Auth attempts all return "code_verifier required" when using non-PKCE auth between iOS and Web

Plan

Free/Premium

Country

USA

Device

iPhone XR

Operating System

iOS 17.4.1

My Question or Issue

I'm trying to authenticate using non-PKCE between Spotify iOS SDK and Web API. Every time I try to exchange the auth code for tokens, I get a 400 error and the body `{"error":"invalid_request","error_description":"code_verifier required"}`. However, according to the non-PKCE docs, no code_verifier should be included. My flow is:

1. Use my iOS app and Spotify iOS SDK + Spotify app installed to retrieve the authorization code.

2. Pass that code to my service backend to exchange it for the OAuth tokens (refresh and access).

Swift

```swift
// Create a SPTSessionManager
let sessionManager = …
sessionManager?.initiateSession(with: scopes, options: .default)

// In my AppDelegate URL processing callback
guard let appRemote = appRemote else { return }
guard let parameters = appRemote.authorizationParameters(from: url) else { return }
guard let access_code = parameters["code"] else { return }
// The authorization code is a one-time credential; keep this log out of release builds
logger.info("Spotify Access Code: \(String(describing: access_code))")
```

All this works, and I see an access code. I then pass that code to my Node.js backend to exchange the code for tokens and store the tokens (so I can make Web API calls later). The called URL is `https://accounts.spotify.com/api/token`.

```javascript
logger.info('Exchanging code for tokens');
// Basic auth header built from client id + secret (confidential client, kept on the backend)
const encodedCredentials = this.encodeClientCredentials({
  clientId: this.clientId,
  clientSecret: this.clientSecret,
});
const response = await this.fetchFunction(this.accessTokenUrl, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    Authorization: encodedCredentials,
  },
  body: this.generateTokensRequestBody(code),
});
if (!response.ok) {
  throw new Error(await response.text());
}
logger.info('Fetch function succeeded, parsing response...');
const data = await response.json();
const accessToken = data.access_token;
const refreshToken = data.refresh_token;
```

This is `generateTokensRequestBody()` seen above:

```javascript
generateTokensRequestBody(code) {
  // Plain authorization_code grant body; no code_verifier is sent
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: this.redirectUri,
  });
}
```

As far as I can tell, I _cannot_ use PKCE because there's nowhere in the iOS SDK to provide the `code_verifier`. If I tried to pass the `code_verifier` when I exchange the code for the tokens, there's no previous call to reference.
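The code-for-token exchange described in the post, as an added example that is not part of the original post or of the Spotify SDK: a backend helper that builds the `authorization_code` request (with or without a `code_verifier`), performs it through an injectable fetch, and classifies a token-endpoint error body rather than rethrowing the raw text. The function names (`buildTokenExchangeRequest`, `classifyTokenError`, `exchangeAuthorizationCode`), the constructed stand-in server, the placeholder client credentials and the redirect URI are all assumptions made for the example. What it demonstrates is the generic OAuth 2.0 / RFC 7636 rule behind the error in the post: a code that was issued against a `code_challenge` can only be redeemed together with the matching `code_verifier`, so the backend can tell "the code was bound to PKCE" apart from "the code was rejected" or "client authentication failed".

```javascript
// Added example (not the poster's code or the Spotify SDK's): building, sending and
// diagnosing an OAuth 2.0 authorization-code exchange. Function names are assumptions.

const TOKEN_URL = 'https://accounts.spotify.com/api/token';

// Basic credentials for a confidential client (RFC 6749 §2.3.1); the secret stays on the backend.
function encodeClientCredentials({ clientId, clientSecret }) {
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
}

// With PKCE (RFC 7636) the code_verifier paired with the code_challenge sent at
// authorization time must accompany the code; in a non-PKCE flow it is simply omitted.
function buildTokenExchangeRequest({ code, redirectUri, clientId, clientSecret, codeVerifier }) {
  const params = { grant_type: 'authorization_code', code, redirect_uri: redirectUri };
  if (codeVerifier) params.code_verifier = codeVerifier;
  return {
    url: TOKEN_URL,
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: encodeClientCredentials({ clientId, clientSecret }),
    },
    body: new URLSearchParams(params).toString(),
  };
}

// Map a token-endpoint error body (RFC 6749 §5.2) to a diagnosis the backend can log.
function classifyTokenError(status, bodyText) {
  let body;
  try { body = JSON.parse(bodyText); } catch { return { kind: 'unparseable', error: null, description: bodyText }; }
  const description = body.error_description || '';
  if (body.error === 'invalid_request' && /code_verifier/i.test(description)) {
    // The code was bound to a code_challenge and the exchange carried no verifier.
    return { kind: 'pkce_verifier_missing', error: body.error, description };
  }
  if (body.error === 'invalid_grant') return { kind: 'code_rejected', error: body.error, description };
  if (body.error === 'invalid_client') return { kind: 'client_auth_failed', error: body.error, description };
  return { kind: 'other', error: body.error || null, description };
}

// Perform the exchange; fetchFn is injected so the flow can be exercised offline.
async function exchangeAuthorizationCode(fetchFn, opts) {
  const req = buildTokenExchangeRequest(opts);
  const response = await fetchFn(req.url, { method: req.method, headers: req.headers, body: req.body });
  const text = await response.text();
  if (!response.ok) {
    return { ok: false, status: response.status, diagnosis: classifyTokenError(response.status, text) };
  }
  const data = JSON.parse(text);
  return { ok: true, accessToken: data.access_token, refreshToken: data.refresh_token, expiresIn: data.expires_in };
}

// Constructed stand-in for the token endpoint: codes in pkceCodes were "issued" with a
// code_challenge and are refused without a code_verifier; other valid codes are accepted.
function constructedTokenServer(pkceCodes) {
  const reply = (status, obj) => ({ ok: status === 200, status, text: async () => JSON.stringify(obj) });
  return async (_url, init) => {
    const params = new URLSearchParams(init.body);
    const code = params.get('code');
    if (params.get('grant_type') !== 'authorization_code' || !code) {
      return reply(400, { error: 'invalid_grant', error_description: 'Invalid authorization code' });
    }
    if (pkceCodes.has(code) && !params.get('code_verifier')) {
      return reply(400, { error: 'invalid_request', error_description: 'code_verifier required' });
    }
    return reply(200, { access_token: 'AT-constructed', refresh_token: 'RT-constructed', expires_in: 3600, token_type: 'Bearer' });
  };
}

// Demo run against the constructed server with placeholder credentials.
const demoCreds = { clientId: 'CLIENT_ID_PLACEHOLDER', clientSecret: 'CLIENT_SECRET_PLACEHOLDER', redirectUri: 'myapp://callback' };
exchangeAuthorizationCode(constructedTokenServer(new Set(['CODE-PKCE'])), { ...demoCreds, code: 'CODE-PKCE' })
  .then((r) => console.log('exchange without verifier:', r.ok ? 'ok' : r.diagnosis.kind));
```

The classifier keeps the backend from swallowing the server's own diagnosis in a generic `Error`: the `pkce_verifier_missing` outcome says the two halves of the flow disagree about PKCE, which is a configuration mismatch between the client that obtained the code and the backend that redeems it, not a malformed request body.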

1 Reply

I am also having this issue. Were you able to find a solution?
