[GH-ISSUE #754] `get_token` fails using credentials obtained through FB auth flow

kerem commented

2026-02-27 19:30:27 +03:00

Owner

Originally created by @medwards on GitHub (May 24, 2021).
Original GitHub issue: https://github.com/librespot-org/librespot/issues/754

I have credentials through a modified version of https://github.com/hrkfdn/ncspot/pull/537 that uses a newly created client id and client secret (CLIENT_ID from here on out). These credentials authenticate:

[2021-05-24][14:45:53] [librespot_core::session] [INFO] Authenticated as "##########" !
[2021-05-24][14:45:53] [librespot_playback::audio_backend::pulseaudio] [INFO] Using PulseAudio sink with format: S16
[2021-05-24][14:45:53] [librespot_core::session] [INFO] Country: "DE"

However librespot is unable to get a token using these credentials:

[2021-05-24][14:45:53] [librespot_core::mercury] [WARN] error 403 for uri hm://keymaster/token/authenticated?client_id=CLIENT_ID&scope=user-read-private,playlist-read-private,playlist-read-collaborative,playlist-modify-public,playlist-modify-private,user-follow-modify,user-follow-read,user-library-read,user-library-modify,user-top-read,user-read-recently-played

I have a hacked up version of examples/get_token.rs that works off of these credentials instead of whats passed on the command line (see github.com/medwards/librespot@fed29f4cec).

This works for the streaming scope:

~/forks/librespot$ cargo run --package librespot --example get_token -- /home/medwards/.cache/ncspot/librespot CLIENT_ID streaming
    Finished dev [unoptimized + debuginfo] target(s) in 0.06s
     Running `target/debug/examples/get_token /home/medwards/.cache/ncspot/librespot CLIENT_ID streaming`
Connecting..
Token: Token {
    access_token: "AN_ACCESS_TOKEN",
    expires_in: 3600,
    token_type: "Bearer",
    scope: [
        "streaming",
    ],
}

For any other scope or combination of scopes I get MecuryError.

~/forks/librespot$ cargo run --package librespot --example get_token -- /home/medwards/.cache/ncspot/librespot CLIENT_ID playlist-modify
    Finished dev [unoptimized + debuginfo] target(s) in 0.06s
     Running `target/debug/examples/get_token /home/medwards/.cache/ncspot/librespot CLIENT_ID playlist-modify`
Connecting..
 Got error: MercuryError
~/forks/librespot$ cargo run --package librespot --example get_token -- /home/medwards/.cache/ncspot/librespot CLIENT_ID playlist-read
    Finished dev [unoptimized + debuginfo] target(s) in 0.06s
     Running `target/debug/examples/get_token /home/medwards/.cache/ncspot/librespot CLIENT_ID playlist-read`
Connecting..
 Got error: MercuryError

I originally requested the following scopes when going through the oauth2 flow so I expect these to work (and mysteriously streaming does):

                  "app-remote-control",
                  "playlist-modify",
                  "playlist-modify-private",
                  "playlist-modify-public",
                  "playlist-read",
                  "playlist-read-collaborative",
                  "playlist-read-private",
                  "streaming",
                  "user-follow-modify",
                  "user-follow-read",
                  "user-library-modify",
                  "user-library-read",
                  "user-modify",
                  "user-read-private",
                  "user-read-recently-played",
                  "user-top-read",

Originally created by @medwards on GitHub (May 24, 2021). Original GitHub issue: https://github.com/librespot-org/librespot/issues/754 I have credentials through a modified version of https://github.com/hrkfdn/ncspot/pull/537 that uses a newly created client id and client secret (`CLIENT_ID` from here on out). These credentials authenticate: ``` [2021-05-24][14:45:53] [librespot_core::session] [INFO] Authenticated as "##########" ! [2021-05-24][14:45:53] [librespot_playback::audio_backend::pulseaudio] [INFO] Using PulseAudio sink with format: S16 [2021-05-24][14:45:53] [librespot_core::session] [INFO] Country: "DE" ``` However librespot is unable to get a token using these credentials: ``` [2021-05-24][14:45:53] [librespot_core::mercury] [WARN] error 403 for uri hm://keymaster/token/authenticated?client_id=CLIENT_ID&scope=user-read-private,playlist-read-private,playlist-read-collaborative,playlist-modify-public,playlist-modify-private,user-follow-modify,user-follow-read,user-library-read,user-library-modify,user-top-read,user-read-recently-played ``` I have a hacked up version of `examples/get_token.rs` that works off of these credentials instead of whats passed on the command line (see https://github.com/medwards/librespot/commit/fed29f4ceca9d4fedf49f251b1b7d9a0cdc74ed2). This works for the `streaming` scope: ``` ~/forks/librespot$ cargo run --package librespot --example get_token -- /home/medwards/.cache/ncspot/librespot CLIENT_ID streaming Finished dev [unoptimized + debuginfo] target(s) in 0.06s Running `target/debug/examples/get_token /home/medwards/.cache/ncspot/librespot CLIENT_ID streaming` Connecting.. Token: Token { access_token: "AN_ACCESS_TOKEN", expires_in: 3600, token_type: "Bearer", scope: [ "streaming", ], } ``` For any other scope or combination of scopes I get `MecuryError`. ``` ~/forks/librespot$ cargo run --package librespot --example get_token -- /home/medwards/.cache/ncspot/librespot CLIENT_ID playlist-modify Finished dev [unoptimized + debuginfo] target(s) in 0.06s Running `target/debug/examples/get_token /home/medwards/.cache/ncspot/librespot CLIENT_ID playlist-modify` Connecting.. Got error: MercuryError ~/forks/librespot$ cargo run --package librespot --example get_token -- /home/medwards/.cache/ncspot/librespot CLIENT_ID playlist-read Finished dev [unoptimized + debuginfo] target(s) in 0.06s Running `target/debug/examples/get_token /home/medwards/.cache/ncspot/librespot CLIENT_ID playlist-read` Connecting.. Got error: MercuryError ``` I originally requested the following scopes when going through the oauth2 flow so I expect these to work (and mysteriously `streaming` does): ``` "app-remote-control", "playlist-modify", "playlist-modify-private", "playlist-modify-public", "playlist-read", "playlist-read-collaborative", "playlist-read-private", "streaming", "user-follow-modify", "user-follow-read", "user-library-modify", "user-library-read", "user-modify", "user-read-private", "user-read-recently-played", "user-top-read", ```

