[GH-ISSUE #1086] Clarify Authentication documentation #508

New issue

Closed

opened 2026-02-27 19:31:02 +03:00 by kerem · 13 comments

kerem commented 2026-02-27 19:31:02 +03:00

Owner

Copy link

Originally created by @gdesmott on GitHub (Jan 2, 2023).
Original GitHub issue: https://github.com/librespot-org/librespot/issues/1086

The Authentication doc seems a bit outdated.

I think it would be good to list each method from Spotify Authorization's documentation and explain for each if they are supported (or planned to be).

rspotify does exactly that which I found very helpful.

Originally created by @gdesmott on GitHub (Jan 2, 2023). Original GitHub issue: https://github.com/librespot-org/librespot/issues/1086 The [Authentication doc](https://github.com/librespot-org/librespot/blob/dev/docs/authentication.md) seems a bit outdated. I think it would be good to list each method from [Spotify Authorization's documentation](https://developer.spotify.com/documentation/general/guides/authorization/) and explain for each if they are supported (or planned to be). `rspotify` does [exactly that](https://docs.rs/rspotify/0.11.6/rspotify/#authorization) which I found very helpful.

kerem 2026-02-27 19:31:02 +03:00

• closed this issue
• added the
  enhancement
  label

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@roderickvd commented on GitHub (Jan 2, 2023):

The Authentication doc seems a bit outdated.

Yes, I am afraid this is true for most of the documentation.

I think it would be good to list each method from Spotify Authorization's documentation and explain for each if they are supported (or planned to be).

Unless someone is working on getting OAuth flows working (I think there was an effort by librespot-java), the current authentication scheme is the only one without any others planned by me I'm afraid.

Feel free to update any docs you find!

<!-- gh-comment-id:1369042971 --> @roderickvd commented on GitHub (Jan 2, 2023): > The [Authentication doc](https://github.com/librespot-org/librespot/blob/dev/docs/authentication.md) seems a bit outdated. Yes, I am afraid this is true for most of the documentation. > I think it would be good to list each method from [Spotify Authorization's documentation](https://developer.spotify.com/documentation/general/guides/authorization/) and explain for each if they are supported (or planned to be). Unless someone is working on getting OAuth flows working (I think there was an effort by `librespot-java`), the current authentication scheme is the only one without any others planned by me I'm afraid. Feel free to update any docs you find!

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@gdesmott commented on GitHub (Jan 2, 2023):

So you confirm that none of the 4 officials OAuth flows are currently supported?

I may be interested implementing the Authorization code flow as that will allow me to share the token between librespot and rspotify. Do you foresee any issue? This should work with the API implemented by librespot right?

That or I re-implement the catalog search using librespot as discussed here. I'm not sure yet which way is best.

<!-- gh-comment-id:1369274156 --> @gdesmott commented on GitHub (Jan 2, 2023): So you confirm that none of [the 4 officials OAuth flows](https://developer.spotify.com/documentation/general/guides/authorization/) are currently supported? I **may** be interested implementing the _Authorization code_ flow as that will allow me to share the token between `librespot` and `rspotify`. Do you foresee any issue? This should work with the API implemented by `librespot` right? That or I re-implement the catalog search using `librespot` as [discussed here](https://github.com/librespot-org/librespot/discussions/792). I'm not sure yet which way is best.

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@roderickvd commented on GitHub (Jan 4, 2023):

I cannot say with certainty as I have never tried myself.
But it is what I gather also from the unfinished effort over at https://github.com/librespot-org/librespot-java/pull/446.

I have some doubts whether tokens gotten through OAuth will be valid to authenticate on Mercury. They might be. But they (web vs. Mercury) may also well be different contexts. I remember someone theorising that one certain OAuth scope might also work on Mercury. I can't remember where I read that... probably also at the Java port or maybe on Gitter.

<!-- gh-comment-id:1371337169 --> @roderickvd commented on GitHub (Jan 4, 2023): I cannot say with certainty as I have never tried myself. But it is what I gather also from the unfinished effort over at https://github.com/librespot-org/librespot-java/pull/446. I have some doubts whether tokens gotten through OAuth will be valid to authenticate on Mercury. They might be. But they (web vs. Mercury) may also well be different contexts. I remember someone theorising that one certain OAuth scope might also work on Mercury. I can't remember where I read that... probably also at the Java port or maybe on Gitter.

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@GiviMAD commented on GitHub (Jan 13, 2023):

Hi, I've been looking recently into registering the client into my account using an access token, I would like to share what I discovered in case it's interesting to someone, this project has helped me a lot https://github.com/TimotheeGerber/spotify-connect. It seems to be posible to authenticate a speaker using an api token as long as it has the "streaming" scope. I have tried to modify the tool to force it to use the same token I'm using with the web SDK (an access token obtained through oauth) and when using the tool auth method default-token everything seems to work.

