava.

- Authentication is really just the user logging in to Strava - proving that they are a particular person, likely by providing a username and password. It has nothing to do with your app at all.

> The other phase is the authorization access that gives the right to the app to connect to Strava.

- This is true in a sense, but more specifically authorization grants your app the rights (scopes) which it has requested in respect to the authenticated user. If your app requests write:activity scope, then when a Strava user (who must be authenticated, of course) authorizes your app, your app will be able to get an access token allowing it to write to that user's activities (and only write to that user's activities). Your app having the right to connect to Strava is really done when you complete registration, and that's what your app's client id and client secret allow.

> I just want the user login process (authentication) to be launched when I want.

Why do you want to control that? Your app will get an authorization token just the same, no matter if the user already has an authenticated session with Strava or not.
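
An added example, not part of the thread and not Strava's or Microsoft's code: one way to build the authorization request from the first post so that `approval_prompt` can be switched between `auto` and `force` with every parameter URL-encoded, and to check the redirect before the code is exchanged. The class and method names are hypothetical; the `state` parameter and the `scope` and `error` values in the redirect come from Strava's authentication documentation rather than from this thread, and the callback dictionary is assumed to hold the decoded query parameters of the redirect (for example `WebAuthenticatorResult.Properties`).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class StravaAuthRequest // hypothetical helper, not from the thread
{
    // Endpoint and scopes exactly as used in the first post.
    const string AuthorizeUrl = "https://www.strava.com/api/v3/oauth/authorize";
    static readonly string[] Scopes = { "read", "read_all", "profile:read_all", "activity:read_all" };

    // Random per-request value; the server echoes it back in the redirect.
    public static string NewState() => Convert.ToHexString(RandomNumberGenerator.GetBytes(16));

    // forcePrompt=false -> approval_prompt=auto  (consent page skipped if already authorized)
    // forcePrompt=true  -> approval_prompt=force (consent page shown on every request)
    public static Uri Build(string clientId, string redirectUri, string state, bool forcePrompt)
    {
        var query = new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["redirect_uri"] = redirectUri,
            ["response_type"] = "code",
            ["approval_prompt"] = forcePrompt ? "force" : "auto",
            ["scope"] = string.Join(",", Scopes),
            ["state"] = state,
        };
        return new Uri(AuthorizeUrl + "?" + string.Join("&",
            query.Select(kv => kv.Key + "=" + Uri.EscapeDataString(kv.Value))));
    }

    // Validates the redirect's query parameters and returns the code, or throws.
    public static string ReadCode(IReadOnlyDictionary<string, string> callback, string expectedState)
    {
        if (callback.TryGetValue("error", out var error))
            throw new InvalidOperationException("Authorization refused: " + error);
        callback.TryGetValue("state", out var state);
        if (!CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(state ?? ""), Encoding.UTF8.GetBytes(expectedState)))
            throw new InvalidOperationException("state mismatch: redirect does not belong to this request");
        var granted = callback.TryGetValue("scope", out var s) ? s.Split(',') : Array.Empty<string>();
        var missing = Scopes.Except(granted).ToArray();
        if (missing.Length > 0)
            throw new InvalidOperationException("Scopes not granted: " + string.Join(",", missing));
        return callback.TryGetValue("code", out var code) && code.Length > 0
            ? code : throw new InvalidOperationException("No authorization code in callback");
    }
}
```

Neither `approval_prompt` value affects whether the Strava login page appears; that depends on the session the browser already holds, as discussed in the replies above.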
