Reputation: 115
I am building a prototype to prove deriving user playlists etc. from Spotify. As this is user information, I've to use Spotify's authorization code workflow (refer https://developer.spotify.com/web-api/authorization-guide/#authorization_code_flow).
In this workflow, an application requests the user to grant scoped privileges so relevant information can be pulled out. In the series of calls that follow:
A call to /authorize calls back to the redirect_uri sent in the request and sends in a code, e.g. redirect_uri=../abc receives ../abc/callback?code=xyz,
as is exemplified in the docs.
xyz is then sent over to /api/token to get access_token and refresh_token.
Is there any way one can avoid repeatedly invoking /authorize once the grant has been given by the user?
In effect, can I not treat the code (from /authorize) like an OAuth token and preserve it (say in a database) to get a new access_token every time I need one? (As a direct comparison, check Facebook's OAuth token that can be saved and reused to authenticate every next time.)
How can I remember that a user has already granted me access to his/her Spotify profile and data?
Please indicate if I am missing something obvious from the documentation. Please point me right if this has been specified elsewhere.
Many thanks!
Upvotes: 1
Views: 4723
Reputation: 3279
For this use case you can use the Authorization Code flow. What you should persist is the refresh_token it returns, which can be used to obtain access tokens. You can also optionally persist the access token, which you can use for one hour, so you don't need to obtain a new access token every time.
There is a FAQ in the Authorization Guide that talks about a similar scenario, where a user would want to manage her playlists without having to go through the login process every time:
You basically need an access token and a refresh token issued for your user account. For obtaining an access token / refresh token pair you need to follow the Authorization Code Flow (if you need a certain scope to be approved) or Client Credentials (if you just need to sign your request, like when fetching a certain playlist). Once you obtain them, you can use your access token and refresh it when it expires without having to show any login form.
Upvotes: 1
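The pattern the answer describes, as an added example (not code from the question, the answer, or Spotify): exchange the one-time authorization code once, persist the refresh_token per user, and mint a fresh access_token from it only when the cached one is missing or about to expire. The authorization code itself is single-use in OAuth 2.0, which is why it cannot be kept and replayed the way the question proposes. The example assumes Spotify's token endpoint https://accounts.spotify.com/api/token with the client credentials sent as HTTP Basic and the standard refresh_token grant; the HTTP transport is injectable, and fake_spotify_post is a constructed stand-in so the flow runs offline. The client id, client secret and redirect URI are placeholders.

```python
"""Persisting a Spotify refresh_token and minting access tokens from it.

Added example, not from the question, the answer or Spotify's own code.
Assumes the token endpoint https://accounts.spotify.com/api/token and the
standard OAuth 2.0 refresh_token grant; the transport is injectable so the
logic can be exercised offline with a constructed response.
"""
import base64
import json
import time
from urllib import parse, request

TOKEN_URL = "https://accounts.spotify.com/api/token"
EXPIRY_LEEWAY_SECONDS = 60  # refresh a little before the hour is up


def _http_post(url, headers, form):
    """Real transport: form-encoded POST, JSON body back."""
    data = parse.urlencode(form).encode()
    req = request.Request(url, data=data, headers=headers, method="POST")
    with request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def _basic_auth_header(client_id, client_secret):
    """client_id:client_secret as HTTP Basic on /api/token (server side only)."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode(),
            "Content-Type": "application/x-www-form-urlencoded"}


class TokenRecord:
    """What to keep per user in the database: the long-lived refresh_token and,
    optionally, the current access_token with its expiry. The one-time
    authorization code is NOT stored; it is consumed by the code exchange."""

    def __init__(self, refresh_token, access_token=None, expires_at=0.0):
        self.refresh_token = refresh_token
        self.access_token = access_token
        self.expires_at = expires_at

    def access_token_is_fresh(self, now):
        return (self.access_token is not None
                and now + EXPIRY_LEEWAY_SECONDS < self.expires_at)


def exchange_code(code, redirect_uri, client_id, client_secret,
                  post=_http_post, now=time.time):
    """Turn the code from /authorize into a TokenRecord (done once per grant)."""
    body = post(TOKEN_URL, _basic_auth_header(client_id, client_secret),
                {"grant_type": "authorization_code", "code": code,
                 "redirect_uri": redirect_uri})
    return TokenRecord(body["refresh_token"], body["access_token"],
                       now() + body["expires_in"])


def ensure_access_token(record, client_id, client_secret,
                        post=_http_post, now=time.time):
    """Return (access_token, refreshed). Refreshes via the stored refresh_token
    only when the cached token is missing or about to expire."""
    if record.access_token_is_fresh(now()):
        return record.access_token, False
    body = post(TOKEN_URL, _basic_auth_header(client_id, client_secret),
                {"grant_type": "refresh_token",
                 "refresh_token": record.refresh_token})
    record.access_token = body["access_token"]
    record.expires_at = now() + body["expires_in"]
    # Some providers rotate the refresh token on use; keep the newest if present.
    if body.get("refresh_token"):
        record.refresh_token = body["refresh_token"]
    return record.access_token, True


def fake_spotify_post(url, headers, form):
    """Constructed stand-in for the token endpoint, for offline demonstration."""
    assert url == TOKEN_URL and headers["Authorization"].startswith("Basic ")
    if form["grant_type"] == "authorization_code":
        assert form["code"] == "xyz"
        return {"access_token": "access-1", "refresh_token": "refresh-1",
                "expires_in": 3600, "token_type": "Bearer"}
    if form["grant_type"] == "refresh_token":
        assert form["refresh_token"] == "refresh-1"
        return {"access_token": "access-2", "expires_in": 3600,
                "token_type": "Bearer"}
    raise ValueError("unsupported grant_type")


def demo():
    """Exchange once, reuse the cached token while fresh, refresh after expiry."""
    clock = [1_000_000.0]

    def now():
        return clock[0]

    cid, secret = "client-id-placeholder", "client-secret-placeholder"
    record = exchange_code("xyz", "https://example.com/callback", cid, secret,
                           post=fake_spotify_post, now=now)
    first = ensure_access_token(record, cid, secret, post=fake_spotify_post, now=now)
    clock[0] += 3600  # an hour later the cached access token has expired
    second = ensure_access_token(record, cid, secret, post=fake_spotify_post, now=now)
    return record.refresh_token, first, second


if __name__ == "__main__":
    print(demo())
```

The record is what belongs in the database; the client secret stays on the server, and the redirect URI sent on the code exchange must match the one used on /authorize or the exchange is rejected.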