Friday, June 2, 2017

Re: OAuth with GWT against Strava API

On Friday, June 2, 2017 at 8:32:23 AM UTC+2, Frank wrote:
I am trying to create a GWT application against the Strava API. The first thing to do is authentication.

On they say that for the token exchange you have to do something like :

curl -X POST \ -F client_id=5 \ -F client_secret=7b2946535949ae70f015d696d8ac602830ece412 \ -F code=75e251e3ff8fff

As far as I know those -F things represent fields in a multiform post ? 
So I created something like : 

final FormPanel form = new FormPanel(); 
VerticalPanel panel = new VerticalPanel(); 
panel.add(new Hidden("client_id", CLIENT_ID)); 
panel.add(new Hidden("client_secret", CLIENT_SECRET)); 
panel.add(new Hidden("code", code)); 
form.addSubmitCompleteHandler(new FormPanel.SubmitCompleteHandler() 
   public void onSubmitComplete(SubmitCompleteEvent event) 
      GWT.log("complete " + event.getResults()); 
container.addAttachHandler(new AttachEvent.Handler() 
   public void onAttachOrDetach(AttachEvent event) 

Now when I do this I see the following error in Chrome dev tools :

Refused to display '' in a frame because it set 'X-Frame-Options' to 'deny'. POST net::ERR_BLOCKED_BY_RESPONSE

Now the questions are. 
Am I correct by creating a form to mimic that curl example ? 

For 2 reasons:
  • the response will be JSON
  • you will never ever want to expose your client_secret! Keep it secret! i.e. never put it in your client code!
    (anyone with your client_secret can "identify" as your application, which means that users who have already approved your app won't be asked again; there's still redirect_uri checks, but the doc says they only match on the domain or subdomain, so if you have an open redirect somewhere, you're doomed – and in one year from now, GDPR in Europe means you'll be liable for leaking personal data that way)
This means that you need some server code to handle the OAuth 2 authorization.

Lastly, this is not OAuth 2: OAuth 2 says the request has to be in application/x-www-form-urlencoded, and it must have a grant_type=authorization_code field.
Hopefully they do support application/x-www-form-urlencoded as well, so you could use existing OAuth2 libraries (that will take care of most of the security effort).

You could possibly expose the access_token to your client code, but be very careful not to "leak" it (make sure you don't have XSS vulnerabilities for instance, and use HTTPS – in 2017, nothing should see the light of day without HTTPS anyway, particularly if it handles personal data). I would actually highly suggest you make requests to your server which will then make requests to the Strava API, and have only your server know the access_token)

Has that frame error something to do with GWT using IFRAME stuff ?

How do I fix this ?

Don't follow the doc blindly; use an OAuth2 library. Even better, use a specialized Strava library:
And put security and privacy first.

You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
Visit this group at
For more options, visit

No comments:

Post a Comment