
Using PKCE authorization flow, does the client ID and redirect URL need to be kept secret?

I am creating an open-source command-line tool that will be using Spotify API. For authorization flow I am using the PKCE flow with a client ID and a redirect URL. My understanding is that when I distribute my tool, both the client ID and the redirect URL must be somewhere in its source code so the users of the tool would be able to authenticate. However, putting both into the source code makes them public. Given that for PKCE authorization the client secret is not required, is there anything that would stop someone else from using my client ID and redirect URL in a completely different setting (another app etc.)?

6 Replies

If there isn't a localhost address in the Dashboard of your app or the redirect url isn't a localhost address, others can't use your client id for other uses.

Also, users can see the redirect url and client id in the URL bar while logging in anyway.

It seems like even if the redirect URL is not localhost, as long as it is public (and it will always be public because it is exposed in the login URL as a parameter), it can be used by anyone together with the client ID (which is also public). The redirect URL does not even need to be a "real" URL (i.e. it does not need to respond to requests) - its only purpose is to exist in Spotify app's dashboard for Spotify to try to redirect to it with a `code` query parameter.

I can't quite wrap my head around the security aspect of the PKCE flow. What am I missing?

If you try to use a Client ID with another Redirect URI, you will see "INVALID_CLIENT: Invalid redirect URI" instead of a log-in page.

Of course, but because both the client ID and the redirect URL are visible to everyone, someone could use them both in a completely different application, right? If so, then I don't understand how the PKCE flow is helping by not requiring the client secret.

No, because the log-in page redirects to the app it is supposed to redirect to.
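A small model of the two checks the replies describe, added here as an example and not Spotify's code or the original poster's tool: the redirect URI must exactly match one registered for the client ID, and the token exchange must present the `code_verifier` whose S256 hash was sent as `code_challenge`, so a public client ID and redirect URL on their own do not yield a token. The client ID, redirect URI and hostnames are constructed placeholders.

```python
import base64, hashlib, secrets
CLIENT_ID = "public-client-id"                    # assumed value: shipped in the tool's source
REDIRECT_URI = "http://127.0.0.1:8080/callback"   # assumed value: registered in the app dashboard

def s256_challenge(verifier):
    # code_challenge = BASE64URL(SHA256(code_verifier)) with '=' padding stripped (RFC 7636)
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

class AuthorizationServer:                        # toy stand-in for Spotify, no network involved
    def __init__(self, registered):
        self.registered = registered              # client_id -> redirect URIs from the dashboard
        self.pending = {}                         # code -> (client_id, redirect_uri, challenge)

    def authorize(self, client_id, redirect_uri, code_challenge):
        # exact match against the registered URIs: the "INVALID_CLIENT: Invalid redirect URI" case
        if redirect_uri not in self.registered.get(client_id, set()):
            raise ValueError("INVALID_CLIENT: Invalid redirect URI")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (client_id, redirect_uri, code_challenge)
        return code                               # only ever delivered to the registered redirect URI

    def token(self, client_id, code, redirect_uri, code_verifier):
        entry = self.pending.pop(code, None)      # authorization codes are single-use
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise ValueError("invalid_grant: unknown code or mismatched client/redirect")
        if not secrets.compare_digest(entry[2], s256_challenge(code_verifier)):
            raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer"}

def attempt(fn, *args):
    try:
        return fn(*args)
    except ValueError as err:
        return str(err)

def new_verifier():
    # the tool generates a fresh random verifier per login and sends only its S256 challenge
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def demo():
    server, out = AuthorizationServer({CLIENT_ID: {REDIRECT_URI}}), {}
    verifier = new_verifier()                     # 1. the tool's own login succeeds
    code = server.authorize(CLIENT_ID, REDIRECT_URI, s256_challenge(verifier))
    out["own_login"] = "access_token" in server.token(CLIENT_ID, code, REDIRECT_URI, verifier)
    # 2. the same public client ID used with a redirect URI that is not in the dashboard
    out["other_redirect"] = attempt(server.authorize, CLIENT_ID, "https://other-app.example/cb", s256_challenge(verifier))
    code2 = server.authorize(CLIENT_ID, REDIRECT_URI, s256_challenge(new_verifier()))  # 3. a code seen in transit
    out["code_without_verifier"] = attempt(server.token, CLIENT_ID, code2, REDIRECT_URI, "wrong-verifier")
    return out
```

Running `demo()` shows the first case returning a token and the other two returning the server's error strings; the verifier never leaves the process that started the login, which is what makes the public client ID safe to ship.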
