I’m currently testing out a proof-of-concept for our product’s integration with Coinbase via OAuth2.
I’m noticing that every time I initiate authorization (as a test), I’m always prompted to agree to “consent” and a new “Third-Party Application” entry appears in the “Activity” > “Third-Party Applications” section of my Coinbase dashboard. Here’s a screenshot:
I’m testing against the same OAuth2 application (same
client_id), so I’d expect that Coinbase would persist my consent the first time as well as not treat the same application as a unique app.
I may be mistaken though, is this expected behavior with Coinbase?
Hi @ian-ridian! Thank you for taking an interest in trying out Coinbase APIs. Upon investigating with our team, we might need some clarification first for better assisting with your concern. May we ask if you are using an OAuth2 Library or if you are Integrating it manually? Thank you.
Hi @danpaolo.ballares! Thanks for the quick reply here! I’m currently leveraging the python library authlib.
Thank you for confirming!
It sounds like you are going through authorization flow multiple times, causing you to keep getting prompted to authorize/consent to the application. This is also a likely reason why there are multiple instances of the application showing up in your Third-Party Applications page.
Can you confirm that after a user has authorized for the first time, that on subsequent attempts to login that you are then using the refresh_token to obtain a new access_token for that user? Please see our docs site for more information: Access tokens and refresh tokens
Hi @camille.decastro! Yes, i’m testing by initiated the authorization request each time.
My assumption is that each authorization request and user consent would persist, as in, Coinbase would remember and doesn’t have to ask each time – I’m guessing this is also what’s causing a new “authorized application” to show up on my test user’s dashboard? Is this expected behavior?
I’m not testing with the refresh token yet, but I intend to use it for refreshing tokens when they expire. Right now I’m just testing the entire authorization code flow from beginning to end, and am noticing that i’m prompted for consent each time, and a new “authorized application” shows up on my test user’s dashboard for each one of those “consents”.
Hello @ian-ridian, thank you for clarifying.
This is not something that we have seen reported before, but this behaviour is likely due to initiating the authorization request each time.
- Can you confirm if this is blocking you or causing issues with building and testing your integration?
In the meantime, we will flag this to our product team to take a look and advise on what may be causing this.
Hi @riza.espiritu, this isn’t blocking yet, we’re still pretty early in the testing phase, this is just something I was noticing and wanted to confirm with y’all if this is the expected user experience. Thank you so much for looking into this for us!
Just following up on this, has there been any updates on this investigation?
Hello @ian-ridian! Thank you for your patience. We’ve already forwarded this to our team of specialists. We will get back to you once we have more information. Keep in touch!
Thank you for the update, @joshmer.briones!