
Device Authorization Grant authentication flow for custom applications

This idea requests the enablement of the Device Authorization Grant authentication flow, which Spotify already uses for its TV applications, for custom applications that we can register via the Developer Dashboard.


I would like to create a headless device that can remote control Spotify via the Player API.

To access that API, I need the device to be authenticated, which is cumbersome via the supported options that Spotify offers, because all options require the user to use a login form with a redirect URL.


The Device Authorization Grant flow is a great way for headless devices to offer authentication while the user can use their own browser to approve the login request.


Spotify has even built this already for its TV applications!

Spotify Pair page (image courtesy of https://pragmaticwebsecurity.com/articles/oauthoidc/device-flow.html)


The steps are:

  1. the device can request a code to present to the user via https://accounts.spotify.com/oauth2/device/authorize using
    • the application's client_id
    • the desired scope
  2. the user can fill out this code on https://spotify.com/pair and approve login
  3. the device then fetches the token from https://accounts.spotify.com/api/token using
    • grant_type = urn:ietf:params:oauth:grant-type:device_code
    • device_code from response to the earlier authorize request
    • the application's client_id

With the client_id of a TV application, it is possible to obtain a valid token this way. Unfortunately, this does not work for custom client_ids, as it seems your application needs to be allowlisted to use this flow.


Therefore, this request is to enable this flow for custom applications requested from the Developer Dashboard.


Alternatives considered:

- the Zeroconf login flow is also not supported, and seems more cumbersome than the Device Authorization Grant authentication flow.
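The three steps listed in the post, written out as a device-side client. This is an added example, not code from the post or from Spotify: the two endpoint URLs and the grant_type are the ones the post names, but the request and response field names (device_code, user_code, verification_uri, expires_in, interval) and the error codes (authorization_pending, slow_down, access_denied, expired_token) are assumed to follow RFC 8628, which the post does not confirm for Spotify. The FakeAccountsServer, the client_id values and the token value are constructed so the flow runs offline; FakeClock stands in for real sleeping. Only allowlisted client_ids get a device code, mirroring the behaviour the post reports, and the poller handles the slow_down and expiry cases a real device must survive.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Endpoints and grant type as named in the post. Field names assume RFC 8628.
DEVICE_AUTHORIZE_URL = "https://accounts.spotify.com/oauth2/device/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowError(Exception):
    """The flow cannot complete: client not allowlisted, user denied, or code expired."""


def http_post_form(url, fields):
    """Real transport (form-encoded POST -> (status, JSON)); the test below swaps in a fake."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def request_device_code(post, client_id, scope):
    """Step 1: a public client (no secret on the device) asks for a device_code/user_code pair."""
    status, body = post(DEVICE_AUTHORIZE_URL, {"client_id": client_id, "scope": scope})
    if status != 200 or "device_code" not in body:
        raise DeviceFlowError(f"device authorization refused: {status} {body.get('error')}")
    return body


def poll_for_token(post, client_id, device_code, expires_in, interval,
                   sleep=time.sleep, now=time.monotonic):
    """Step 3: poll the token endpoint until the user approves (step 2) or the code expires.
    Per RFC 8628 3.5 (assumed): authorization_pending -> keep polling, slow_down -> add 5 s,
    access_denied / expired_token -> stop. Never poll faster than the server's interval."""
    deadline = now() + expires_in
    wait = max(int(interval), 1)
    while now() < deadline:
        status, body = post(TOKEN_URL, {"grant_type": DEVICE_GRANT,
                                        "device_code": device_code, "client_id": client_id})
        if status == 200 and "access_token" in body:
            return body
        error = body.get("error")
        if error == "slow_down":
            wait += 5
        elif error in ("access_denied", "expired_token"):
            raise DeviceFlowError(error)
        elif error != "authorization_pending":
            raise DeviceFlowError(f"unexpected token response: {status} {error}")
        sleep(wait)
    raise DeviceFlowError("expired_token")


def run_device_flow(post, client_id, scope, show_to_user=print, **clock):
    """Whole flow: get the pairing code, display it, then poll for the token."""
    grant = request_device_code(post, client_id, scope)
    show_to_user(f"Open {grant['verification_uri']} and enter code {grant['user_code']}")
    return poll_for_token(post, client_id, grant["device_code"],
                          grant["expires_in"], grant["interval"], **clock)


class FakeClock:
    """Constructed clock: sleeps advance time instantly and are recorded."""
    def __init__(self):
        self.t, self.slept = 0.0, []
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.slept.append(seconds)
        self.t += seconds


class FakeAccountsServer:
    """Constructed stand-in for accounts.spotify.com. Only allowlisted client_ids get a device
    code; the token endpoint answers slow_down once, then authorization_pending until the
    approve_after-th poll (None = the user never approves, so the code expires)."""
    ALLOWLISTED = {"tv-app-client-id"}  # hypothetical value

    def __init__(self, approve_after=3, expires_in=600, interval=5):
        self.approve_after, self.expires_in, self.interval, self.polls = approve_after, expires_in, interval, 0

    def post(self, url, fields):
        if url == DEVICE_AUTHORIZE_URL:
            if fields.get("client_id") not in self.ALLOWLISTED:
                return 400, {"error": "unauthorized_client"}
            return 200, {"device_code": "dc-constructed", "user_code": "ABCD-EFGH",
                         "verification_uri": "https://spotify.com/pair",
                         "expires_in": self.expires_in, "interval": self.interval}
        if url == TOKEN_URL:
            if fields.get("grant_type") != DEVICE_GRANT or fields.get("device_code") != "dc-constructed":
                return 400, {"error": "invalid_grant"}
            self.polls += 1
            if self.polls == 1:
                return 400, {"error": "slow_down"}
            if self.approve_after is None or self.polls < self.approve_after:
                return 400, {"error": "authorization_pending"}
            return 200, {"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}
        return 404, {"error": "not_found"}
```

Against the real endpoints you would call `run_device_flow(http_post_form, client_id, scope)`; with a non-allowlisted client_id the first request fails, which is the behaviour the post describes. The slow_down handling matters in practice: a device that ignores it and keeps polling at the old rate is exactly what an authorization server rate-limits or bans.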
