Auth attempts all return "code_verifier required" when using non-PKCE auth between iOS and Web

StudioInit — Wed, 22 May 2024 14:13:02 GMT

Plan

Free/Premium

Country

USA

Device

iPhone XR

Operating System

iOS 17.4.1

My Question or Issue

I'm trying to authenticate using non-PKCE between Spotify iOS SDK and Web API. Every time I try to exchange the auth code for tokens, I get a 400 error and the body

{"error":"invalid_request","error_description":"code_verifier required"}

. However, according to the non-PKCE docs, no code_verifier should be included. My flow is:

1. Use my iOS app and Spotify iOS SDK + Spotify app installed to retrieve the authorization code.

2. Pass that code to my service backend to exchange it for the OAuth tokens (refresh and access).

Swift

```

// Create a SPTSessionManager

let sessionManager = …

sessionManager?.initiateSession(with: scopes, options: .default)

// In my AppDelegate URL processing callback

guard let appRemote = appRemote else { return }

guard let parameters = appRemote.authorizationParameters(from: url) else { return }

guard let access_code = parameters["code"] else { return }

logger.info("Spotify Access Code: \(String(describing: access_code))")

```

All this works, and I see an access code. I then pass that code to my Node.js backend to exchange the code for tokens and store the tokens (so I can make Web API calls later). The called URL is `https://accounts.spotify.com/api/token`.

```

logger.info('Exchanging code for tokens');

const encodedCredentials = this.encodeClientCredentials({

clientId: this.clientId,

clientSecret: this.clientSecret,

});

const response = await this.fetchFunction(this.accessTokenUrl,

{

method: 'POST',

headers: {

'Content-Type': 'application/x-www-form-urlencoded',

Authorization: encodedCredentials,

body: this.generateTokensRequestBody(code),

});

if (!response.ok) {

throw new Error(await response.text());

}

logger.info('Fetch function succeeded, parsing response...');

const data = await response.json();

const accessToken = data.access_token;

const refreshToken = data.refresh_token;

```

This is `generateTokensRequestBody()` seen above:

```

return new URLSearchParams({

grant_type: 'authorization_code',

code,

redirect_uri: this.redirectUri,

});

```

As far as I can tell, I _cannot_ use PKCE because there's nowhere in the iOS SDK to provide the `code_verifier`. If I tried to pass the `code_verifier` when I exchange the code for the tokens, there's no previous call to reference.

Re: Auth attempts all return "code_verifier required" when using non-PKCE auth between iOS

jcrm1 — Thu, 31 Oct 2024 18:46:39 GMT

I am also having this issue. Were you able to find a solution?

topic Auth attempts all return "code_verifier required" when using non-PKCE auth between iOS and Web in Spotify for Developers

Auth attempts all return "code_verifier required" when using non-PKCE auth between iOS and Web

Re: Auth attempts all return "code_verifier required" when using non-PKCE auth between iOS