Authentication API failing in production right now

ankerbachryhl
Music Fan

Hey Spotify,

I'm using your authentication API to register all my users and everything worked fine since yesterday. I just launched a big ad campaign and suddenly no new users or current ones can sign in, and all the API returns are: 400 - 'invalid_request' without any error description, or ENOTFOUND accounts.spotify.com. This happens when I'm requesting the authorization_code via: https://accounts.spotify.com/api/token.

But as I said, everything worked fine since yesterday.

What is wrong?

I sincerely hope you can help me out. I'm losing users by the minute.

Regards,

Anker

spotifyjosh
Spotify

To be extra clear, I mean which query parameter keys does your app include after https://accounts.spotify.com/authorize? For example: show_dialog, scope 🙂

roger
Spotify Legend

Is this resolved now or do you still experience issues during the auth_code exchange?

rohitganapathy
Gig Goer

Hey, it seems to be working now! Any idea what the issue was?

rogerchang1
Regular

It is working for me now as well. I would also like to know what changed.

roger
Spotify Legend

What library are you using for the authorization_code flow?

Is it https://github.com/FormidableLabs/react-native-app-auth/ ?

rogerchang1
Regular

Yes, that is the one I am using.

roger
Spotify Legend

Thanks. I suspect that this library (still investigating) doesn't fully follow the PKCE spec [1].

Would it be possible to share the exact query params you are passing to the /authorize endpoint?

And also what (POST) params you are setting (skip the client secret, of course) when calling api/token with grant_type=authorization_code?

Having a concrete example (that used to fail but is working now) might help here.

[1] https://tools.ietf.org/html/rfc7636

rogerchang1
Regular

This is what the library is sending to /authorize:

https://accounts.spotify.com/authorize?nonce=******&response_type=code&code_challenge_method=S256&sc...

For the api/token endpoint, I am using the same code as the Glitch app:

spotifyApi.authorizationGrantCode(code)

Let me know if you need any more details.

roger
Spotify Legend

OK, that explains a lot.

The first call (the /authorize call), where you obtain the auth code, is using the PKCE extension grant_type because you are supplying the code_challenge and code_challenge_method PKCE query parameters. I can't find any documentation on https://developer.spotify.com/documentation/general/guides/authorization-guide/ that mentions PKCE.

Then in the second call you are not doing it according to the PKCE spec afaict from

https://github.com/thelinmichael/spotify-web-api-node/blob/2fcd60c30368255dab658b534b4229909ace5d43/...

I would recommend setting usePKCE (default true, from https://github.com/FormidableLabs/react-native-app-auth/blob/197cf6fa4072f5de788ebee87741be4bd8aadbc...) to false.

 

rogerchang1
Regular

Thanks for confirming. I will try your recommendation.
But why is it working now? Did something change?

ankerbachryhl
Music Fan

Everything works fine for me now too, even though I changed nothing. Was this a Spotify problem, or can I change anything backstage to prevent it from happening again?

I'm using the Expo client to obtain the code and then the Axios JavaScript library to obtain my token.

rogerchang1
Regular

I changed usePKCE to false and it still works, so I will keep that setting to conform to the Spotify spec. Thanks for the help.

SleeplessByte
Casual Listener

https://accounts.spotify.com/authorize
  ?code_challenge=<some random challenge>
  &code_challenge_method=S256
  &redirect_uri=http%3A%2F%2Flocalhost%3A19006
  &client_id=<client id>
  &response_type=code
  &state=<random state>
  &scope=user-read-email%20user-read-private

The problem was the same as someone else mentioned: PKCE was inadvertently on; it has started working now!

ankerbachryhl
Music Fan

So if it works now, we don't need to change anything to prevent it from happening again, right?

spotifyjosh
Spotify

Thanks for sharing details, @ankerbachryhl @SleeplessByte @rohitganapathy @rogerchang1. We made an update to our authentication endpoints on Wednesday. The change was reversed on Friday.

We plan to re-introduce Wednesday's code change again later this week with a clearer error message. If your app uses the authorization code flow then please make sure that, when redirecting users to the /authorize endpoint, your app only uses query parameters that are documented in Spotify's OAuth guide. Adding extra query parameters (e.g. code_challenge or code_challenge_method) could cause your app to have compatibility problems again starting on Thursday.

I hope this helps to clear things up - if you have any questions, feel free to ask them here in the thread 🙂

ankerbachryhl
Music Fan

Hey @spotifyjosh

Thank you for the heads up. I must admit this worries me, since I have never used the authorization flow any other way than documented in your official docs. I also received an error message on the /api/token endpoint, and it seems like you only mention changes in the /authorize endpoint?

Is there any way that I could test my app with the newest endpoints before an official release, since I would be very happy to avoid my app breaking in production again? I hope this is understandable.

Best regards,

Anker

spotifyjosh
Spotify

Hi @ankerbachryhl,

I would suggest testing your app's installation flow as a new user and stopping after you are redirected to accounts.spotify.com/authorize. Take a look at the query parameters in the URL. You should see client_id, response_type, redirect_uri, and possibly state, scope, and/or show_dialog as described in the OAuth guide.

If there are extra query parameters in the URL (for example code_challenge) then, starting on Thursday, you could receive an error when your app tries to exchange the resulting code for an access token. Hope this helps!

ankerbachryhl
Music Fan

Is the new update released now?

spotifyjosh
Spotify

@ankerbachryhl wrote:

Is the new update released now?

Hi @ankerbachryhl, yes. Spotify's OAuth system was updated late last week.

ankerbachryhl
Music Fan

Hi @spotifyjosh

I'm glad. My app is still working then with the newly updated API and the regular Spotify login flow.

I do still have users reporting issues when using Facebook in the Spotify OAuth flow. This has also only really happened after the API update.
Is this a known issue?

Best regards,

Anker
