Refreshing access token does not return new refresh token


The documentation states that the following request should return a new refresh token:

 

Sample cURL request

curl -H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token' \
-d 'refresh_token=bOP-ycJHioNwO9QNqCpaREE4jInOjigq7hESRu3NFOa_XWy5tRLPWtacerPcLRTT3ad_Lsyba3fqidxUnbQZ6s1wIge' \
-d 'client_id=78ddd16c16e43884672d93a4a299bd0a59878fc3' https://accounts.spotify.com/api/token

Sample response

{
    "access_token": "9Cysa896KySJLrEcasloD1Gufy9iSq7Wa-K2SbSKwK3rXfizi4GwIS2RCrBmCMsKfkTDm82ez9m47WZ8egFCuRPs4BgEHw",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "PoO04alC_uRJoyd2MLhN53hHv2-sDAJs5mULPPzLW0lgdXXAvZAWEJrBqqd6NfCE4FZo7TcuKXp4grmE-9fKyMaP6zl6g",
    "scope": "user-follow-modify"
}

 

But when I do the exact same request with my app credentials the response misses the refresh_token? Is this the intended way or is this a bug?

Link to the referred documentation page:
https://developer.spotify.com/documentation/general/guides/authorization-guide/


Which authorization process are you using? The authorization code flow, or the authorization code flow with proof key for code exchange?

I indeed was looking at the wrong authentication system. Everything works as expected. But just to be clear. I am using the standard auth flow. Can I use the refresh token I originally obtained over and over again?

I don't know what the "standard auth flow" is. Spotify has the following authorization flows:

 

* Authorization Code Flow
* Authorization Code Flow With Proof Key for Code Exchange (PKCE)
* Implicit Grant
* Client Credentials Flow

 

I can't answer your questions until you tell me which authorization flow you're using. 

@DeineMudda753 What did you do to fix this? Because I make the same request and I receive the new access token but not the new refresh token.

What did you do exactly? Because it is the same: I don't get the new refresh token, and I am using the Authorization Code Flow.

You usually don't get a new refresh token when refreshing the access token using the authorization code flow. You just reuse the same refresh token every time you need to refresh the access token.

I use the "Authorization Code Flow" @ page Authorization Code Flow | Spotify for Developers which says you get a refresh_token back from a call to https://accounts.spotify.com/api/token. I'm not getting back a refresh token, only getting a redirecturl and code back. Maybe some misunderstanding still. I think you said we don't need it, just stick with and use the returned code, but used the term refresh token which the OP or I aren't getting in the first place. The docs lead you to believe you do need a returned refresh token.

 

I'm here in on this now because I'm trying to find the correct way to prevent a user from having to log in on every new session using my app.

Please read the authorization guide very carefully. It's very clear about which parameters are required for each request, as well as the expected response.

 

I don't believe you that you received the redirect uri and code from the "https://accounts.spotify.com/api/token" endpoint. Please check your code again. The "https://accounts.spotify.com/authorize" endpoint redirects to your redirect uri with the code parameter in the query string.

Turns out I have been or are now getting back a refresh token and my json class may have had a deserializing issue. I added a json accept to the header. Don't know if that was a difference maker.


"\"access_token\":\"omitted\",\"token_type\":\"Bearer\",\"expires_in\":3600,\"refresh_token\":\"omitted\",\"scope\":\"playlist-read-private streaming playlist-read-collaborative user-modify-playback-state user-library-read playlist-modify-private playlist-modify-public user-read-playback-state\"}"

Hi there, I'm using Authorization Code Flow and I've got the same issue. I'm wondering if it is still the same?

Same here. Still happens, code flow here as well.

@ØyvindSelbek wrote:

Same here. Still happens, code flow here as well.

@ØyvindSelbek By now I worked it out by using the refresh_token returned by login, as suggested by Peter_Schorn: "You usually don't get a new refresh token when refreshing the access token using the authorization code flow. You just reuse the same refresh token every time you need to refresh the access token." And till now it works.

Yeah, that's my method as well, but it's not really "the way" 🙂

It is "the way". Your code should always check to see if you get a new refresh token, but, if you don't, you keep reusing the one you originally received. Notice that in the documentation for Request a refreshed Access Token, it says:

 

The response will be similar to this:

 

{
   "access_token": "NgA6ZcYI...ixn8bUQ",
   "token_type": "Bearer",
   "scope": "user-read-private user-read-email",
   "expires_in": 3600
}

 

Notice there is no refresh token in this JSON payload.
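The handling this thread settles on, as an added example that is not part of any post or of Spotify's documentation: merge each token response into the stored state, replacing the refresh token only when the response carries a new one. `TokenState`, `build_refresh_body` and `apply_refresh_response` are hypothetical names, the request fields mirror the cURL sample above, and the two responses are constructed placeholders.

```python
import json
import time
from dataclasses import dataclass, replace
from urllib.parse import urlencode

TOKEN_URL = "https://accounts.spotify.com/api/token"  # endpoint named in the thread


@dataclass(frozen=True)
class TokenState:  # hypothetical container for what the app persists
    access_token: str
    refresh_token: str
    expires_at: float  # absolute Unix time


def build_refresh_body(state: TokenState, client_id: str) -> str:
    """Form body for the refresh request, same fields as the cURL sample."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": state.refresh_token,
        "client_id": client_id,
    })


def apply_refresh_response(state: TokenState, body: str, now: float) -> TokenState:
    """Merge a token-endpoint response into the stored state.

    A rotated refresh_token replaces the stored one (the old value is
    dropped); if the field is absent or empty, the original is kept.
    """
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token endpoint error: {data['error']}")
    if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
        raise ValueError("response is not a usable Bearer token")
    return replace(
        state,
        access_token=data["access_token"],
        refresh_token=data.get("refresh_token") or state.refresh_token,
        expires_at=now + int(data["expires_in"]),
    )


# Constructed sample responses; token values are placeholders.
NO_ROTATION = '{"access_token": "AT-2", "token_type": "Bearer", "scope": "user-read-private", "expires_in": 3600}'
ROTATED = '{"access_token": "AT-3", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "RT-2"}'

if __name__ == "__main__":
    s1 = apply_refresh_response(TokenState("AT-1", "RT-1", 0.0), NO_ROTATION, time.time())
    s2 = apply_refresh_response(s1, ROTATED, time.time())
    print(s1.refresh_token, s2.refresh_token)
```

Persist the returned state atomically after every refresh, so a rotated refresh token is never lost between the response and the next request.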
