Plan
Free/Premium
Country
USA
Device
iPhone XR
Operating System
iOS 17.4.1
My Question or Issue
I'm trying to authenticate using non-PKCE between Spotify iOS SDK and Web API. Every time I try to exchange the auth code for tokens, I get a 400 error and the body
{"error":"invalid_request","error_description":"code_verifier required"}
. However, according to the non-PKCE docs, no code_verifier should be included. My flow is:
1. Use my iOS app and Spotify iOS SDK + Spotify app installed to retrieve the authorization code.
2. Pass that code to my service backend to exchange it for the OAuth tokens (refresh and access).
Swift
```
// Create a SPTSessionManager
let sessionManager = …
sessionManager?.initiateSession(with: scopes, options: .default)
// In my AppDelegate URL processing callback
guard let appRemote = appRemote else { return }
guard let parameters = appRemote.authorizationParameters(from: url) else { return }
guard let access_code = parameters["code"] else { return }
logger.info("Spotify Access Code: \(String(describing: access_code))")
```
All this works, and I see an access code. I then pass that code to my Node.js backend to exchange the code for tokens and store the tokens (so I can make Web API calls later). The called URL is `https://accounts.spotify.com/api/token`.
```
logger.info('Exchanging code for tokens');
const encodedCredentials = this.encodeClientCredentials({
clientId: this.clientId,
clientSecret: this.clientSecret,
});
const response = await this.fetchFunction(this.accessTokenUrl,
{
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
Authorization: encodedCredentials,
},
body: this.generateTokensRequestBody(code),
});
if (!response.ok) {
throw new Error(await response.text());
}
logger.info('Fetch function succeeded, parsing response...');
const data = await response.json();
const accessToken = data.access_token;
const refreshToken = data.refresh_token;
```
This is `generateTokensRequestBody()` seen above:
```
return new URLSearchParams({
grant_type: 'authorization_code',
code,
redirect_uri: this.redirectUri,
});
```
As far as I can tell, I _cannot_ use PKCE because there's nowhere in the iOS SDK to provide the `code_verifier`. If I tried to pass the `code_verifier` when I exchange the code for the tokens, there's no previous call to reference.