Errors in authorization code flow documentation for refreshing token?

According to the authorization code flow documentation, in order to use a refresh token to receive a new access token we need to POST a request to https://accounts.spotify.com/api/token with the following fields in the x-www-form-urlencoded body:

 

  • grant_type
  • refresh_token

And send an HTTP basic authorization header with the base64 "client_id:client_secret" value. That all translates into something like:

curl https://accounts.spotify.com/api/token \
-d 'grant_type=refresh_token' \
-d 'refresh_token=...' \
-H "Authorization: Basic $(echo -n "$client_id:$client_secret"|base64 -w0)"

 

...but this doesn't appear to work. Following the suggestion of some random person on GitHub, I am able to successfully request a new access token if I get rid of the authorization header and include in the request body:

  • grant_type
  • refresh_token
  • client_id
  • client_secret

That is:

curl https://accounts.spotify.com/api/token \
-d 'grant_type=refresh_token' \
-d 'refresh_token=...' \
-d "client_id=$client_id" \
-d "client_secret=$client_secret"

 

Is the documentation incorrect? Am I just lucky that the second form of the request works, even though it's not documented? Thanks!
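
A local check that a Basic header value decodes to exactly client_id:client_secret, which can be run before sending the first request form above. This is an added example, not part of the original post; the function names are hypothetical and the credentials are constructed sample values.

```shell
# Build the header value: "Basic " + base64("client_id:client_secret").
# printf avoids the trailing newline a plain `echo` adds; tr removes the
# line wrapping that some base64 builds insert into long output.
basic_auth_header() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# check_basic_auth_header HEADER CLIENT_ID CLIENT_SECRET
# Returns 0 only if HEADER decodes back to exactly "CLIENT_ID:CLIENT_SECRET".
check_basic_auth_header() {
  case $1 in
    "Basic "*) ;;
    *) echo "missing 'Basic ' scheme prefix" >&2; return 1 ;;
  esac
  # Compare as hex: command substitution would silently strip a trailing
  # newline from decoded text, hiding the most common encoding mistake.
  _decoded=$(printf '%s' "${1#Basic }" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
  _expected=$(printf '%s:%s' "$2" "$3" | od -An -v -tx1 | tr -d ' \n')
  if [ "$_decoded" != "$_expected" ]; then
    echo "header does not decode to client_id:client_secret" >&2
    return 1
  fi
}

# Constructed sample values, not real credentials.
client_id='0123456789abcdef0123456789abcdef'
client_secret='fedcba9876543210fedcba9876543210'

header=$(basic_auth_header "$client_id" "$client_secret")
check_basic_auth_header "$header" "$client_id" "$client_secret" && echo "header OK"

# The same credentials encoded with a trailing newline (plain echo) are rejected.
bad="Basic $(echo "$client_id:$client_secret" | base64 | tr -d '\n')"
check_basic_auth_header "$bad" "$client_id" "$client_secret" 2>/dev/null \
  || echo "rejected: encoded value is not exactly client_id:client_secret"
```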
