This idea requests the enablement of the Device Authorization Grant authentication flow, which Spotify already uses for its TV applications, for custom applications that we can register via the Developer Dashboard.
I would like to create a headless device that can remote control Spotify via the Player API.
To access that API, I need the device to be authenticated, which is cumbersome via the supported options that Spotify offers, because all options require the user to use a login form with a redirect URL.
The Device Authorization Grant flow is a great way for headless devices to offer authentication while the user can use their own browser to approve the login request.
Spotify has even built this already for its TV applications!
(image courtesy of https://pragmaticwebsecurity.com/articles/oauthoidc/device-flow.html)
The steps are:
With the client_id of a TV application, it is possible to obtain a valid token this way. Unfortunately, this does not work for custom client_ids, as it seems your application needs to be allowlisted to use this flow.
Therefore, this request is to enable this flow for custom applications requested from the Developer Dashboard.
- the Zeroconf login flow is also not supported, and seems more cumbersome than the Device Authorization Grant authentication flow.
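The device-side half of the Device Authorization Grant (RFC 8628) discussed above is a polling loop against the token endpoint. This sketch is an added example, not part of the original post and not Spotify's code. `post_token` and `simulate` are hypothetical names, the replies are constructed, and no Spotify endpoint or real client_id is used.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 section 3.4

class DeviceFlowError(Exception):
    """Terminal failure: the user denied the request or the code expired."""

def poll_for_token(post_token, client_id, device_code, interval=5, expires_in=600,
                   sleep=time.sleep, now=time.monotonic):
    """Poll the token endpoint until the user approves, denies, or the code expires.

    post_token(form: dict) -> dict is a hypothetical transport hook; on a real
    device it would be an HTTPS POST to the provider's token endpoint.
    """
    deadline = now() + expires_in
    form = {"grant_type": GRANT_TYPE, "device_code": device_code, "client_id": client_id}
    while now() < deadline:
        sleep(interval)                      # never poll faster than the server asked
        reply = post_token(form)
        if "access_token" in reply:
            return reply                     # keep tokens off the display and out of logs
        error = reply.get("error")
        if error == "authorization_pending":
            continue                         # user has not finished approving yet
        if error == "slow_down":
            interval += 5                    # RFC 8628 section 3.5: back off by 5 seconds
            continue
        raise DeviceFlowError(error or "malformed token response")
    raise DeviceFlowError("expired_token")   # stop on our own clock as well

def simulate(replies, **kwargs):
    """Run the poller against constructed replies with a fake clock; no network."""
    clock = {"t": 0.0}
    waits = []
    def fake_sleep(seconds):
        waits.append(seconds)
        clock["t"] += seconds
    queue = iter(replies)
    try:
        token = poll_for_token(lambda form: next(queue), "example-client-id",
                               "constructed-device-code", sleep=fake_sleep,
                               now=lambda: clock["t"], **kwargs)
    except DeviceFlowError as exc:
        return str(exc), waits
    return token["access_token"], waits

if __name__ == "__main__":
    # Constructed sample replies: pending, then slow_down, then success.
    print(simulate([{"error": "authorization_pending"}, {"error": "slow_down"},
                    {"access_token": "constructed-token", "token_type": "Bearer"}]))
```

Treating `access_denied` and `expired_token` as terminal means the device has to request a fresh user code rather than keep polling with the old one.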
I would very much want this for my embedded applications! I support this!
Clarification to step 1:
The request is to allow all apps to use this flow - either by letting people enable it via the dashboard or simply by removing the restriction.
Hey @hansmbakker @thebrandon45, thanks for writing up this detailed feature request! Can you say more about the headless applications you'd like to make? What will they do?
I would like to build a Spotify Connect controller (embedded system) that can
It is not intended as a player itself, but it should control e.g. an AV receiver with Spotify Connect so that you don't need to use your phone. The NFC tags can be covered with e.g. prints of album covers.
I am adding a small OLED display to display the code that the user can enter on a pairing page like spotify.com/pair.
Examples of similar existing controllers (last one is for Sonos, but just to get the idea across):
Not sure if my reply was correctly linked to your post - hope you see this one.
I also have a use case for the OAuth2.0 device flow for a voice-controlled AI assistant to control music playback on other devices. Removing the allow list restriction entirely (or at least creating a flow in the developer dashboard similar to the quota extension request) would be very helpful in enabling this.