Intervals.icu OAuth support

Thanks. Got a dummy app working with the Strava API and OAuth last night, so I think I get it.

Shot. Intervals.icu is a bit easier because it doesn’t use refresh tokens, only access tokens.

1 Like

Is there a limitation that restricts OAuth access to only one device at any one time?
When I auth using my iPad, I can upload data. But when I do the same on my (already authed) iPhone, I have to re-auth again to be able to upload data.

I’ve never really delved deeper into why this is the case for Intervals; Dropbox and Strava seem to work for both devices.

Nothing that I am aware of. Intervals.icu only cares that the correct Bearer token is supplied, not where it is coming from.

I’ll check if the token is the same for both devices then.

Just checked. Seems like the Access Token is different between the iPad and the iPhone with the same login. Is this expected?

Thanks

Hmm. I just had a look at the code and a new token is generated each time a user auths an app and this replaces whatever token might already exist. I could return the existing token if there is one for the app. I wonder if there are any security implications?

For those trying to use this login flow for mobile apps, storing the client secret within your app is a security vulnerability as the secret can be read from the API calls your app makes during the login process. I have developed an AWS Lambda script to proxy the OAuth calls and keep the client secret secure. If this is useful to anyone in the future it is here: Python OAuth flow for Intervals.icu Lambda · GitHub

1 Like

I’ve noticed this to be a problem too, David. I can’t see any problem returning an existing token, but I’m no security expert…

If I read it correctly, you’re saying that your app (fitnessFatigue) uses this script that is hosted on AWS Lambda to get the accessTokens back to your app?

eg:
Your App → Call Login → Login page triggers the AWS Lambda script → AWS Lambda script executes and then returns the access token → Your App

Is that the flow?

I just took a look at AWS Lambda; basically you need an account as well as to pay some amount of money for this service, correct?

You’re storing your access token in the iCloud Keychain, correct? I’m no security expert either, but it’s a lot better than me rolling my own. Plus, now 1 token for all devices seems to work.

Hi, thanks for your reply.

Yep, you do need to pay to use AWS, but there is a free tier of one million requests per month…

You’re absolutely right about the login flow. The “Redirect URI” that you provide when you sign up should link to the Lambda script. The code on line 76 links back to your app using a custom URL (Apple Developer Documentation).

As you say, the access token is stored in Keychain for security.

1 Like
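The proxy David describes above and the flow app4g sketched (app → login page → Lambda at the Redirect URI → token exchange → custom URL back to the app), as an added example. This is not the gist’s code or anything from Intervals.icu; it is a standalone Python handler written for this thread. The token endpoint URL, the app’s custom URL scheme, the Redirect URI and the environment variable names are all assumptions you would replace with your own values. The HTTP transport is injectable so the handler can be exercised offline.

```python
"""Lambda-style OAuth callback that keeps the client secret server-side.

Added example for this thread, not code from the linked gist. The client
secret lives in the Lambda environment and is only ever sent from
exchange_code() to the token endpoint; the phone never sees it.
"""
import json
import urllib.parse
from typing import Callable, Dict, Optional, Tuple

# Assumed values for the example (not from the thread or the gist).
TOKEN_URL = "https://intervals.example/oauth/token"        # assumed token endpoint
REDIRECT_URI = "https://abc123.execute-api.eu-west-1.amazonaws.com/prod/callback"  # assumed
APP_CALLBACK = "fitnessfatigue://oauth"                    # assumed custom URL scheme

# Transport: POST form fields to url, return (status, body). Injected so the
# handler runs offline; in Lambda, pass urllib_post (below) or leave it None.
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


def exchange_code(code: str, client_id: str, client_secret: str,
                  redirect_uri: str, post: Transport) -> dict:
    """Authorisation-code -> access-token exchange, done on the server so the
    client_secret is never embedded in, or transmitted by, the mobile app."""
    status, body = post(TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    })
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    data = json.loads(body)
    if not isinstance(data.get("access_token"), str):
        raise RuntimeError("token response has no access_token")
    return data


def _redirect(location: str) -> dict:
    return {"statusCode": 302, "headers": {"Location": location}, "body": ""}


def lambda_handler(event: dict, context=None, post: Optional[Transport] = None,
                   env: Optional[Dict[str, str]] = None) -> dict:
    """Entry point for the Redirect URI registered with the OAuth provider.

    Expects ?code=...&state=... (or ?error=...) and hands the result to the
    app via its custom URL scheme. `state` is passed straight through: the app
    generated it before opening the login page and must compare it on return,
    because a stateless Lambda has nowhere to remember it.
    """
    if env is None:
        import os
        env = dict(os.environ)  # CLIENT_ID / CLIENT_SECRET set on the function
    params = event.get("queryStringParameters") or {}
    state = params.get("state", "")

    if "error" in params:  # user declined, or provider-side error
        q = urllib.parse.urlencode({"error": params["error"], "state": state})
        return _redirect(f"{APP_CALLBACK}?{q}")

    code = params.get("code")
    if not code:
        return {"statusCode": 400, "body": "missing code"}

    try:
        token = exchange_code(code, env["CLIENT_ID"], env["CLIENT_SECRET"],
                              REDIRECT_URI, post or urllib_post)
    except (RuntimeError, ValueError, KeyError) as exc:
        # Never echo the upstream body back to the phone; log it in Lambda instead.
        return {"statusCode": 502, "body": f"token exchange failed: {type(exc).__name__}"}

    # Token goes in the fragment, not the query string: a fragment is never
    # sent to a server if the URL is mishandled, and the app can still read it.
    frag = urllib.parse.urlencode({"access_token": token["access_token"], "state": state})
    return _redirect(f"{APP_CALLBACK}#{frag}")


def urllib_post(url: str, fields: Dict[str, str]) -> Tuple[int, str]:
    """Real transport for use inside Lambda (standard library only)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()
```

Two design choices worth noting. First, the handler forwards `state` rather than checking it, because a stateless proxy cannot know what the app generated; the app must do the comparison when the custom URL arrives, otherwise an attacker can hand your app a token for an account they control. Second, the access token is returned in the URL fragment rather than the query, which is the same place the app reads it from but is not transmitted to any server should the URL be logged or opened in the wrong place.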

@david Does this access_token expire eventually? I’m getting a 403 after a couple of hours or so. It could be due to testing on different devices multiple times, but I want to be sure.
Also, what happens to the access_token if the user logs in on another device? Does the old one expire?

AFAIK, the token is once-off (I’ve never had to re-login to get a new one).
Whenever a new login is detected, a new token gets generated, and that is the token that has to be used across all your devices. The old one is discarded.

Intervals.icu only generates 1 single token for all your devices, so in order to be able to access, you need to share this token across all your devices.

In my app, I am using the user’s encrypted Keychain. Most of this was discussed just a few posts above.

1 Like

Thanks for your response, I’ll update my app accordingly then

1 Like

It is as app4g says. I am planning to support multiple access tokens per app soon. That was an oversight on my part.

Coming back to this, are multiple access tokens already supported?

Thanks!

I just implemented that. There can be many access tokens for an athlete linked to an app, one for each time they authorise it. The most recent scopes apply to all access tokens.

3 Likes

Thanks! One more question: is there also a scope for managing my athletes? The use case is that coaches will be connecting to intervals.

EDIT: Found it in Swagger, there is an ATHLETES scope, but it still doesn’t seem to work.

EDIT2: It seems accessing /athletes works with my own API key but not through the bearer token, where I get a 403.

Currently oauth tokens grant access to the authorising athlete’s data but not to people they follow or coach. This is by design so someone who follows you can’t auth a 3rd party app which then gains access to your data. I think you need to get each athlete to auth your app and then use the correct token depending on the athlete.

Will this work?

The only (specific) issue for us is that we work with coaches and use their data. Unfortunately our whole data platform is built around the idea of 1 connection → multiple athletes. This follows the same logic as TrainingPeaks basically, where the coached athletes are also available through the API.