Spotify Community

Is this resolved now or do you still experience issues during the auth_code exchange?

Hey it seems to be working now! any idea what the issue was?

what library are you using for the authorization_code flow?

is it https://github.com/FormidableLabs/react-native-app-auth/ ?

Thanks. I suspect that this library (still investigating) doesn't fully follow the PKCE spec [1].

Would it be possible to share the exact query params you are passing to the /authorize endpoint?

And also what (post) params you are setting (skip client secret of course) when calling the api/token?grant_type=?authorization_code

Having a concrete example (that used to fail but is working now) might help here.

[1] https://tools.ietf.org/html/rfc7636

Ok, that explain a lot.

The first call (the /authorize call), where you obtain the auth code is using the PKCE extension grant_type because you are supplying the code_challenge and code_challenge_method pkce query parameters. I can't find any documentation on https://developer.spotify.com/documentation/general/guides/authorization-guide/ that mentions PKCE. 

Then in the second call you are not doing it according to the PKCE spec afaict from

https://github.com/thelinmichael/spotify-web-api-node/blob/2fcd60c30368255dab658b534b4229909ace5d43/...

I would recommend to set the usePKCE (default true) (from https://github.com/FormidableLabs/react-native-app-auth/blob/197cf6fa4072f5de788ebee87741be4bd8aadbc...) to false.

Everything works fine for me now too even though I changed nothing. Was this a Spotify problem or can I change anything backstage to prevent it from happening again?

I'm using expo client to obtain the code and then Axios javascript library to obtain my token. 

https://accounts.spotify.com/authorize
  ?code_challenge=<some random challenge>
  &code_challenge_method=S256
  &redirect_uri=http%3A%2F%2Flocalhost%3A19006
  &client_id=<client id>
  &response_type=code
  &state=<random state>
  &scope=user-read-email%20user-read-private

The problem was the same as someone else mentioned: PKCE was inadvertently on; it has started working now!

Thanks for sharing details, @ankerbachryhl @SleeplessByte @rohitganapathy @rogerchang1. We made an update to our authentication endpoints on Wednesday. The change was reversed on Friday.

We plan to re-introduce Wednesday's code change again later this week with a clearer error message. If your app uses the authorization code flow then please make sure that, when redirecting users to the /authorize endpoint, your app only uses query parameters that are documented in Spotify's OAuth guide. Adding extra query parameters (e.g. code_challenge or code_challenge_method) could cause your app to have compatibility problems again starting on Thursday. 

I hope this helps to clear things up - if you have any questions, feel free to ask them here in the thread 🙂

Hey @spotifyjosh

Thank you for a heads up. I must admit this worries me since I have never used the authorization flow any other way than documented in your official docs. I also received an error message on the /api/token endpoint and it seems like you only mention changes in the /authorize endpoint? 

Is there any way that I could test my app with the newest endpoints before an official release? Since I would be very happy to avoid my app breaking in production again. I hope this is understandable. 

Best regards,

Anker

Hi @ankerbachryhl,

I would suggest testing your app's installation flow as a new user and stopping after you are redirected to accounts.spotify.com/authorize. Take a look at the query parameters in the URL. You should see client_id, response_type, redirect_uri, and possibly state, scope, and/or show_dialog as described in the OAuth guide. 

If there are extra query parameters in the URL (for example code_challenge) then, starting on Thursday, you could receive an error when your app tries to exchange the resulting code for an access token. Hope this helps!

Is the new update released now?

---

@ankerbachryhl wrote:

Is the new update released now?

---

Hi @ankerbachryhl, yes. Spotify's OAuth system was updated late last week.

Hi @spotifyjosh

I'm glad. My app is still working then with the newly updated API and the regular Spotify login flow.

I do still have users reporting issues when using Facebook in the Spotify OAuth flow. This has also only really happened after the API update. 
Is this a known issue?

Best regards,

Anker