
403 Forbidden for URL -- accounts created through Facebook

Hello Spotify Developers,

 

I am not sure if this is a bug, a security feature, or something I am not grasping, but I am planning an app which requires users to log in through their Spotify account and retrieves some information. Everything works as expected except for users who created their Spotify accounts through Facebook; for them the authorization flow fails with a 403 Forbidden. Here is how to replicate what I am seeing:

 

Following the authorization guide step by step:

  1. Follow the URL below with a real client_id and secret. You also need to have https://example.com:8000/social-auth/complete/spotify/ in your valid redirect URI list in the Spotify developer dashboard.

     https://accounts.spotify.com/authorize?client_id=${client_id}&response_type=code&redirect_uri=https%...

  2. After logging in and agreeing to the scopes, retrieve the code value and run

     $ curl -d code=${code} -d client_id=${client_id} -d client_secret=${client_secret} -d grant_type="authorization_code" -d redirect_uri='https://example.com:8000/social-auth/complete/spotify/' https://accounts.spotify.com/api/token

  3. Retrieve the access_token value and run

     $ curl -X "GET" "https://api.spotify.com/v1/me" -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer ${access_token}"

If I follow this with a Spotify account created with an email it returns the expected data, but when I follow it with a Spotify account that was created with a Facebook account it returns a "403 Forbidden for url: https://api.spotify.com/v1/me" error, as if it never received the proper scope for the endpoint. When I try the endpoint at https://developer.spotify.com/console/get-current-user/ it works fine, so what am I missing here?

 

How can I use the https://api.spotify.com/v1/me endpoint for Spotify accounts that were created through Facebook?

Thanks for the help!

4 Replies

So after almost 2 weeks of messing around with this I figured it out if anybody else is having this strange issue. I discovered that if I started a new developer account with an account created through Facebook then the endpoint works for all social users, but if the developer account was created with an email through Spotify then only other "email" accounts can use the endpoint. This doesn't seem like how it should be functioning to me, but at least I have it working now.

Your issue has absolutely nothing to do with whether the Spotify account was created through Facebook or not. It has to do with the new "Development mode" that Spotify introduced for all new developer applications. In this mode, you must explicitly whitelist up to 25 users that you want to use your app. If a user is not whitelisted, you will get a 403 Forbidden status code in the response. You should've inspected the body of the response, which will say "User not approved for app".

See https://developer.spotify.com/community/news/2021/05/27/improving-the-developer-and-user-experience-....
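As an added example (my code, not the original poster's script and not a Spotify library), here are the three curl steps from the opening post and the advice in the reply above, reading the 403 body instead of stopping at the status code, as one Python module. It assumes the redirect URI from the post, adds the standard OAuth 2.0 `state` parameter as a CSRF check on the callback, and runs offline against constructed Spotify-style responses: the token, the profile and the error messages in `SAMPLE_ME_RESPONSES` are made up for the demo, not captured from Spotify.

```python
# Added example: the poster's three curl steps as one Python module that reads the
# 403 body back. Not the poster's code and not a Spotify library.
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"
ME_URL = "https://api.spotify.com/v1/me"
# Redirect URI from the post; it must match the dashboard entry exactly.
REDIRECT_URI = "https://example.com:8000/social-auth/complete/spotify/"

# A transport is (method, url, headers, body) -> (status, response body). Injecting it
# lets the same flow run against Spotify or against the constructed responses below.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method, url, headers, body):
    """Real transport; 4xx/5xx come back as values instead of exceptions."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def build_authorize_url(client_id: str, scopes: str, state: str) -> str:
    """Step 1: the /authorize URL. `state` is a per-login CSRF token (OAuth 2.0 state
    parameter), e.g. secrets.token_urlsafe(16), that the callback must echo back."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "scope": scopes, "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Pull ?code= out of the redirect to REDIRECT_URI; refuse it on a state mismatch."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback (possible CSRF)")
    if "error" in query:
        raise ValueError("authorization refused: " + query["error"][0])
    return query["code"][0]


def exchange_code(client_id: str, client_secret: str, code: str, transport: Transport) -> Dict:
    """Step 2: POST the code to /api/token with the same fields as the curl -d call."""
    form = urllib.parse.urlencode({
        "grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
        "client_id": client_id, "client_secret": client_secret}).encode()
    status, body = transport("POST", TOKEN_URL,
                             {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body.decode(errors='replace')}")
    return json.loads(body)


def classify_403(body: bytes) -> str:
    """Read the message inside a Web API 403 instead of stopping at the status code.
    Spotify error bodies have the shape {"error": {"status": 403, "message": "..."}}."""
    try:
        message = str(json.loads(body)["error"]["message"]).lower()
    except (ValueError, KeyError, TypeError):
        return "unknown"
    if "not approved" in message:
        return "dev-mode-allowlist"   # user is not on the app's Development mode user list
    if "scope" in message:
        return "insufficient-scope"   # token was issued without the scope /v1/me needs
    return "unknown"


def get_me(access_token: str, transport: Transport) -> Tuple[str, str]:
    """Step 3: GET /v1/me. Returns (outcome label, raw response body)."""
    headers = {"Accept": "application/json", "Authorization": "Bearer " + access_token}
    status, body = transport("GET", ME_URL, headers, None)
    text = body.decode(errors="replace")
    if status == 200:
        return "ok", text
    return (classify_403(body) if status == 403 else f"http-{status}"), text


def run_flow(client_id, client_secret, transport, callback_url, expected_state) -> str:
    """Callback onward: verify state, exchange the code, call /v1/me, return the outcome."""
    code = code_from_callback(callback_url, expected_state)
    token = exchange_code(client_id, client_secret, code, transport)
    return get_me(token["access_token"], transport)[0]


# Constructed responses (not captured from Spotify) so the flow runs offline.
SAMPLE_ME_RESPONSES = {
    "approved": (200, b'{"id": "user123", "display_name": "Example User"}'),
    "not-approved": (403, b'{"error": {"status": 403, "message": "User not approved for app"}}'),
    "no-scope": (403, b'{"error": {"status": 403, "message": "Insufficient client scope"}}'),
}


def make_fake_transport(me_case: str) -> Transport:
    """Fake Spotify: issues a token, then answers /v1/me with the chosen sample."""
    def transport(method, url, headers, body):
        if method == "POST" and url == TOKEN_URL:
            return 200, b'{"access_token": "tok-abc", "token_type": "Bearer", "expires_in": 3600}'
        if method == "GET" and url == ME_URL and headers.get("Authorization") == "Bearer tok-abc":
            return SAMPLE_ME_RESPONSES[me_case]
        return 401, b'{"error": {"status": 401, "message": "Invalid access token"}}'
    return transport
```

To exercise it offline, call `run_flow("cid", "secret", make_fake_transport("not-approved"), REDIRECT_URI + "?code=AQB-code&state=s1", "s1")`, which returns `"dev-mode-allowlist"`; the `"no-scope"` sample returns `"insufficient-scope"`, which is the distinction the status code alone cannot make. To run it against Spotify, pass `urllib_transport` instead of the fake one, hand `code_from_callback` the URL your redirect handler actually received, and store the `state` you generated server-side before redirecting so the callback can be checked against it.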

Hey Peter,

Thanks for the reply. I had read about development mode and whitelisting users and all that, but I never found that I actually had to do any of that. We had 5 separate accounts that could access our development mode account, and 3 that couldn't, yet there are 0 users in the whitelist. If we had to explicitly whitelist users like in the docs then shouldn't I be the only one who can have access?

Also, thanks to your reply I figured out why the Facebook account was the only account that all users could access, since it was the only Facebook account we had and I forgot it was granted the extended quota. However I'm still confused why the developer accounts can have some users access while others get the 403 (I've never touched a whitelist).

I inspected the body of the 403 response and it wasn't the "user not approved" one. I was getting annoyed with all the Google searches coming up with that instead of what I was getting, which is the same one as if you give an endpoint the wrong scopes, so I posted this.

I'm contacting Spotify support since it might have to do with the professional account, then completely forget about it again.

Cheers Mate!

Spotify developer applications that were created before a specified date are automatically granted an extended quota, meaning that no whitelisting is required. Are you sure the difference between these accounts that explains your issue isn't merely the date they were created?
