Announcements

CORS openid-configuration

Solved!
Go to solution

CORS openid-configuration

Avatar of jsn-dev
Casual Listener
‎2021-09-05 08:53 PM

I am trying to use OIDC for auth.

When my Blazor WASM client-app (which runs in the browser) attempts to hit https://accounts.spotify.com/.well-known/openid-configuration the response fails because of CORS. The error is:
Access to XMLHttpRequest at 'https://accounts.spotify.com/.well-known/openid-configuration' from origin 'https://localhost:5001' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

If I paste that URL into the browser, success.

Also, I am unable to find Spotify's oidc documentation

Labels:
1 person had this problem.
Reply

Accepted Solutions
Marked as solution

Avatar of ohej
Spotify
Spotify
‎2021-10-07 01:38 PM

We experiment and explore many different things, some make it into production, some don't. You happened to stumble on one of the things we are actively exploring but have not yet made any commitments to yet. Rest assured if/when we make it available we would announce it properly 🙂 

View solution in original post

0 Likes
4 Replies

Avatar of jsn-dev
Casual Listener
‎2021-09-11 10:41 PM

I am beginning to believe that Spotify's oidc is not properly set up even beyond the CORS issue.

  1. To move past the CORS issue of requesting the openid-configuration, I launched chrome without CORS.
  2. After successfully receiving the openid-configuration, my app continues the oidc process by calling the "authorization-endpoint" specified in the openid-configuration ("authorization_endpoint":"https://accounts.spotify.com/oauth2/v2/auth")

    The following query parameters are passed to it:
    client_id: <my-client-id-from-the-dev-portal>
    redirect_uri: https://localhost:5001/authentication/login-callback
    response_type: code
    scope: openid profile
    state: 756088e053494fa28d4d058f1aca26ef
    code_challenge: hkTTWHFfE8xHMwrNAlXjTK2T_Nk85qgMNGtyGn7FrDI
    code_challenge_method: S256
    response_mode: query


  3. Spotify responds with a 200 to my provided redirect-uri, but has an error of "invalid_scope". This occurs any time the scopes of email, openid, and/or profile are included despite Spotify's openid-configuration indicating those 3 scopes are supported.
0 Likes

Avatar of ohej
Spotify
Spotify
‎2021-10-06 08:15 AM

Hi there

 

Apologies for the long response time. 

 

OpenID Connect is not supported, you will have to use OAuth. You can find all the information about what is supported here: https://developer.spotify.com/documentation/general/guides/authorization-guide/

0 Likes

Avatar of jsn-dev
Casual Listener
‎2021-10-07 01:35 PM
Thanks for the response. I'm confused though. If OpenID Connect is not supported, then why is the endpoint for it available (https://accounts.spotify.com/.well-known/openid-configuration)? Are there plans to support OpenID Connect since it is a common layer on top of OAuth2?
0 Likes
Marked as solution

Avatar of ohej
Spotify
Spotify
‎2021-10-07 01:38 PM

We experiment and explore many different things, some make it into production, some don't. You happened to stumble on one of the things we are actively exploring but have not yet made any commitments to yet. Rest assured if/when we make it available we would announce it properly 🙂 

0 Likes

Suggested posts

Let's introduce ourselves!

Hey there you,   Yeah, you! 😁   Welcome - we're glad you joined the Spotify Community!   While you here, let's have a fun game…

Staff
ModeratorStaff / Moderator/ 1 year ago in Social & Random
Read more