[GH-ISSUE #51] unsupported_response_type #64

Closed
opened 2026-03-15 16:13:56 +03:00 by kerem · 1 comment

Originally created by @Nygosaki on GitHub (Dec 26, 2025).
Original GitHub issue: https://github.com/francoborrelli/spotify-react-web-client/issues/51

When attempting to access spotify-react-web-client.onrender.com, it automatically redirects me to https://spotify-react-web-client.onrender.com/#error=unsupported_response_type and displays a loading screen.
I am on macOS Tahoe using the Arc browser.
This behaviour started after I tried embedding the site using an iframe. However, I am no longer able to even access the site normally.

kerem closed this issue 2026-03-15 16:14:01 +03:00

@francoborrelli commented on GitHub (Dec 29, 2025):

### 🛠️ What’s causing the `unsupported_response_type` error

The reason your browser gets redirected to `https://spotify-react-web-client.onrender.com/#error=unsupported_response_type` and you see the loading screen is related to Spotify’s OAuth changes.

Spotify has **deprecated the Implicit Grant Flow** (`response_type=token`), which was previously used for client-side authentication in single-page/web apps. After November 27, 2025, Spotify **stopped supporting this flow**, so any request to `/authorize` with `response_type=token` will now fail with `unsupported_response_type`. [Link](https://developer.spotify.com/blog/2025-10-14-reminder-oauth-migration-27-nov-2025)

### 🚨 Why this happened

  • The **Implicit Grant Flow is deprecated** because it exposes access tokens directly in the URL and does not support refresh tokens. [Link](https://developer.spotify.com/documentation/web-api/tutorials/implicit-flow)
  • Spotify has removed support for this flow and requires apps to use a more secure alternative. [Link](https://developer.spotify.com/blog/2025-10-14-reminder-oauth-migration-27-nov-2025)

### ✅ What I changed

To fix this and restore the app’s authentication flow, I migrated the OAuth implementation to **Authorization Code with PKCE**, which is now the recommended authentication flow for web apps (especially SPAs). [Link](https://developer.spotify.com/documentation/web-api/tutorials/migration-implicit-auth-code)

Here’s what was done:

  1. **Changed the authorization request** to use `response_type=code` instead of `token`.
  2. Added the **PKCE parameters** (`code_challenge` and `code_challenge_method`) to the `/authorize` request.
  3. After redirect, the app now **exchanges the authorization code for an access token** using Spotify’s `/api/token` endpoint with PKCE.
  4. This flow also returns **a refresh token**, so the session stays valid longer without requiring users to log in again. [Link](https://developer.spotify.com/documentation/web-api/tutorials/code-pkce-flow)