Refreshing the access token PKCE Flow

Country

Denmark (DK)

Device

Desktop

Operating System

Windows 10

My Question or Issue

I am trying to do a POST request for a new access token / refresh the access token with this JS code:

// clientId and client_Secret are defined elsewhere in the app (not shown in the post)
const refreshAccessToken = async () => {
  const refreshToken = localStorage.getItem('refresh_token');
  try {
    // form-encoded body for the token endpoint
    const body = new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: refreshToken,
      client_id: clientId,
      client_secret: client_Secret
    }).toString();
    const response = await fetch('https://accounts.spotify.com/api/token', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
      },
      body: body
    });

    // only the status code is surfaced; the response body is not read on failure
    if (!response.ok) {
      throw new Error('HTTP status ' + response.status);
    }

    const data = await response.json();
    localStorage.setItem('access_token', data.access_token);
  } catch (error) {
    console.error('Error refreshing access token:', error);
  }
};

but I'm getting this error: HTTP status 400, so something in this part of the code must be wrong:

const body = new URLSearchParams({
  grant_type: 'refresh_token',
  refresh_token: refreshToken,
  client_id: clientId,
  client_secret: client_Secret
}).toString();
const response = await fetch('https://accounts.spotify.com/api/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: body
});

I can't find the problem...
I appreciate the help!

Howldy Ulrick1432! 
It looks like you're on the right track, but there might be an issue with the parameters you're sending in your POST request. Double-check that your `refreshToken`, `clientId`, and `client_Secret` values are correct and not empty. Also, ensure that the `Content-Type` header is set correctly as `'application/x-www-form-urlencoded'`. If all the values are accurate and you’re still encountering issues, let me know and we’ll work this out.

Not to be hounding you.. but keep me in the loop!

-Prague the Dog

Hi Prague,

It seems like in the example above as well as in your response, the client_secret is required. However, my understanding is that for the PKCE flow, the client_secret should not be required, especially since the PKCE flow was designed for applications that can't be trusted with client secrets such as in-browser SPAs. The Spotify documentation page would seem to corroborate this, as no client_secret is specified in the request requirements: https://developer.spotify.com/documentation/web-api/tutorials/refreshing-tokens.

However, in my testing, a request to refresh the token fails with a status 400 "invalid_request" failure if no client_secret is provided, and succeeds if a client_secret is provided. I believe this is a bug in the Spotify server's implementation of the PKCE token refresh flow, requiring a client_secret when it should not be. Can you please confirm?

Thanks for any help you can provide! Sorry for digging up an old thread 🙏

Henry

If you omit `client_secret` and do the request as described in the documentation, does it still fail? Because I can only see that you should send `grant_type`, `refresh_token` and `client_id` in the refresh request.

Thanks for responding LambertSpot! I think I figured out that the underlying issue has to do with my use of Supabase and not with Spotify itself: https://community.spotify.com/t5/Spotify-for-Developers/Spotify-PKCE-Auth-Invalid-Client-Secret/m-p/...

 

TLDR: the bug appears to be with Supabase's initial login flow not using PKCE correctly, causing Spotify to require the client_secret later when attempting to refresh. Using a different OAuth client which correctly implements the PKCE causes Spotify to refresh the token correctly, even when no client_secret is provided.
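The refresh request as the thread's replies describe it (grant_type, refresh_token and client_id only, no client_secret, since a PKCE client is a public client and a secret shipped to a browser is not a secret), written up as an added example that is not part of the original thread. It also reads the JSON error body on a non-2xx response so that a 400 is reported with its OAuth error code (RFC 6749 error / error_description) instead of a bare status, which is what distinguishes an invalid_request from an invalid_grant or invalid_client. The fetch implementation and the storage object are injected so the function can run offline against the constructed fakeTokenEndpoint below; that fake is an assumption for the example and does not model Spotify's actual validation, and all token values in it are constructed.

```javascript
// Added example, not code from the original post. Assumes the token endpoint
// follows RFC 6749 (JSON body with error / error_description on failure).

const TOKEN_ENDPOINT = 'https://accounts.spotify.com/api/token';

// Build the documented PKCE refresh request. Only grant_type, refresh_token and
// client_id are sent; there is deliberately no client_secret field.
function buildRefreshRequest(refreshToken, clientId) {
  if (!refreshToken || !clientId) {
    throw new Error('refresh_token and client_id must both be non-empty');
  }
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    client_id: clientId,
  });
  return {
    url: TOKEN_ENDPOINT,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Perform the refresh. fetchImpl and store are injected: in a browser pass
// window.fetch and a storage object; here a fake endpoint and an in-memory store.
async function refreshAccessToken(refreshToken, clientId, fetchImpl, store) {
  const { url, options } = buildRefreshRequest(refreshToken, clientId);
  const response = await fetchImpl(url, options);
  // Read the body even on failure: the endpoint says why it rejected the request.
  let data = {};
  try {
    data = await response.json();
  } catch (_) {
    // non-JSON body; fall through with an empty object
  }
  if (!response.ok) {
    const reason = data.error
      ? `${data.error}: ${data.error_description || ''}`
      : 'no error body';
    throw new Error(`token refresh failed (HTTP ${response.status}; ${reason})`);
  }
  store.setItem('access_token', data.access_token);
  // A refresh may return a rotated refresh token; keep the newest one.
  if (data.refresh_token) {
    store.setItem('refresh_token', data.refresh_token);
  }
  return data;
}

// Constructed fake token endpoint (hypothetical, for offline use only).
function fakeTokenEndpoint(url, options) {
  const params = new URLSearchParams(options.body);
  const fail = (error, desc) => ({
    ok: false,
    status: 400,
    json: async () => ({ error, error_description: desc }),
  });
  if (url !== TOKEN_ENDPOINT || options.method !== 'POST') {
    return fail('invalid_request', 'wrong endpoint or method');
  }
  if (params.get('grant_type') !== 'refresh_token') {
    return fail('unsupported_grant_type', 'grant_type must be refresh_token');
  }
  if (params.get('refresh_token') !== 'rt-constructed-1') {
    return fail('invalid_grant', 'unknown refresh token');
  }
  return {
    ok: true,
    status: 200,
    json: async () => ({
      access_token: 'at-constructed-2',
      token_type: 'Bearer',
      expires_in: 3600,
      refresh_token: 'rt-constructed-2',
    }),
  };
}

// Minimal in-memory stand-in for localStorage.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
  };
}
```

In a real SPA the call is `refreshAccessToken(localStorage.getItem('refresh_token'), clientId, fetch, localStorage)`; the error message then carries the `error_description` the endpoint returned, which is the first thing to check when the request comes back 400.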