OAuth2 requesting consent multiple times, same application showing up multiple times

Hello,

I’m currently testing out a proof-of-concept for our product’s integration with Coinbase via OAuth2.

I’m noticing that every time I initiate authorization (as a test), I’m always prompted to agree to “consent” and a new “Third-Party Application” entry appears in the “Activity” > “Third-Party Applications” section of my Coinbase dashboard. Here’s a screenshot:

I’m testing against the same OAuth2 application (same client_id), so I’d expect that Coinbase would persist my consent the first time as well as not treat the same application as a unique app.

I may be mistaken though, is this expected behavior with Coinbase?

Thank you!
Ian

Hi @ian-ridian! Thank you for taking an interest in trying out Coinbase APIs. Upon investigating with our team, we might need some clarification first to better assist with your concern. May we ask if you are using an OAuth2 library or if you are integrating it manually? Thank you.

3 Likes

Hi @BeardMan! Thanks for the quick reply here! I’m currently leveraging the Python library authlib.

Thank you for confirming!

It sounds like you are going through the authorization flow multiple times, causing you to keep getting prompted to authorize/consent to the application. This is also a likely reason why there are multiple instances of the application showing up in your Third-Party Applications page.

Can you confirm that, after a user has authorized for the first time, on subsequent attempts to log in you are then using the refresh_token to obtain a new access_token for that user? Please see our docs site for more information: Access tokens and refresh tokens

2 Likes
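The refresh-before-reauthorize pattern asked about in the reply above, as an added example that is not part of the original thread and is not Coinbase or authlib code. It follows the generic RFC 6749 section 6 refresh grant; the endpoint URL is a placeholder, the function names are hypothetical, and sending client credentials in the form body is an assumption about the provider.

```python
import time
from urllib.parse import urlencode

# Hypothetical placeholder; take the real token endpoint from the provider's docs.
TOKEN_ENDPOINT = "https://provider.example/oauth/token"
EXPIRY_SKEW = 60  # seconds of safety margin before the access token expires


def next_step(stored, now=None):
    """Decide how to get a usable access token for a returning user.

    stored: dict saved from the last token response plus 'obtained_at'
            (epoch seconds), or None if the user never authorized.
    Returns 'use_access_token', 'refresh', or 'authorize'.
    """
    now = time.time() if now is None else now
    if not stored:
        return "authorize"  # first visit: full authorization code flow
    expires_at = stored.get("obtained_at", 0) + stored.get("expires_in", 0)
    if stored.get("access_token") and now < expires_at - EXPIRY_SKEW:
        return "use_access_token"
    if stored.get("refresh_token"):
        return "refresh"  # no browser redirect, no consent screen
    return "authorize"


def refresh_request(stored, client_id, client_secret):
    """Build the RFC 6749 section 6 refresh request (URL and form body)."""
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": stored["refresh_token"],
        "client_id": client_id,          # assumption: credentials in the body
        "client_secret": client_secret,
    })
    return TOKEN_ENDPOINT, body


def merge_refresh_response(stored, response, now=None):
    """Update stored tokens; keep the old refresh token if none is returned."""
    now = time.time() if now is None else now
    updated = dict(stored, **response)  # a rotated refresh_token overrides
    updated["obtained_at"] = now
    return updated
```

Store the token set server-side per user and call `next_step` on each login, so the authorization redirect only happens when no usable refresh token remains.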

Hi @bazinga! Yes, I’m testing by initiating the authorization request each time.

My assumption is that each authorization request and user consent would persist, as in, Coinbase would remember and doesn’t have to ask each time – I’m guessing this is also what’s causing a new “authorized application” to show up on my test user’s dashboard? Is this expected behavior?

I’m not testing with the refresh token yet, but I intend to use it for refreshing tokens when they expire. Right now I’m just testing the entire authorization code flow from beginning to end, and am noticing that I’m prompted for consent each time, and a new “authorized application” shows up on my test user’s dashboard for each one of those “consents”.

Hello @ian-ridian, thank you for clarifying.

This is not something that we have seen reported before, but this behaviour is likely due to initiating the authorization request each time.

  • Can you confirm if this is blocking you or causing issues with building and testing your integration?

In the meantime, we will flag this to our product team to take a look and advise on what may be causing this.

4 Likes

Hi @LaRisa, this isn’t blocking yet, we’re still pretty early in the testing phase, this is just something I was noticing and wanted to confirm with y’all if this is the expected user experience. Thank you so much for looking into this for us!

Hi there!

Just following up on this, have there been any updates on this investigation?

Thank you!
Ian

Hello @ian-ridian! Thank you for your patience. We’ve already forwarded this to our team of specialists. We will get back to you once we have more information. Keep in touch!

1 Like

Thank you for the update, @BlackPanda! 🙏

1 Like

Hi @ian-ridian! We sincerely apologize for the delays in our response. Please be advised that this has been tagged as a bug with our internal teams. Rest assured that the relevant teams are already looking into this and we’ll keep you posted once we have updates. Thank you and have a great day! ☀️