# in my test I have modified the change_to_token_credentials method to use my token and confirm that I can register the speaker using an api token. 
./spotify-connect -a default-token $DISCOVERY_IP $DISCOVERY_PORT

Auth method access-token exposed by the library doesn't seem to work with librespot.

Tested agains librespot v0.4.2.

Regards!

<!-- gh-comment-id:1381686879 --> @GiviMAD commented on GitHub (Jan 13, 2023): Hi, I've been looking recently into registering the client into my account using an access token, I would like to share what I discovered in case it's interesting to someone, this project has helped me a lot https://github.com/TimotheeGerber/spotify-connect. It seems to be posible to authenticate a speaker using an api token as long as it has the "streaming" scope. I have tried to modify the tool to force it to use the same token I'm using with the web SDK (an access token obtained through oauth) and when using the tool auth method default-token everything seems to work. ``` # in my test I have modified the change_to_token_credentials method to use my token and confirm that I can register the speaker using an api token. ./spotify-connect -a default-token $DISCOVERY_IP $DISCOVERY_PORT ``` Auth method access-token exposed by the library doesn't seem to work with librespot. Tested agains librespot v0.4.2. Regards!

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@kingosticks commented on GitHub (Jan 13, 2023):

Maybe I misunderstand what you are saying. Is it that you have one token, which includes the "streaming" scope (and presumably a load others also) and that one token can be used with the Web API and librespot? Assuming that's the right understanding, where did you get that token from?

<!-- gh-comment-id:1381724159 --> @kingosticks commented on GitHub (Jan 13, 2023): Maybe I misunderstand what you are saying. Is it that you have one token, which includes the "streaming" scope (and presumably a load others also) and that one token can be used with the Web API and librespot? Assuming that's the right understanding, where did you get that token from?

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@GiviMAD commented on GitHub (Jan 13, 2023):

The same token I use when my web application relays on the Web Playback SDK, I only use librespot for the electron version.
A token obtained using this flow https://developer.spotify.com/documentation/general/guides/authorization/code-flow/ with an application client id linked to my account.

Yes I have another scopes on the token, but I think based on the tool code that only the "streaming" one is required. I think it's enough for Librespot to authenticate to the Spotify account and swap to a reusable credentials.
But I have little knowledge about Librespot and the protocols it uses, just wanted to shared want I found in case someone wants to look more on it.

<!-- gh-comment-id:1381739583 --> @GiviMAD commented on GitHub (Jan 13, 2023): The same token I use when my web application relays on the Web Playback SDK, I only use librespot for the electron version. A token obtained using this flow https://developer.spotify.com/documentation/general/guides/authorization/code-flow/ with an application client id linked to my account. Yes I have another scopes on the token, but I think based on the tool code that only the "streaming" one is required. I think it's enough for Librespot to authenticate to the Spotify account and swap to a reusable credentials. But I have little knowledge about Librespot and the protocols it uses, just wanted to shared want I found in case someone wants to look more on it.

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@GiviMAD commented on GitHub (Jan 13, 2023):

As a personal opinion, I think that having the https://github.com/TimotheeGerber/spotify-connect functionalities exposed in someway by librespot itself could be awesome, this way you can use same binary to authenticate the speaker through command line, and even, exposing a manual authentication page should be easy to build. I'm telling all this without knowing if authenticating with the access token have some side effect, but for me doesn't seem to be the case.
Regards!

<!-- gh-comment-id:1381749350 --> @GiviMAD commented on GitHub (Jan 13, 2023): As a personal opinion, I think that having the https://github.com/TimotheeGerber/spotify-connect functionalities exposed in someway by librespot itself could be awesome, this way you can use same binary to authenticate the speaker through command line, and even, exposing a manual authentication page should be easy to build. I'm telling all this without knowing if authenticating with the access token have some side effect, but for me doesn't seem to be the case. Regards!

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@kingosticks commented on GitHub (Jan 13, 2023):

Ahh, excellent! I didn't realise you could legitimately get the streaming scope as I have never used the Web Playback SDK. And your modification was to change the client ID to your own?

I wonder if you do need some extra scopes for some parts of librespot to work.

<!-- gh-comment-id:1381774860 --> @kingosticks commented on GitHub (Jan 13, 2023): Ahh, excellent! I didn't realise you could legitimately get the [streaming](https://developer.spotify.com/documentation/general/guides/authorization/scopes/#streaming) scope as I have never used the Web Playback SDK. And your modification was to change the client ID to your own? I wonder if you do need some extra scopes for some parts of librespot to work.

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@GiviMAD commented on GitHub (Jan 13, 2023):

Ahh, excellent! I didn't realise you could legitimately get the streaming scope as I have never used the Web Playback SDK. And your modification was to change the client ID to your own?

I changed the whole line that call get_token by a literal string containing a token generated by my app backend.

I tested it with and without this modification and both times it worked. And without the modification the token is just generated with the streaming scope.

I wonder if you do need some extra scopes for some parts of librespot to work.

