Announcements

Help Wizard

Step 1

NEXT STEP

Using PKCE authorization flow, does the client ID and redirect URL need to be kept secret?

Using PKCE authorization flow, does the client ID and redirect URL need to be kept secret?

Avatar of Ch00ki
Casual Listener
‎2023-02-14 03:50 PM

I am creating an open-source command-line tool that will be using Spotify API. For authorization flow I am using the PKCE flow with a client ID and a redirect URL. My understanding is that when I distribute my tool, both the client ID and the redirect URL must be somewhere in its source code so the users of the tool would be able to authenticate. However, putting both into the source code makes them public. Given that for PKCE authorization the client secret is not required, is there anything that would stop someone else from using my client ID and redirect URL in a completely different setting (another app etc.)?

Labels:
0 Likes
Reply
6 Replies

Avatar of Ximzend
Roadie
‎2023-02-14 04:20 PM

If their isn't a localhost address in the Dashboard of your app or the redirect url isn't a localhost address, others can't use your client id for other uses.

0 Likes

Avatar of Ximzend
Roadie
‎2023-02-14 04:41 PM

Also, users can see the redirect url and client id in the URL bar while logging in anyway.

0 Likes

Avatar of Ch00ki
Casual Listener
‎2023-02-15 07:45 AM

It seems like even if the redirect URL is not localhost, as long as it is public (and it will always be public because it is exposed in the login URL as a parameter), it can be used by anyone together with the client ID (which is also public). The redirect URL does not even need to be a "real" URL (i.e. it does not need to respond to requests) - its only purpose is to exist in Spotify app's dashboard for Spotify to try to redirect to it with a `code` query parameter.

I can't quite wrap my head around the security aspect of the PKCE flow. What am I missing?

0 Likes

Avatar of Ximzend
Roadie
‎2023-02-15 09:36 AM

If you try to use a Client ID with another Redirect URI, you will see "INVALID_CLIENT: Invalid redirect URI" instead a log-in page.

0 Likes

Avatar of Ch00ki
Casual Listener
‎2023-02-15 09:40 AM

Of course, but because both the client ID and the redirect URL is visible to everyone, someone could them both in a completely different application, right? If so, then I don't understand how PKCE flow is helping by not requiring the client secret.

0 Likes

Avatar of Ximzend
Roadie
‎2023-02-15 10:10 AM

No, because the log-in page redirects to the app it supposed to redirect to.

0 Likes

Suggested posts

Let's introduce ourselves!

Hey there you,   Yeah, you! 😁   Welcome - we're glad you joined the Spotify Community!   While you here, let's have a fun game…

Staff
ModeratorStaff / Moderator/ 1 year ago in Social & Random
Read more