[GH-ISSUE #244] Todo: Reverse engineer new Facebook login flow. #168

Closed
opened 2026-02-27 19:29:11 +03:00 by kerem · 7 comments
Owner

Originally created by @devgianlu on GitHub (Sep 4, 2018).
Original GitHub issue: https://github.com/librespot-org/librespot/issues/244

The Facebook login flow described in the docs is outdated. This is the result of visiting that endpoint:

![](https://user-images.githubusercontent.com/14827249/45039417-e1b84180-b063-11e8-8218-6c588ba377ee.png)

@sashahilton00 commented on GitHub (Nov 8, 2018):

New URL client requests in browser is: `https://login2.spotify.com/login-facebook-sso/login?token=Ci0IARIpCInV-ojvLBIgjCK8h8zIv_ioJFP8FD2Nj1GpNARTIqF8Pb6WVtMLTJ0SILGE_PXbS48xP3YXkgTrY4ZfeGsq77r-F9LYsCIDiAiB`
Will take some further digging to work out exactly how it works, but my guess is that it opens up a websockets connection, requests a login token, then the server notifies the client once that token has an access token associated to it from the Facebook auth callback. Anyone is welcome to poke around inside the Spotify client to work out what's going on, I will eventually get around to it, but it's low on the priorities list as I don't use Facebook.


@sashahilton00 commented on GitHub (Nov 9, 2018):

Also, this login flow seems to be exclusive to the desktop app. Mobile app uses a different flow.


@sashahilton00 commented on GitHub (Nov 9, 2018):

Ok, so here's how the auth flow works:

1. Spotify client makes a GET request to: `https://login2.spotify.com/v1/config` that returns the following:

   ```
   {
   	"login_url": "https://login2.spotify.com/login-facebook-sso/login?token=Ci0IARIpCIK_ocnvLBIgVelyXIR_MA...ik_wCYbJBq9",
   	"signup_url": "https://login2.spotify.com/login-facebook-sso/signup?token=Ci0IARIpCIK_ocnvLBIgVelyXIR_MA...ik_wCYbJBq9",
   	"cancel_url": "https://login2.spotify.com/v1/cancel?token=Ci0IARIpCIK_ocnvLBIgVelyXIR_MA...ik_wCYbJBq9",
   	"credentials_url": "https://login2.spotify.com/v1/credentials?token=Ci0IARIpCIK_ocnvLBIgVelyXIR_MA...ik_wCYbJBq9"
   }
   ```

2. A browser window is then opened to the `login_url`, which redirects to the Facebook login page.
3. The Spotify client begins HTTP polling the `credentials_url`, which returns `202 Accepted` responses whilst awaiting authentication. Once authenticated, the `credentials_url` returns a `200 OK` response, with the following payload:

   ```
   {
   	"credentials": {
   		"username": "sashahilton00",
   		"auth_type": 1,
   		"encoded_auth_blob": "QVFCcFl...RtaHc="
   	},
   	"error": null
   }
   ```

where the `encoded_auth_blob` is the base64 encoded auth blob.

This behaviour shouldn't be particularly hard to implement in librespot. There are no API keys/special headers involved with the endpoint at the time of writing, so librespot could fairly easily adopt a `--fb-login` flag that retrieved the auth URL, printed it to console, then polled it until the auth was complete. I'd suggest a 5 minute cutoff for polling so as not to leave one instance of librespot endlessly polling if someone starts it and then doesn't authenticate, rather just panic if no auth received by then.

I may get around to implementing this, but as mentioned previously, I don't use it, so it could be a while.
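
The polling step from the comment above, sketched as an added example (not librespot's code and not written by the commenter): it treats `202` as pending, extracts the credentials on `200`, stops on any other status, and returns an error at the cutoff instead of panicking. `poll_credentials`, `PollError`, the `get` transport closure and the host/path prefix check are assumptions made for this sketch; the responses in `main` are constructed.

```rust
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum PollError { UntrustedUrl, Timeout, Http(u16), Malformed }

// Naive string-field extraction to stay std-only; use a JSON parser in real code.
fn field<'a>(body: &'a str, key: &str) -> Option<&'a str> {
    let pat = format!("\"{}\"", key);
    let rest = &body[body.find(&pat)? + pat.len()..];
    let rest = &rest[rest.find('"')? + 1..]; // skip past the value's opening quote
    Some(&rest[..rest.find('"')?])
}

// `get` is a hypothetical transport: takes a URL, returns (status, body).
pub fn poll_credentials<F>(url: &str, mut get: F, interval: Duration, cutoff: Duration)
    -> Result<(String, String), PollError>
where F: FnMut(&str) -> (u16, String) {
    // Assumption: only poll the host and path seen in the /v1/config response.
    if !url.starts_with("https://login2.spotify.com/v1/credentials?token=") {
        return Err(PollError::UntrustedUrl);
    }
    let deadline = Instant::now() + cutoff;
    loop {
        match get(url) {
            (202, _) => {} // still waiting for the browser login to finish
            (200, body) => {
                let user = field(&body, "username").ok_or(PollError::Malformed)?;
                let blob = field(&body, "encoded_auth_blob").ok_or(PollError::Malformed)?;
                return Ok((user.to_string(), blob.to_string()));
            }
            (code, _) => return Err(PollError::Http(code)), // redirects, 4xx, 5xx
        }
        if Instant::now() + interval > deadline { return Err(PollError::Timeout); }
        std::thread::sleep(interval);
    }
}

fn main() {
    // Constructed responses: two 202s, then a 200 in the payload shape shown above.
    let mut n = 0;
    let fake = |_: &str| -> (u16, String) { n += 1; if n < 3 { (202, String::new()) } else {
        (200, r#"{"credentials":{"username":"u","auth_type":1,"encoded_auth_blob":"QUJD"},"error":null}"#.to_string()) } };
    let url = "https://login2.spotify.com/v1/credentials?token=PLACEHOLDER";
    let r = poll_credentials(url, fake, Duration::from_millis(5), Duration::from_secs(300));
    println!("{:?}", r.map(|(user, _blob)| user)); // never print the blob itself
}
```

The token in `credentials_url` and the returned `encoded_auth_blob` both act as credentials, so neither belongs in logs or console output beyond the one-time `login_url` the user has to open.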


@devgianlu commented on GitHub (Nov 11, 2018):

Works nicely (librespot-org/librespot-java#16)! I'll leave it up to you when to close this issue.


@sashahilton00 commented on GitHub (Nov 11, 2018):

Cheers, we'll leave this open for now. Currently Facebook auth isn't actually implemented in librespot, but it comes under the category of useful to have, hence will leave it here until it gets implemented at some point.


@medwards commented on GitHub (Feb 5, 2021):

Heads up: Sasha's analysis in https://github.com/librespot-org/librespot/issues/244#issuecomment-437406231 is no longer accurate, all of these URLs are now redirects to a deprecation notice page. (see https://github.com/hrkfdn/ncspot/issues/310 )


@sashahilton00 commented on GitHub (Feb 23, 2021):

If I get some time I'll take a look at the new process. I wish they'd stop fixing stuff that wasn't broken...
