Authorization: code_verifier was incorrect

Hi,

We are having some trouble implementing the iOS Spotify SDK. We use it in the context of user authorisation in order to get the `code`. We pass the `code` to our API (where it is transformed). Our API (Node.js) calls a Spotify token endpoint and we keep getting an error `code_verifier was incorrect`. We tried regenerating it and we still get the same error. The `redirectUri` is correctly registered and we use it with both API and mobile. On Android it works correctly (with and without `code_verifier`).

If anyone can help, please let us know. Thanks
Plan: Free
Country: France
Device: iOS 17.2.1, iPhone 14 Pro Max


I'd be glad to provide a response that addresses the points raised, incorporates insights from the ratings, and offers the best possible guidance for Spotify integration using the iOS SDK with PKCE:
Understanding the Issue:
You're absolutely correct in identifying the challenge when using PKCE with the Spotify iOS SDK. The standard SDK flow doesn't directly provide the authorization code within the app itself due to security concerns. This can lead to confusion when attempting to implement a backend server for token exchange using PKCE.
Alternative Approach with Custom Redirect URI:
The approach you described, where you modified the redirectURI to a custom scheme (spotify-musicsdk://spotify-login-callback), is a viable workaround. However, it's essential to be aware of its limitations and potential security implications.
Limitations and Security Considerations:
Custom Scheme Redirect: This approach bypasses the standard Spotify login flow, which might lead to compatibility issues with future Spotify SDK updates or Spotify app behavior.
Security Concerns: Using a custom scheme redirect can introduce a vulnerability if the logic for handling the redirect URI isn't implemented securely. A malicious app might potentially intercept the redirect and steal the authorization code.
Recommendations and Best Practices:
Full PKCE Implementation with Backend Server:
While the Spotify iOS SDK doesn't natively handle the full PKCE flow within the app, it's strongly recommended for enhanced security.
Here's the process:
Implement the Authorization Code Flow with PKCE on your backend server. This involves generating a code verifier and challenge, handling the redirect URI (which can be your backend server's URL), and exchanging the authorization code for tokens. Refer to Spotify's documentation: https://developer.spotify.com/documentation/web-api/tutorials/code-flow
Use the standard Spotify iOS SDK authorization flow with the redirectURI pointing to your backend server.
Upon successful user login, Spotify redirects the user to your backend server's redirect URI with the authorization code.
Your backend server uses the PKCE flow (code verifier and challenge) to exchange the authorization code for access and refresh tokens securely.
The backend server can then send the tokens back to your app for further use.
Security Measures:
Implement robust security measures on your backend server:
Use HTTPS for communication between the Spotify iOS SDK and your backend server.
Securely store refresh tokens on your backend server. Consider using a database or encrypted storage mechanisms.
Example of what I did in my app:

```swift
import SpotifyiOS

// Custom-scheme redirect URI, registered in the Spotify developer dashboard.
private let spotifyRedirectURI = URL(string: "spotify-musicsdk://spotify-login-callback")

lazy var configuration: SPTConfiguration? = {
    guard let spotifyRedirectURI = spotifyRedirectURI else { return nil }
    let configuration = SPTConfiguration(clientID: spotifyClientID, redirectURL: spotifyRedirectURI)
    // Local development endpoints the SDK uses to swap the code for tokens and to refresh them.
    configuration.tokenSwapURL = URL(string: "http://localhost:1234/swap")
    configuration.tokenRefreshURL = URL(string: "http://localhost:1234/refresh")
    return configuration
}()
```
