Why am I getting a new refresh_token when I request a refreshed access token?

I am using the authorization code flow for authentication with my app. When my access_token is about to expire and I request a new one using my refresh_token, Spotify does the request but also provides me a new refresh_token and invalidates my previous one.

I am following the flow described here: https://developer.spotify.com/documentation/general/guides/authorization-guide/#authorization-code-f...

Step 4 indicates that the response will be the following: 

{
   "access_token": "NgA6ZcYI...ixn8bUQ",
   "token_type": "Bearer",
   "scope": "user-read-private user-read-email",
   "expires_in": 3600
}

However, I get the following response: 

{ access_token:"BQA...GWU",
  token_type: 'Bearer',
  expires_in: 3600,
  refresh_token:"AQCQl...4Ke2KPQ",
  scope:
   'playlist-read-private playlist-read-collaborative user-follow-read playlist-modify-private user-read-email user-read-private app-remote-control user-follow-modify user-modify-playback-state user-library-read user-library-modify playlist-modify-public user-read-playback-state user-read-currently-playing user-read-recently-played user-top-read' }

Note the "refresh_token" in the response. 

3 Replies

Interesting, what language are you using? I am also having issues with my tokens in Swift, but I can't even get a return :/... When using the cURL command I can get a proper refresh token, but not when I request in Swift. (I am fairly new to using APIs so my code might just be poor)

Honestly, I think they implemented this incorrectly and didn't understand the protocol. The whole point of OAuth2 is that the refresh token is only revoked if the user removes access from the app. With Spotify you do this here: https://www.spotify.com/us/account/apps/

It is really weird that you get new refresh tokens every time. If someone intercepted the refresh token they could in theory use it for a long time!

Old thread, but just wanted to clarify that a service can (optionally) send a new refresh token when the existing one is redeemed by a client. See https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/

Any intercept risk is mitigated by the service also checking for Client Authentication.
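As an added example (not Spotify's code and not from anyone in this thread), here is a small Python client that copes with both response shapes shown above: it keeps the old refresh_token when the response omits one and replaces it when the service rotates, and it sends client authentication with the refresh request, which is the check the last reply refers to. The token endpoint URL is assumed from Spotify's authorization guide; the client id, secret and token values are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed from Spotify's authorization guide (not quoted in the thread).
TOKEN_URL = "https://accounts.spotify.com/api/token"


def build_refresh_request(client_id, client_secret, refresh_token):
    """Build the POST that redeems a refresh token.

    Client authentication goes in an HTTP Basic header, so a refresh token
    on its own is not enough to mint new access tokens.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode()
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def apply_token_response(stored, response_json):
    """Merge a token response into the stored credentials and return a copy.

    If the response carries a refresh_token, the service has rotated it and
    the old value is no longer valid, so it is replaced; if the field is
    absent, the existing refresh_token stays in use.
    """
    payload = json.loads(response_json)
    if "access_token" not in payload:
        raise ValueError(f"token endpoint error: {payload}")
    updated = dict(stored)
    updated["access_token"] = payload["access_token"]
    updated["expires_in"] = payload.get("expires_in", 3600)
    if "scope" in payload:
        updated["scope"] = payload["scope"]
    if payload.get("refresh_token"):
        updated["refresh_token"] = payload["refresh_token"]
    return updated
```

Persist the dict returned by apply_token_response after every refresh; a client that keeps the original refresh_token will fail on the next refresh once rotation has happened.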
