Announcements

Help Wizard

Step 1

NEXT STEP

FAQs

Please see below the most popular frequently asked questions.

Loading article...

Loading faqs...

VIEW ALL

Ongoing Issues

Please see below the current ongoing issues which are under investigation.

Loading issue...

Loading ongoing issues...

VIEW ALL

Auth attempts all return "code_verifier required" when using non-PKCE auth between iOS and Web

Auth attempts all return "code_verifier required" when using non-PKCE auth between iOS and Web

Plan

Free/Premium

Country

USA

 

Device

iPhone XR

Operating System

iOS 17.4.1

 

My Question or Issue

I'm trying to authenticate using non-PKCE between Spotify iOS SDK and Web API. Every time I try to exchange the auth code for tokens, I get a 400 error and the body

{"error":"invalid_request","error_description":"code_verifier required"}
 

. However, according to the non-PKCE docs, no code_verifier should be included. My flow is:

 

1. Use my iOS app and Spotify iOS SDK + Spotify app installed to retrieve the authorization code.

2. Pass that code to my service backend to exchange it for the OAuth tokens (refresh and access).

 

Swift

```

// Create a SPTSessionManager

let sessionManager = …

sessionManager?.initiateSession(with: scopes, options: .default)

 

// In my AppDelegate URL processing callback

guard let appRemote = appRemote else { return }

guard let parameters = appRemote.authorizationParameters(from: url) else { return }

guard let access_code = parameters["code"] else { return }

logger.info("Spotify Access Code: \(String(describing: access_code))")

```

 

All this works, and I see an access code.  I then pass that code to my Node.js backend to exchange the code for tokens and store the tokens (so I can make Web API calls later). The called URL is `https://accounts.spotify.com/api/token`.

 

```

logger.info('Exchanging code for tokens');

const encodedCredentials = this.encodeClientCredentials({

  clientId: this.clientId,

  clientSecret: this.clientSecret,

});

const response = await this.fetchFunction(this.accessTokenUrl,

  {

    method: 'POST',

    headers: {

      'Content-Type': 'application/x-www-form-urlencoded',

      Authorization: encodedCredentials,

    },

    body: this.generateTokensRequestBody(code),

  });

if (!response.ok) {

  throw new Error(await response.text());

}

logger.info('Fetch function succeeded, parsing response...');

const data = await response.json();

const accessToken = data.access_token;

const refreshToken = data.refresh_token;

```

 

This is `generateTokensRequestBody()` seen above:

 

```

return new URLSearchParams({

  grant_type: 'authorization_code',

  code,

  redirect_uri: this.redirectUri,

});

```

 

As far as I can tell, I _cannot_ use PKCE because there's nowhere in the iOS SDK to provide the `code_verifier`. If I tried to pass the `code_verifier` when I exchange the code for the tokens, there's no previous call to reference.

Reply
1 Reply

I am also having this issue. Were you able to find a solution?

Suggested posts