I am creating an open-source command-line tool that will be using the Spotify API. For the authorization flow I am using the PKCE flow with a client ID and a redirect URL. My understanding is that when I distribute my tool, both the client ID and the redirect URL must be somewhere in its source code so the users of the tool would be able to authenticate. However, putting both into the source code makes them public. Given that for PKCE authorization the client secret is not required, is there anything that would stop someone else from using my client ID and redirect URL in a completely different setting (another app etc.)?
If there isn't a localhost address in the Dashboard of your app or the redirect url isn't a localhost address, others can't use your client id for other uses.
Also, users can see the redirect url and client id in the URL bar while logging in anyway.
It seems like even if the redirect URL is not localhost, as long as it is public (and it will always be public because it is exposed in the login URL as a parameter), it can be used by anyone together with the client ID (which is also public). The redirect URL does not even need to be a "real" URL (i.e. it does not need to respond to requests) - its only purpose is to exist in the Spotify app's dashboard for Spotify to try to redirect to it with a `code` query parameter.
I can't quite wrap my head around the security aspect of the PKCE flow. What am I missing?
If you try to use a Client ID with another Redirect URI, you will see "INVALID_CLIENT: Invalid redirect URI" instead of a log-in page.
Of course, but because both the client ID and the redirect URL are visible to everyone, someone could use them both in a completely different application, right? If so, then I don't understand how the PKCE flow is helping by not requiring the client secret.
No, because the log-in page redirects to the app it is supposed to redirect to.
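As an added illustration of the point the thread circles around (this is not code from the posts above or from Spotify), here is a minimal PKCE client and authorization server in Python: the client ID and redirect URI are public, but the redirect URI has to match the registration exactly before any login happens, and the resulting code is single-use and can only be redeemed by whoever holds the `code_verifier` that never left the CLI. The client ID, redirect URI and server logic are constructed assumptions modelled on RFC 7636, not Spotify's implementation.

```python
import base64
import hashlib
import secrets

# Constructed stand-ins for the values a CLI ships in source and registers in the dashboard.
CLIENT_ID = "demo-client-id"
REDIRECT_URI = "http://127.0.0.1:8888/callback"
REGISTERED_REDIRECTS = {CLIENT_ID: {REDIRECT_URI}}
_issued_codes = {}  # auth code -> (client_id, redirect_uri, code_challenge)

def s256(verifier):
    """RFC 7636 S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Client side: a fresh high-entropy verifier and its challenge for one login."""
    verifier = secrets.token_urlsafe(64)
    return verifier, s256(verifier)

def authorize(client_id, redirect_uri, code_challenge):
    """Server side: the redirect URI must exactly match a registered one before any login page."""
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
        return None, "INVALID_CLIENT: Invalid redirect URI"
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = (client_id, redirect_uri, code_challenge)
    return code, None

def token(client_id, redirect_uri, code, code_verifier):
    """Server side: the code is single-use and redeemable only with the matching verifier."""
    entry = _issued_codes.pop(code, None)  # consumed on the first attempt, success or not
    if entry != (client_id, redirect_uri, s256(code_verifier)):
        return None, "invalid_grant"
    return {"access_token": secrets.token_hex(16)}, None

def demo():
    """Run the flow as the real CLI and as someone reusing only the public values."""
    results = {}
    verifier, challenge = make_pkce_pair()
    # Public client ID with an unregistered redirect URI: refused up front, no login page.
    _, results["foreign_redirect"] = authorize(CLIENT_ID, "https://other.example/cb", challenge)
    code, _ = authorize(CLIENT_ID, REDIRECT_URI, challenge)
    tok, _ = token(CLIENT_ID, REDIRECT_URI, code, verifier)
    results["legit_exchange"] = tok is not None
    _, results["replay"] = token(CLIENT_ID, REDIRECT_URI, code, verifier)
    # A code seen in transit is useless without the verifier, which only the CLI process has.
    _, challenge = make_pkce_pair()
    code, _ = authorize(CLIENT_ID, REDIRECT_URI, challenge)
    _, results["stolen_code"] = token(CLIENT_ID, REDIRECT_URI, code, "not-the-verifier")
    return results
```

What PKCE does not do is stop someone from shipping their own client that presents your client ID and the same registered localhost redirect URI; it binds the code to the process that started the login, so keeping the registered redirect list tight is the control that matters.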