kerem added the

reverse engineering

label

2026-02-27 19:30:27 +03:00

kerem commented

2026-02-27 19:30:27 +03:00

Author

Owner

@medwards commented on GitHub (May 24, 2021):

I made https://github.com/medwards/ncspot/tree/env-client-secrets if you want to reproduce your own credentials. However while setting it up I realized I was using the normal Spotify client id with my own client secret. If I use my client id and client secret for SPOTIFY_APP_CLIENT_ID then I can still authenticate however I can't get a token for any token in this case (incl. streaming). If I use the spotify desktop app client id as SPOTIFY_APP_CLIENT_ID and my client secret then you get the behaviour I described in the main body of the issue.

This might be expected behaviour, in which case feel free to close.

@medwards commented on GitHub (May 24, 2021): I made https://github.com/medwards/ncspot/tree/env-client-secrets if you want to reproduce your own credentials. However while setting it up I realized I was using the normal Spotify client id with my own client secret. If I use my client id and client secret for `SPOTIFY_APP_CLIENT_ID` then I can still authenticate however I can't get a token for *any* token in this case (incl. `streaming`). If I use the spotify desktop app client id as `SPOTIFY_APP_CLIENT_ID` and my client secret then you get the behaviour I described in the main body of the issue. This might be expected behaviour, in which case feel free to close.

kerem commented

2026-02-27 19:30:27 +03:00

Author

Owner

@sashahilton00 commented on GitHub (May 25, 2021):

It's possible that the keymaster endpoint simply doesn't support OAuth2 clients and their tokens. Given that this service is essentially an interop service that allows mercury clients to consume the HTTP endpoints protected by OAuth, the devs at Spotify may have not seen the point of supporting oauth sessions in the oauth token generating keymaster.

With regards to the streaming scope working and no others, I believe the streaming scope is required to interact with mercury endpoints. I may be wrong on this though.

As for your client ID not working for streaming whilst Spotify's ID does work somewhat, it's possible that they do some form of whitelisting on their end.

It may be worth examining this behaviour further, but given the simplicity of the keymaster endpoint and what it does, combined with your observations around the behaviour with different client IDs, I'd place my bet on this being expected behaviour from Spotify servers rather than a bug, though the line is often blurred :)

@sashahilton00 commented on GitHub (May 25, 2021): It's possible that the keymaster endpoint simply doesn't support OAuth2 clients and their tokens. Given that this service is essentially an interop service that allows mercury clients to consume the HTTP endpoints protected by OAuth, the devs at Spotify may have not seen the point of supporting oauth sessions in the oauth token generating keymaster. With regards to the `streaming` scope working and no others, I believe the `streaming` scope is required to interact with mercury endpoints. I may be wrong on this though. As for your client ID not working for streaming whilst Spotify's ID does work somewhat, it's possible that they do some form of whitelisting on their end. It may be worth examining this behaviour further, but given the simplicity of the keymaster endpoint and what it does, combined with your observations around the behaviour with different client IDs, I'd place my bet on this being expected behaviour from Spotify servers rather than a bug, though the line is often blurred :)

kerem commented

2026-02-27 19:30:27 +03:00

Author

Owner

@gdesmott commented on GitHub (Dec 30, 2022):

Does this mean it's not possible to use librespot with tokens generated using the Authorization Code Flow ?

@gdesmott commented on GitHub (Dec 30, 2022): Does this mean it's not possible to use `librespot` with tokens generated using the [Authorization Code Flow](https://developer.spotify.com/documentation/general/guides/authorization/code-flow/) ?

kerem referenced this issue

2026-02-27 19:30:34 +03:00

[GH-ISSUE #848] Underrun with onevent script #427

kerem referenced this issue

2026-02-27 20:00:30 +03:00

[PR #449] [MERGED] Add blocking SinkActive|SinkInactive events #930

Rows
Columns

[GH-ISSUE #754] get_token fails using credentials obtained through FB auth flow #406

[GH-ISSUE #754] `get_token` fails using credentials obtained through FB auth flow #406