Why am I getting a new refresh_token when I request a refreshed access token?

Why am I getting a new refresh_token when I request a refreshed access token?

4ek-_v682hnvb

I am use the authorization code flow for authentication with my app. When my access_token is about to expire and I request a new one using my refresh_token, Spotify does the request but also provides me a new refresh_token and invalidates my previous one.

 

I am following the flow described here: https://developer.spotify.com/documentation/general/guides/authorization-guide/#authorization-code-f...

Step 4 indicates that the response will be the following: 

{
   "access_token": "NgA6ZcYI...ixn8bUQ",
   "token_type": "Bearer",
   "scope": "user-read-private user-read-email",
   "expires_in": 3600
}

However, I get the following response: 

 

 

 

 

{ access_token:"BQA...GWU",
  token_type: 'Bearer',
  expires_in: 3600,
  refresh_token:"AQCQl...4Ke2KPQ",
  scope:
   'playlist-read-private playlist-read-collaborative user-follow-read playlist-modify-private user-read-email user-read-private app-remote-control user-follow-modify user-modify-playback-state user-library-read user-library-modify playlist-modify-public user-read-playback-state user-read-currently-playing user-read-recently-played user-top-read' }

 

 

 

Note the "refresh_token" in the response. 

Reply
2 Replies

itscolinmurphy

Interesting, what language are you using? I am also having issues with my tokens in Swift, but I can't even get a return :/... When using the cURL command I can get a proper refresh token, but not when I request in Swift. (I am fairly new to using API's so my code might just be poor)

tintin10q

Honestly, I think they implemented this incorrectly and didn't understand the protocol. The whole point of oauth2 is that the refresh token is only revoked if the user removes access from the app. With spotify you do this here: https://www.spotify.com/us/account/apps/

 

It is really weird that you new refresh tokens every time. If someone would intercept the refresh token they could in theory use it for a long time! 

Suggested posts