I think that not, because I think that the token that you are providing is not used by librespot anymore after the authentication, it generate it's own credentials and from those it is able to generate new tokens (using other client ids, so I think the client id you generated the token with is also not used at all).

<!-- gh-comment-id:1381819718 --> @GiviMAD commented on GitHub (Jan 13, 2023): > Ahh, excellent! I didn't realise you could legitimately get the [streaming](https://developer.spotify.com/documentation/general/guides/authorization/scopes/#streaming) scope as I have never used the Web Playback SDK. And your modification was to change the client ID to your own? I changed the whole line that call get_token by a literal string containing a token generated by my app backend. I tested it with and without this modification and both times it worked. And without the modification the token is just generated with the streaming scope. > I wonder if you do need some extra scopes for some parts of librespot to work. I think that not, because I think that the token that you are providing is not used by librespot anymore after the authentication, it generate it's own credentials and from those it is able to generate new tokens (using other client ids, so I think the client id you generated the token with is also not used at all).

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@kingosticks commented on GitHub (Jan 13, 2023):

OK, with you now. Sorry, it's been a while.

Yes and you're right, librespot does it's own fresh login afrer decrypting the blob sent by that spotify-connect tool. It does seem like there are some useful alt login methods that could be documented. i.e. from username and Web API "streaming" token. That could be a useful method to have if you want to share the same token.

It looks like supporting "accesstoken" login in librespot might just be a case of fixing handle_add_user to check the "tokenType" response param and skipping all the decryption and just return Credentials::with_access_token(username,blob) in that case.

<!-- gh-comment-id:1381871262 --> @kingosticks commented on GitHub (Jan 13, 2023): OK, with you now. Sorry, it's been a while. Yes and you're right, librespot does it's own fresh login afrer decrypting the blob sent by that spotify-connect tool. It does seem like there are some useful alt login methods that could be documented. i.e. from username and Web API "streaming" token. That could be a useful method to have if you want to share the same token. It looks like supporting "accesstoken" login in librespot might just be a case of fixing [handle_add_user](https://github.com/librespot-org/librespot/blob/dev/discovery/src/server.rs#L111) to check the "tokenType" response param and skipping all the decryption and just return `Credentials::with_access_token(username,blob)` in that case.

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@gdesmott commented on GitHub (Jan 15, 2023):

@GiviMAD : thanks a lot! I manually created a Credentials with AuthenticationType::AUTHENTICATION_SPOTIFY_TOKEN and was able to play medias using my GStreamer element!

I faced an issue when trying to request lyrics from librespost though. librespot::metadata::Lyrics::get get a MercuryResponse with status_code: 403.
Maybe another scope is required but I didn't find any looking at the doc as they all seem related to user specific infos.

<!-- gh-comment-id:1383157264 --> @gdesmott commented on GitHub (Jan 15, 2023): @GiviMAD : thanks a lot! I manually created a `Credentials` with `AuthenticationType::AUTHENTICATION_SPOTIFY_TOKEN` and was able to play medias using my GStreamer element! I faced an issue when trying to request lyrics from `librespost` though. `librespot::metadata::Lyrics::get` get a `MercuryResponse` with `status_code: 403`. Maybe another scope is required but I didn't find any looking [at the doc](https://developer.spotify.com/documentation/general/guides/authorization/scopes/) as they all seem related to user specific infos.

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@hansmbakker commented on GitHub (Sep 9, 2023):

There is a request for allowing the Device Authorization Grant flow on the Spotify forum - it is very useful for embedded usecases like a remote control.

<!-- gh-comment-id:1712513777 --> @hansmbakker commented on GitHub (Sep 9, 2023): There is a [request for allowing the Device Authorization Grant flow](https://community.spotify.com/t5/Spotify-for-Developers/Device-Authorization-Grant-authentication-flow-for-custom/m-p/5485468) on the Spotify forum - it is very useful for embedded usecases like a remote control.

kerem commented 2026-02-27 19:31:03 +03:00

Author

Owner

Copy link

@roderickvd commented on GitHub (Oct 26, 2024):

Oauth is implemented and documented now.

<!-- gh-comment-id:2439615661 --> @roderickvd commented on GitHub (Oct 26, 2024): Oauth is implemented and documented now.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.0

v0.4.2

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.0

v0.1.6

v0.1.5

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

A-Alsa

  

SpotifyAPI

  

Tokio 1.0

  

audio

  

bug

  

can't reproduce

  

compilation

  

dependencies

  

duplicate

  

enhancement

  

good first issue

  

help wanted

  

high priority

  

imported

  

imported

  

invalid

  

new api

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

reverse engineering

  

wiki

  

wontfix

No labels

A-Alsa

SpotifyAPI

Tokio 1.0

audio

bug

can't reproduce

compilation

dependencies

duplicate

enhancement

good first issue

help wanted

high priority

imported

imported

invalid

new api

pull-request

question

reverse engineering

wiki

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/librespot#508

No description provided.