Spotify's Auth Server not OAuth/OIDC spec compliant?

I was looking at Spotify's authorization implementation for the API and I'm not sure it's following the OAuth/OIDC spec which makes it hard to work with.

Take a look at the OIDC config:
{
  "issuer": "https://accounts.spotify.com",
  "authorization_endpoint": "https://accounts.spotify.com/oauth2/v2/auth",
  "token_endpoint": "https://accounts.spotify.com/api/token",
  "userinfo_endpoint": "https://accounts.spotify.com/oidc/userinfo/v1",
  "revocation_endpoint": "https://accounts.spotify.com/oauth2/revoke/v1",
  "scopes_supported": ["email", "openid", "profile"],
  "jwks_uri": "https://accounts.spotify.com/oidc/certs/v1",
  "response_types_supported": ["code", "none"],
  "response_modes_supported": ["query"],
  "code_challenge_methods_supported": ["S256"],
  "grant_types_supported": ["authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code", "urn:ietf:params:oauth:grant-type:jwt-bearer"],
  "acr_values_supported": ["urn:spotify:sso:acr:legacy", "urn:spotify:sso:acr:bronze:v1", "urn:spotify:sso:acr:silver:v1", "urn:spotify:sso:acr:artist:2fa"],
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "claims_supported": ["aud", "email", "email_verified", "exp", "iat", "iss", "name", "picture", "preferred_username", "sub"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "ui_locales_supported": ["af-ZA", "am-ET", "ar", "az-AZ", "bg-BG", "bn-IN", "bp", "cs", "da-DK", "de", "el", "en", "es", "es-ES", "et-EE", "fa-IR", "fi", "tl", "fr", "fr-CA", "gu-IN", "he-IL", "hi-IN", "hr-HR", "hu", "id", "is-IS", "it", "ja", "kn-IN", "ko", "lv-LV", "lt-LT", "ml-IN", "mr-IN", "ms", "nb-NO", "ne-NP", "nl", "or-IN", "pa-IN", "pa-PK", "pl", "pt-BR", "pt-PT", "ro-RO", "ru", "sk-SK", "sl-SI", "sr-RS", "sv", "sw", "ta-IN", "te-IN", "th-TH", "tr", "uk-UA", "ur", "vi-VN", "zh-CN", "zh-TW", "zu-ZA"]
}

1. There are scopes supported (email, openid, profile) but when I try using these scopes, it says Invalid Scope...

2. If I use an access token with the userinfo_endpoint, it returns a 403. No matter what scopes (that actually work) I use, I always get 403.

3. There's no id_token in the response that I can crack open.

4. The access token doesn't seem to be a JWT, so I can't crack it open.

I'm trying to use OAuth/OIDC spec constructs to get the user's username... and I need a solution in-spec since I am not working with only Spotify, I'm trying to support all providers dynamically.

So... what gives? How come Spotify's authorization server doesn't seem to be a valid implementation of an OAuth/OIDC server?
4 Replies

Hi @TylerLeonhardt 

To work with the Spotify API, you should implement the OAuth 2.0 authorization framework, specified on this page.

Ximzend (Spotify Star)
Help others find this answer and click "Accept as Solution".
If you appreciate my answer, maybe give me a Like.
Note: I'm not a Spotify employee.

Hi Ximzend, thanks for the link. I've looked through that already and there was no spec-compliant way to get a username... and worse, the current design is actually breaking the spec, for example by advertising scopes that are not allowed.

Hi @TylerLeonhardt 

You can get the username of a user, after they have logged in, with Get Current User's Profile.

Also, here is a separate reference page for Ads API.

Let me know if this answers your question.

Ximzend (Spotify Star)

Thanks for responding, but I need an OAuth/OIDC compliant way to get the username and that endpoint is unique to Spotify.
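The spec constructs the original poster is trying to lean on (discovery document, Authorization Code flow with PKCE, id_token claim validation, preferred_username) can be exercised provider-agnostically without anything Spotify-specific. The following is an added example, not code from the thread, from Spotify or from any library; it makes no network calls. DISCOVERY_JSON is a trimmed copy of the discovery document quoted in the post (locale, ACR, grant and revocation entries dropped), the client_id, redirect URI and id_token are constructed for illustration, and the id_token carries a dummy signature, so the RS256 check against jwks_uri that a real client must perform first is deliberately not shown.

```python
"""Provider-agnostic OIDC client pieces built from a discovery document.
Added example, not code from the thread or from Spotify; no network calls.
DISCOVERY_JSON is a trimmed copy of the document quoted in the post; the
id_token built below is constructed and carries a dummy signature."""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import urlencode

DISCOVERY_JSON = '''{
  "issuer": "https://accounts.spotify.com",
  "authorization_endpoint": "https://accounts.spotify.com/oauth2/v2/auth",
  "token_endpoint": "https://accounts.spotify.com/api/token",
  "userinfo_endpoint": "https://accounts.spotify.com/oidc/userinfo/v1",
  "jwks_uri": "https://accounts.spotify.com/oidc/certs/v1",
  "scopes_supported": ["email", "openid", "profile"],
  "response_types_supported": ["code", "none"],
  "response_modes_supported": ["query"],
  "code_challenge_methods_supported": ["S256"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "claims_supported": ["aud", "email", "email_verified", "exp", "iat", "iss",
                       "name", "picture", "preferred_username", "sub"]
}'''
DISCOVERY = json.loads(DISCOVERY_JSON)


def b64url_encode(raw):
    """base64url without '=' padding, as PKCE and JWT use it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def username_routes(discovery):
    """Which in-spec routes to a username does the provider advertise?"""
    return {
        "openid_scope": "openid" in discovery.get("scopes_supported", []),
        "id_token_preferred_username": "preferred_username" in discovery.get("claims_supported", []),
        "userinfo_endpoint": bool(discovery.get("userinfo_endpoint")),
    }


def pkce_pair(verifier=None):
    """RFC 7636 code_verifier and its S256 code_challenge = base64url(sha256(verifier))."""
    if verifier is None:
        verifier = b64url_encode(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    return verifier, b64url_encode(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(discovery, client_id, redirect_uri, scopes, state, nonce, code_challenge):
    """Authorization Code + PKCE request. Returns the URL and any requested scope the
    provider does not list in scopes_supported (advertised and accepted can differ, as the post shows)."""
    if "code" not in discovery["response_types_supported"]:
        raise ValueError("provider does not support response_type=code")
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not support PKCE S256")
    unlisted = [s for s in scopes if s not in discovery.get("scopes_supported", [])]
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding, compared on the redirect back
        "nonce": nonce,  # replay binding, compared against the id_token claim
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params), unlisted


def jwt_payload_or_none(token):
    """Payload of a JWS compact token, or None for an opaque token (RFC 6749 lets
    access tokens be opaque to the client, so never depend on cracking them open)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(header, dict) and "alg" in header else None


def username_from_id_token_claims(claims, discovery, client_id, nonce, now=None):
    """OIDC Core 3.1.3.7 claim checks; RS256 signature verification against jwks_uri
    must already have passed before these claims are trusted (not shown here)."""
    now = time.time() if now is None else now
    if claims.get("iss") != discovery["issuer"]:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("aud does not contain client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must equal client_id when there are multiple audiences")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("exp missing or id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    # preferred_username is the spec claim for a login name; sub is the stable fallback.
    return claims.get("preferred_username") or claims.get("name") or claims["sub"]


def make_unsigned_id_token(claims):
    """Constructed id_token with a dummy signature, for offline demonstration only."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(b'not-a-real-signature')}"


SAMPLE_CLAIMS = {"iss": "https://accounts.spotify.com", "aud": "my-client", "sub": "pairwise-123",
                 "exp": 4102444800, "iat": 1700000000, "nonce": "n-1", "preferred_username": "tyler"}

if __name__ == "__main__":
    print(username_routes(DISCOVERY))
    verifier, challenge = pkce_pair()
    url, unlisted = build_authorization_url(DISCOVERY, "my-client", "http://127.0.0.1:8080/cb",
                                            ["openid", "profile"], secrets.token_urlsafe(16), "n-1", challenge)
    print(url, unlisted)
    claims = jwt_payload_or_none(make_unsigned_id_token(SAMPLE_CLAIMS))
    print(username_from_id_token_claims(claims, DISCOVERY, "my-client", "n-1"))
```

The order of operations matters for the multi-provider case the poster describes: read scopes_supported and claims_supported from discovery to decide whether preferred_username from the id_token or a userinfo_endpoint call is the route to a username, send state and nonce with the PKCE request, and only consult claims after the signature has been checked against jwks_uri with the algorithm listed in id_token_signing_alg_values_supported. When a provider returns no id_token or rejects scopes it advertises, this code surfaces that as an error or an "unlisted" list rather than guessing at a provider-specific endpoint.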
