The authentication process with the Strava API on mobile platforms can vary slightly depending on the operating system (Android vs. iOS) due to the guidelines and policies set by the App Store and Google Play Store. This article explains how to implement the mobile authentication flow on Android and iOS, detailing OAuth mobile, access tokens, and how to redirect users to either the Strava mobile app or the web version depending on whether the app is installed.
Mobile OAuth for Strava
OAuth is the protocol used for user authentication when integrating with third-party services like Strava. However, there are specific parameters and limitations associated with OAuth mobile:
Access Tokens:
OAuth mobile supports short-lived access tokens and refresh tokens. Permanent access tokens are not supported.
Strava App Version Requirements:
To use OAuth mobile, users must have version 75.0 or later of the Strava app installed.
Redirection for Users Without the App:
Users who do not have the Strava app installed or have an outdated version will be redirected to the Strava mobile web version to complete the authentication process.
Authentication Flow on Android
On Android, applications can use an implicit Intent to redirect users to the Strava authentication flow. If the user has the Strava app installed, it will automatically open. If not, the authentication flow will continue on the web.
Sample Code for Android
import android.content.Intent
import android.net.Uri

// Call from an Activity. Build the Strava mobile authorization URL.
val intentUri = Uri.parse("https://www.strava.com/oauth/mobile/authorize")
    .buildUpon()
    .appendQueryParameter("client_id", "1234321")
    .appendQueryParameter("redirect_uri", "https://www.yourapp.com")
    .appendQueryParameter("response_type", "code")
    .appendQueryParameter("approval_prompt", "auto")
    .appendQueryParameter("scope", "activity:write,read")
    .build()

// Implicit intent: opens the Strava app if it is installed, otherwise the web flow.
val intent = Intent(Intent.ACTION_VIEW, intentUri)
startActivity(intent)
Review
client_id: Your registered client ID on Strava.
redirect_uri: The URL to redirect to after authentication is complete.
response_type: The type of response expected from the Strava API (in this case, an authorization code).
approval_prompt: Controls whether the approval prompt is shown.
scope: The permissions being requested (activity read/write in this case).
Authentication Flow on iOS
On iOS, the authentication flow depends on whether the Strava app is installed. If it is, a URL scheme is used to open the Strava app directly. If not, a web flow with SFAuthenticationSession or ASWebAuthenticationSession is used to complete the authentication in a browser without leaving the app.
Prerequisites for iOS
iOS 9.0 or later: The app must support iOS 9.0 or later.
Info.plist: To check if the Strava app is installed, you need to add the strava URL scheme to the LSApplicationQueriesSchemes list in the app’s Info.plist.
Sample Code for iOS
import UIKit
import SafariServices

// Keep a strong reference so the session is not deallocated while it is running.
private var authSession: SFAuthenticationSession?

// Same authorization request in two forms: strava:// for the installed app, https:// for the web flow.
let appOAuthUrlStravaScheme = URL(string: "strava://oauth/mobile/authorize?client_id=1234321&redirect_uri=YourApp%3A%2F%2Fwww.yourapp.com%2Fen-US&response_type=code&approval_prompt=auto&scope=activity%3Awrite%2Cread&state=test")!
let webOAuthUrl = URL(string: "https://www.strava.com/oauth/mobile/authorize?client_id=1234321&redirect_uri=YourApp%3A%2F%2Fwww.yourapp.com%2Fen-US&response_type=code&approval_prompt=auto&scope=activity%3Awrite%2Cread&state=test")!

@IBAction func authenticate() {
    if UIApplication.shared.canOpenURL(appOAuthUrlStravaScheme) {
        // Strava app is installed: hand the request to it.
        UIApplication.shared.open(appOAuthUrlStravaScheme, options: [:])
    } else {
        // Strava app is not installed: run the web flow inside the app.
        authSession = SFAuthenticationSession(url: webOAuthUrl, callbackURLScheme: "YourApp://") { url, error in
            // Handle the callback
        }
        authSession?.start()
    }
}
Review
canOpenURL: Checks if the Strava app is installed using its URL scheme (strava://).
If installed, the app is opened directly with the strava:// URL scheme.
If not installed, the app falls back to using SFAuthenticationSession to perform the authentication in the app’s browser.
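The callback left as "// Handle the callback" in the sample is where the redirect has to be checked before the authorization code is exchanged for tokens. The following is an added example, not code from Strava or from the original article: it replaces the fixed state=test with a random per-request value and validates the redirect. The callback parameter names (code, scope, state, error) and all helper names are assumptions for illustration.

```swift
import Foundation
import Security

// Outcome of validating the redirect that ends the authorization step.
enum CallbackResult {
    case authorized(code: String, grantedScopes: Set<String>)
    case denied(reason: String)      // user or server refused the request
    case rejected(reason: String)    // malformed or forged: do not exchange the code
}

// Random single-use `state`, sent in the authorize URL instead of a fixed value.
func makeState(byteCount: Int = 32) -> String {
    var bytes = [UInt8](repeating: 0, count: byteCount)
    let status = SecRandomCopyBytes(kSecRandomDefault, byteCount, &bytes)
    precondition(status == errSecSuccess, "no secure random source")
    return bytes.map { String(format: "%02x", $0) }.joined()
}

// Checks scheme, state and parameters of the callback URL before any token exchange.
func validateCallback(_ url: URL, expectedScheme: String, expectedState: String,
                      requiredScopes: Set<String>) -> CallbackResult {
    guard url.scheme?.lowercased() == expectedScheme.lowercased(),
          let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems
    else { return .rejected(reason: "unexpected callback URL") }
    // A parameter that appears more than once is treated as absent.
    func value(_ name: String) -> String? {
        let matches = items.filter { $0.name == name }
        return matches.count == 1 ? matches[0].value : nil
    }
    guard let state = value("state"), state == expectedState
    else { return .rejected(reason: "state mismatch") }
    if let error = value("error") { return .denied(reason: error) }
    guard let code = value("code"), !code.isEmpty
    else { return .rejected(reason: "missing code") }
    let granted = Set((value("scope") ?? "").split(separator: ",").map(String.init))
    guard requiredScopes.isSubset(of: granted)
    else { return .rejected(reason: "required scope not granted") }
    return .authorized(code: code, grantedScopes: granted)
}

// Constructed callback URLs for illustration (not captured traffic).
let expected = makeState()
let ok = URL(string: "YourApp://www.yourapp.com/en-US?state=\(expected)&code=abc123&scope=read,activity:write")!
let forged = URL(string: "YourApp://www.yourapp.com/en-US?state=test&code=injected")!
let required: Set<String> = ["activity:write"]
print(validateCallback(ok, expectedScheme: "YourApp", expectedState: expected, requiredScopes: required))
print(validateCallback(forged, expectedScheme: "YourApp", expectedState: expected, requiredScopes: required))
```

Keep the generated state only for the pending request and discard it after the first callback. On Android the same checks apply to the data URI of the Intent that delivers the redirect.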
Considerations
Error Handling: It's crucial to handle network errors and exceptions properly on both Android and iOS. For example, if authentication fails or there is a network error, the app should provide a fallback mechanism to inform the user.
Backward Compatibility: If users have older versions of Strava, they will be redirected to the mobile web for authentication. Ensure this flow works seamlessly to avoid user frustration.
Transparent Redirection for Users: The redirection flow should be as transparent as possible, ensuring that the user is not interrupted during the authentication process.
Thorough Testing: Be sure to test the authentication flow on both platforms with various configurations (users with and without the app installed, different iOS and Android versions).
More Information
For more details on how to implement OAuth authentication with Strava, refer to the official Strava authentication documentation.
If you have any questions about the integration or need assistance at any stage, please don’t hesitate to contact our Customer Success (CS) support team. We’re here to help.
Important: This process can take several weeks and partly depends on the timelines of Strava’s review and approval process. We strongly recommend starting early to avoid any delays to your launch. Please note that approval is determined solely by Strava and does not depend on ROOK.