Authorization Code Flow. Have your application request authorization; the user logs in and authorizes access. Your application sends a request to the Spotify Accounts service. The reason your application sends this request may vary: A step in the initialization of your application. A response to a user action, like a button click. Spotify’s API has great documentation, and in there. They describe the 3 types of authorisation flows you can go through to use their API. The one we’ll be using today is the authorisation code. Our application flow should be: The Xamarin app redirect to the spotify oauth page. If the authentication succeed, it gets the authorization code. The Xamarin app send the authorization code to the server. The server ask for an accesstoken and refreshtoken to spotify in exchange of the authorization code. Authorization Code Flow Here is the workflow for working with this server in your front-end application. This authorization flow requires the user to grant permission for your app to use their credentials to obtain an access token and refresh token and make calls to the Spotify API on their behalf. More information on this flow can be found here. Here are a few more examples of using Spotipy, this time using the Authorization Code Flow to access your personal Spotify account data. Add tracks to a playlist: import sys import spotipy import spotipy.util as util if len ( sys. Argv ) 3: username = sys. Argv 1 playlistid = sys. Argv 2 trackids = sys. Argv 3: else: print.
You can enable other users to authorize your OAuth App.
All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.
Make a contributionOr, learn how to contribute.
GitHub's OAuth implementation supports the standard authorization code grant type and the OAuth 2.0 Device Authorization Grant for apps that don't have access to a web browser.
If you want to skip authorizing your app in the standard way, such as when testing your app, you can use the non-web application flow.
To authorize your OAuth app, consider which authorization flow best fits your app.
Note: If you are building a GitHub App, you can still use the OAuth web application flow, but the setup has some important differences. See 'Identifying and authorizing users for GitHub Apps' for more information.
The web application flow to authorize users for your app is:
When your GitHub App specifies a login parameter, it prompts users with a specific account they can use for signing in and authorizing your app.
| Name | Type | Description |
|---|---|---|
client_id | string | Required. The client ID you received from GitHub when you registered. |
redirect_uri | string | The URL in your application where users will be sent after authorization. See details below about redirect urls. |
login | string | Suggests a specific account to use for signing in and authorizing the app. |
scope | string | A space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application. For users who have authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with user scope and another token with repo scope, a third web flow that does not provide a scope will receive a token with user and repo scope. |
state | string | An unguessable random string. It is used to protect against cross-site request forgery attacks. |
allow_signup | string | Whether or not unauthenticated users will be offered an option to sign up for GitHub during the OAuth flow. The default is true. Use false when a policy prohibits signups. |
If the user accepts your request, GitHub redirects back to your site with a temporary code in a code parameter as well as the state you provided in the previous step in a state parameter. The temporary code will expire after 10 minutes. If the states don't match, then a third party created the request, and you should abort the process.
Exchange this code for an access token:
| Name | Type | Description |
|---|---|---|
client_id | string | Required. The client ID you received from GitHub for your GitHub App. |
client_secret | string | Required. The client secret you received from GitHub for your GitHub App. |
code | string | Required. The code you received as a response to Step 1. |
redirect_uri | string | The URL in your application where users are sent after authorization. |
state | string | The unguessable random string you provided in Step 1. |
By default, the response takes the following form:
You can also receive the content in different formats depending on the Acceptheader:
The access token allows you to make requests to the API on a behalf of a user.
For example, in curl you can set the Authorization header like this:
Transfer spotify playlist to apple music on mac. Note: The device flow is in public beta and subject to change. To enable this beta feature, see 'Activating beta features for apps.'
The device flow allows you to authorize users for a headless app, such as a CLI tool or Git credential manager.
https://github.com/login/device.Your app must request a user verification code and verification URL that the app will use to prompt the user to authenticate in the next step. This request also returns a device verification code that the app must use to receive an access token and check the status of user authentication.
| Name | Type | Description |
|---|---|---|
client_id | string | Required. The client ID you received from GitHub for your app. |
scope | string | The scope that your app is requesting access to. |
| Name | Type | Description |
|---|---|---|
device_code | string | The device verification code is 40 characters and used to verify the device. |
user_code | string | The user verification code is displayed on the device so the user can enter the code in a browser. This code is 8 characters with a hyphen in the middle. |
verification_uri | string | The verification URL where users need to enter the user_code: https://github.com/login/device. |
expires_in | integer | The number of seconds before the device_code and user_code expire. The default is 900 seconds or 15 minutes. |
interval | integer | The minimum number of seconds that must pass before you can make a new access token request (POST https://github.com/login/oauth/access_token) to complete the device authorization. For example, if the interval is 5, then you cannot make a new request until 5 seconds pass. If you make more than one request over 5 seconds, then you will hit the rate limit and receive a slow_down error. |
Your device will show the user verification code and prompt the user to enter the code at https://github.com/login/device.
Your app will make device authorization requests that poll POST https://github.com/login/oauth/access_token, until the device and user codes expire or the user has successfully authorized the app with a valid user code. The app must use the minimum polling interval retrieved in step 1 to avoid rate limit errors. For more information, see 'Rate limits for the device flow.'
Apple watch spotify app stream. The user must enter a valid code within 15 minutes (or 900 seconds). After 15 minutes, you will need to request a new device authorization code with POST https://github.com/login/device/code.
