[GH-ISSUE #1465] Breaking Changes in OAuth and redirect URIs #660

Closed
opened 2026-02-27 19:31:48 +03:00 by kerem · 9 comments

Originally created by @unmanagedtn on GitHub (Feb 13, 2025).
Original GitHub issue: https://github.com/librespot-org/librespot/issues/1465

Hi,

Got this in an email today...

In line with industry best practices, we are removing implicit grant
from our OAuth offering, as well as prohibiting insecure redirect URIs for
all clients.

These features could pose a security risk to Spotify users and partners and
we are therefore enforcing the new rules before the end of the year.

Existing applications need to migrate to an acceptable state before November 2025.

For all newly created apps, we will start automatically enforcing these rules from the beginning of April.

We have identified you as the owner of one or more apps that are using features that we are going to deprecate.
Failure to take action will cause your application to stop working as expected.

For more details on necessary steps to take to ensure your application operates in line with these new rules, please read our blog post.
https://wl.spotify.com/ls/click?upn=u001.No8TgQ5gmZjAOIpJLzd41D3Mz6DH7FZ905vBJfekre-2FqqaHuHe7a-2B8d3ZFfZBJXGhV6HsSr9w7mqTUgzBDbbJRXfgHoOUWcKhkvOLpfPyg24qpd6-2F2uWG6P3qt-2BrVZg4uPJV72F8GCQ19pmrM0xPCOPCV8JCp0cWDCx8lAUAjzw-3DLyG1_uFcsKQw5tjHrVEfeDdbD-2Fq4aGweHroJutZfKK7kO-2FmRxSGoq2MABtOEaNjmTUzvo5GyihADVfJ6jXQwWUXu-2BD3-2BtMs5NVEMJiH1jD6OQzvRai9e2aP1vrIUxX0ppm7EbZznRRzLhYTrEf49IE4ug-2BkSY1iFY4o4M3MUl3E5xRqztG2knv-2B-2BrHBzazdgXcAdmP6wdG-2BTPy4R8gu8LorYKjeUDRQmQzKLni-2F1JLoy68ezxokYBA4W-2B8orHpKIYdo2-2FfgWVcc6V0fA6wZXnF2fVzfygA4Oyf8blsQc5wZ-2FtzopVtlX0PemiYhW2644LEvccZ79EkY68fzDu68bt8MiWPhAubxVoyVjP7UOgZTDUJlLcWah-2FCAdTYYg7jOJ0XMDCfpwBp2-2BV9VRkU77n-2FqOO-2BJiHkUde8oz4G0SJ-2BrW0gzSbPt3swCQ-2FoAB5kIzyPZXb32WflIo03ktnnH7gVagXhEbpPqlr9XbR8SHI6-2F7rzIvriS9zx37nSiQNSxkvW-2FhipiFPl8s4dJpDysG-2F1jIUBa-2FgapbdfZuXCredXzQnRvhdF6dnkf44-2FjguyA-2Btwxp7

Regards,

The Auth team at Spotify

kerem 2026-02-27 19:31:48 +03:00 · closed this issue · added the bug label

@kingosticks commented on GitHub (Feb 13, 2025):

Thanks, but does this impact us? We don't use/support implicit grant, and the localhost redirect URI will continue to work.


@unmanagedtn commented on GitHub (Feb 13, 2025):

Great to hear this ...


@kingosticks commented on GitHub (Feb 13, 2025):

OK so let's close.


@photovoltex commented on GitHub (Feb 13, 2025):

For completeness' sake, the blog post: https://developer.spotify.com/blog/2025-02-12-increasing-the-security-requirements-for-integrating-with-spotify


@kingosticks commented on GitHub (Mar 14, 2025):

Actually, can we re-open this? I was wrong and we do need to make a change (my emphasis):

> Any redirect URI using HTTP will stop being supported, except loopback **IP address literals** such as http://127.0.0.1 for IPv4 and http://[::1] for IPv6.
>
> http://localhost:3000 could be migrated to http://127.0.0.1:3000

So we need to change https://github.com/librespot-org/librespot/blob/11c3df8eb1ab2c6a8f31a02cb8833caf825f415b/oauth/src/lib.rs#L177

@kingosticks commented on GitHub (Mar 14, 2025):

Oh! Wait, no! That code is actually a bug and "localhost" shouldn't be hard-coded anywhere, given we now support a user-configurable redirect URI.

So we are indeed immune to this Spotify change. But we have a bug!


@photovoltex commented on GitHub (Mar 15, 2025):

@kingosticks Could you create a PR so we can quickly fix this minor bug?


@kingosticks commented on GitHub (Mar 16, 2025):

I reread the code; I was being stupid, it's fine as is. Any valid hostname is fine to use there; we (I?) chose localhost. It's only added so that we can use the standard URI parsing functions to extract stuff from the query string. No bug and nothing to do! Reclose this please, sorry!

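Two points from the thread are worth seeing in working code: the rule quoted in the Mar 14 comment (plain HTTP survives only for loopback IP address literals, so http://localhost:3000 is out while http://127.0.0.1:3000 and http://[::1]:3000 stay), and the Mar 16 observation that a placeholder host is prepended to the pasted redirect only so a URL parser can pull the code out of the query string. The block below is an added example, not librespot's code and not the url crate it uses: `parse_url` is a hand-rolled, std-only stand-in for a real URL parser, `check_redirect_uri`, `extract_query_param` and the `Rejection` enum are names chosen here, the loopback test uses `IpAddr::is_loopback` (all of 127.0.0.0/8 plus ::1, which is broader than the two literals Spotify names), and the sample URIs and pasted redirects are constructed.

```rust
use std::net::IpAddr;

/// The parts of an absolute URL a redirect-URI check needs; for an IPv6
/// literal, `host` is the address without its brackets.
#[derive(Debug, PartialEq)]
pub struct ParsedUrl {
    pub scheme: String,
    pub host: String,
    pub port: Option<u16>,
    pub query: Option<String>,
}

/// Minimal parser for scheme://host[:port][/path][?query][#fragment].
/// Hand-rolled so the example needs no crates; a stand-in for a real URL
/// parser that only covers the shapes a redirect URI can take.
pub fn parse_url(s: &str) -> Option<ParsedUrl> {
    let (scheme, rest) = s.split_once("://")?;
    if scheme.is_empty() || !scheme.chars().all(|c| c.is_ascii_alphanumeric()) {
        return None;
    }
    // The authority ends at the first '/', '?' or '#'; a bracketed IPv6
    // literal contains ':' but none of those, so it is never cut short.
    let end = rest.find(|c: char| "/?#".contains(c)).unwrap_or(rest.len());
    let (authority, tail) = rest.split_at(end);
    let (host, port_str) = if let Some(inner) = authority.strip_prefix('[') {
        let (h, after) = inner.split_once(']')?; // "[::1]" or "[::1]:3000"
        match after {
            "" => (h, None),
            p => (h, Some(p.strip_prefix(':')?)),
        }
    } else {
        match authority.rsplit_once(':') {
            Some((h, p)) => (h, Some(p)),
            None => (authority, None),
        }
    };
    if host.is_empty() {
        return None;
    }
    let port = port_str.map(|p| p.parse::<u16>()).transpose().ok()?;
    // The query is whatever sits between '?' and an optional '#'.
    let query = tail
        .split_once('?')
        .map(|(_, q)| q.split('#').next().unwrap_or("").to_string());
    Some(ParsedUrl {
        scheme: scheme.to_ascii_lowercase(),
        host: host.to_ascii_lowercase(),
        port,
        query,
    })
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    Unparseable,
    UnsupportedScheme(String),
    PlainHttpToNonLoopback(String),
}

/// HTTPS is accepted; plain HTTP only when the host is a loopback IP address
/// *literal*. "localhost" is a hostname, not a literal, so http://localhost:3000
/// fails while http://127.0.0.1:3000 and http://[::1]:3000 pass.
pub fn check_redirect_uri(uri: &str) -> Result<ParsedUrl, Rejection> {
    let parsed = parse_url(uri).ok_or(Rejection::Unparseable)?;
    if parsed.scheme == "https" {
        return Ok(parsed);
    }
    if parsed.scheme != "http" {
        return Err(Rejection::UnsupportedScheme(parsed.scheme));
    }
    // Assumption: `is_loopback` (all of 127.0.0.0/8 plus ::1) is the right
    // test; compare against the exact literals if the provider is stricter.
    match parsed.host.parse::<IpAddr>() {
        Ok(ip) if ip.is_loopback() => Ok(parsed),
        _ => Err(Rejection::PlainHttpToNonLoopback(parsed.host)),
    }
}

/// Pull one parameter out of whatever the user pasted back after the browser
/// redirect. A bare "?code=..." has no authority, so a placeholder one is
/// prepended purely so the parser accepts it; that host is never validated or
/// contacted, so the name used there is irrelevant. No percent-decoding is
/// done (assumption: the values are URL-safe).
pub fn extract_query_param(pasted: &str, name: &str) -> Option<String> {
    let absolute = if pasted.contains("://") {
        pasted.to_string()
    } else if pasted.starts_with('?') {
        format!("http://localhost{}", pasted)
    } else {
        format!("http://localhost/?{}", pasted)
    };
    let query = parse_url(&absolute)?.query?;
    let mut pairs = query.split('&').filter_map(|kv| kv.split_once('='));
    pairs.find(|(k, _)| *k == name).map(|(_, v)| v.to_string())
}

fn main() {
    // Constructed sample URIs, not taken from any real app registration.
    for uri in ["http://localhost:3000", "http://127.0.0.1:3000", "http://[::1]:3000/cb"] {
        println!("{} -> {:?}", uri, check_redirect_uri(uri).map(|p| p.host));
    }
}
```

Compile with `rustc` and run; `main` prints the verdict for the three sample URIs, and `cargo test` style `#[test]` functions can call the two public functions directly. If a provider accepts exactly 127.0.0.1 and ::1 and nothing else in 127/8, replace the `is_loopback` guard with a comparison against those two addresses.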

@photovoltex commented on GitHub (Mar 17, 2025):

oki, happens to the best :)
