Announcements

Help Wizard

Step 1

NEXT STEP

FAQs

Please see below the most popular frequently asked questions.

Loading article...

Loading faqs...

VIEW ALL

Ongoing Issues

Please see below the current ongoing issues which are under investigation.

Loading issue...

Loading ongoing issues...

VIEW ALL

CORS openid-configuration

Solved!

CORS openid-configuration

I am trying to use OIDC for auth.

When my Blazor WASM client-app (which runs in the browser) attempts to hit https://accounts.spotify.com/.well-known/openid-configuration the response fails because of CORS. The error is:
Access to XMLHttpRequest at 'https://accounts.spotify.com/.well-known/openid-configuration' from origin 'https://localhost:5001' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

If I paste that URL into the browser, success.

Also, I am unable to find Spotify's oidc documentation

Reply

Accepted Solutions
Marked as solution

We experiment and explore many different things, some make it into production, some don't. You happened to stumble on one of the things we are actively exploring but have not yet made any commitments to yet. Rest assured if/when we make it available we would announce it properly 🙂 

View solution in original post

4 Replies

I am beginning to believe that Spotify's oidc is not properly set up even beyond the CORS issue.

  1. To move past the CORS issue of requesting the openid-configuration, I launched chrome without CORS.
  2. After successfully receiving the openid-configuration, my app continues the oidc process by calling the "authorization-endpoint" specified in the openid-configuration ("authorization_endpoint":"https://accounts.spotify.com/oauth2/v2/auth")

    The following query parameters are passed to it:
    client_id: <my-client-id-from-the-dev-portal>
    redirect_uri: https://localhost:5001/authentication/login-callback
    response_type: code
    scope: openid profile
    state: 756088e053494fa28d4d058f1aca26ef
    code_challenge: hkTTWHFfE8xHMwrNAlXjTK2T_Nk85qgMNGtyGn7FrDI
    code_challenge_method: S256
    response_mode: query


  3. Spotify responds with a 200 to my provided redirect-uri, but has an error of "invalid_scope". This occurs any time the scopes of email, openid, and/or profile are included despite Spotify's openid-configuration indicating those 3 scopes are supported.

Hi there

 

Apologies for the long response time. 

 

OpenID Connect is not supported, you will have to use OAuth. You can find all the information about what is supported here: https://developer.spotify.com/documentation/general/guides/authorization-guide/

Thanks for the response. I'm confused though. If OpenID Connect is not supported, then why is the endpoint for it available (https://accounts.spotify.com/.well-known/openid-configuration)? Are there plans to support OpenID Connect since it is a common layer on top of OAuth2?
Marked as solution

We experiment and explore many different things, some make it into production, some don't. You happened to stumble on one of the things we are actively exploring but have not yet made any commitments to yet. Rest assured if/when we make it available we would announce it properly 🙂 

Suggested posts