Once the user has authorized, the app will receive an access token that can be used to make requests to the API on behalf of a user.
| Name | Type | Description |
|---|---|---|
client_id | string | Required. The client ID you received from GitHub for your OAuth App. |
device_code | string | Required. The device verification code you received from the POST https://github.com/login/device/code request. |
grant_type | string | Required. The grant type must be urn:ietf:params:oauth:grant-type:device_code. |
When a user submits the verification code on the browser, there is a there is a rate limit of 50 submissions in an hour per application.
If you make more than one access token request (POST https://github.com/login/oauth/access_token) within the required minimum timeframe between requests (or interval), you'll hit the rate limit and receive a slow_down error response. The slow_down error response adds 5 seconds to the last interval. For more information, see the Errors for the device flow.
| Error code | Description |
|---|---|
authorization_pending | This error occurs when the authorization request is pending and the user hasn't entered the user code yet. The app is expected to keep polling the POST https://github.com/login/oauth/access_token request without exceeding the interval, which requires a minimum number of seconds between each request. |
slow_down | When you receive the slow_down error, 5 extra seconds are added to the minimum interval or timeframe required between your requests using POST https://github.com/login/oauth/access_token. For example, if the starting interval required at least 5 seconds between requests and you get a slow_down error response, you must now wait a minimum of 10 seconds before making a new request for an OAuth access token. The error response includes the new interval that you must use. |
expired_token | If the device code expired, then you will see the token_expired error. You must make a new request for a device code. |
unsupported_grant_type | The grant type must be urn:ietf:params:oauth:grant-type:device_code and included as an input parameter when you poll the OAuth token request POST https://github.com/login/oauth/access_token. |
incorrect_client_credentials | For the device flow, you must pass your app's client ID, which you can find on your app settings page. The client_secret is not needed for the device flow. |
incorrect_device_code | The device_code provided is not valid. |
access_denied | When a user clicks cancel during the authorization process, you'll receive a access_denied error and the user won't be able to use the verification code again. |
For more information, see the 'OAuth 2.0 Device Authorization Grant.'
Non-web authentication is available for limited situations like testing. If you need to, you can use Basic Authentication to create a personal access token using your Personal access tokens settings page. This technique enables the user to revoke access at any time.
Note: When using the non-web application flow to create an OAuth2 token, make sure to understand how to work withtwo-factor authentication ifyou or your users have two-factor authentication enabled.
The redirect_uri parameter is optional. If left out, GitHub willredirect users to the callback URL configured in the OAuth Applicationsettings. If provided, the redirect URL's host and port must exactlymatch the callback URL. The redirect URL's path must reference asubdirectory of the callback URL.
The optional redirect_uri parameter can also be used for localhost URLs. If the application specifies a localhost URL and a port, then after authorizing the application users will be redirected to the provided URL and port. The redirect_uri does not need to match the port specified in the callback url for the app.
For the http://localhost/path callback URL, you can use this redirect_uri:
You can create multiple tokens for a user/application/scope combination to create tokens for specific use cases.
This is useful if your OAuth App supports one workflow that uses GitHub for sign-in and only requires basic user information. Another workflow may require access to a user's private repositories. Using multiple tokens, your OAuth App can perform the web flow for each use case, requesting only the scopes needed. If a user only uses your application to sign in, they are never required to grant your OAuth App access to their private repositories.
There is a limit to the number of tokens that are issued per user/application/scope combination. If your application requests enough tokens to go over one of the limits, older tokens with the same scope being requested will stop working.
Warning: Revoking all permission from an OAuth App deletes any SSH keys the application generated on behalf of the user, including deploy keys.
You can link to authorization information for an OAuth App so that users can review and revoke their application authorizations.
To build this link, you'll need your OAuth Apps client_id that you received from GitHub when you registered the application.
Tip: To learn more about the resources that your OAuth App can access for a user, see 'Discovering resources for a user.'
'Troubleshooting authorization request errors'
'Troubleshooting OAuth App access token request errors'
'Device flow errors'
Curious about the possibility of displaying Spotify playlists on my website, I investigated the Spotify Web API. Initially, I thought everything seemed quite easy, but then I got to the authentication and authorization section. As it turned out, it is not that simple but after trial and error, I got what I wanted. Here’s what I did.
The result can be found here. Here’s what it looks like:
In order to get this result, we need to call two different endpoints in the Web API:
There are two placeholders in this URL that need to be replaced by the user ID you want to query and the playlist ID you want to see. You cannot just navigate to the Web API Uri in your web browser: you will get a 401 error message. To authenticate, you need to pass additional information in the request header. This is where it becomes tricky. As the Spotify Web API’s documentation states, there are a couple of authorization flows to access private user data. In this case for the playlists, the Client Credentials flow is sufficient. The code samples below will use this approach. First of all, you need to have your own Spotify App. This app will generate a client ID and secret for you. You will need this in a minute. The following code will retrieve an access token for your application.
Two clarifications need to be made:
Take the Client Id and Client secret of your application, we need to encode this first – this site will help you out. Paste the client id and secret in the following format: ClientId:ClientSecret. Copy the encoded result and replace this by the text marked in blue.
Now you have enough information to do the actual web request. This siteis a good tool to do web requests. Let’s take the first Web API endpoint, don’t forget to add a request header with the value you just generated. Do the request and you will retrieve JSON data if all went well. Although not strictly necessary, I thought it was interesting to generate classes of the JSON data. There are a few good free toolsavailable that generate C# classes out of JSON data.Then we can use these set of classes to deserialize the retrieved JSON data from the Web API in the C# code. For this endpoint, the class structure is fairly easy:
Once the serialization is done, we can get the access token. Once we have this token, we can retrieve information from my Spotify user data. Continue reading in the second part of this series.