[GH-ISSUE #711] How to manually delete refresh token after it has been revoked by Spotify by a password change. #426

Open
opened 2026-02-27 23:22:33 +03:00 by kerem · 8 comments

Originally created by @kwakubiney on GitHub (Jul 25, 2021).
Original GitHub issue: https://github.com/spotipy-dev/spotipy/issues/711

So I changed my Spotify password and then tried using the Spotify API, but I kept getting hit with `error: invalid_grant, error_description: Refresh token revoked`. I tried looking through the codebase to find an implementation which deletes this refresh token and replaces it with a new one after a new authorization code is gotten from Spotify on a subsequent API request. I couldn't find a way around this, although I have not really thought it through; I assumed there'll be an implementation for this in Spotipy.

The code responsible for handling authorization code for access token and refresh token:

```python
def login(request):
    # Callback view: Spotify redirects here with ?code=... after the user authorizes
    if request.GET.get("code"):
        code = request.GET.get("code")
        request.session["access_token"] = oauth.get_access_token(code)
```

I expected Spotipy to delete old refresh token and create new one.

```
http://127.0.0.1:8000/accounts/spotify/login/callback/?code=AQApWwuisQLoorWTU69_36X_61mP-LFpoOCp6L2f_m7T6pXcQcqIcRmU1WXP4IODuZ8ISJzkU3fjF80fZx21_Zxw6QnwJMoK45Pkqh95TgG-Xe_xS8KwsKB8z1jzVcNyTotKdmO4YmxfnUvJu_Pp4hrGjoK9VI-cuGqDYPtwBogYqfUPqsfyRE-F1xJ1Z3F1rOXn3yW3IWuLbA&state=VYgl7i4tteOl
3.1.3
SpotifyOauthError
error: invalid_grant, error_description: Refresh token revoked
C:\Users\Kwaku Biney\Desktop\sparison-1\project\venv\lib\site-packages\spotipy\oauth2.py, line 576, in refresh_access_token
```

- Windows
- Python version 3.7.0
- VSCode

@Peter-Schorn commented on GitHub (Jul 25, 2021):

What is the type of `oauth`? Post the code where you create it.


@kwakubiney commented on GitHub (Jul 25, 2021):

@Peter-Schorn

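```python
import os
import uuid

from spotipy.cache_handler import CacheFileHandler
from spotipy.oauth2 import SpotifyOAuth

caches_folder = "./.spotify_caches/"
if not os.path.exists(caches_folder):
    os.makedirs(caches_folder)


# Create session path with UUID
def session_cache_path():
    return caches_folder + str(uuid.uuid4())


cache_path = session_cache_path()


# Extract UUID from path
def extract_uuid(cache_path):
    return cache_path[18:]  # strips the 18-character "./.spotify_caches/" prefix


cache_handler = CacheFileHandler(cache_path=cache_path)
# No client id/secret passed: SpotifyOAuth reads SPOTIPY_CLIENT_ID / SPOTIPY_CLIENT_SECRET
oauth = SpotifyOAuth(
    redirect_uri="http://127.0.0.1:8000/accounts/spotify/login/callback/",
    scope="user-library-read",
    cache_handler=cache_handler,
)
```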

@Peter-Schorn commented on GitHub (Jul 25, 2021):

Just delete the cache file at `cache_path`. That's where the token info is stored.


@kwakubiney commented on GitHub (Jul 26, 2021):

@Peter-Schorn okay will try that.


@jac0b-w commented on GitHub (Jul 28, 2021):

I have had a similar issue where changing the API keys doesn't remove the existing cache and there's no easy way to detect if the API keys have changed just from the cache file. Is there an easier way to know if the cache is outdated/revoked or will I have to keep track of if the API keys have changed myself?


@Peter-Schorn commented on GitHub (Jul 28, 2021):

By "API keys" are you referring to the client id and client secret? If so, then it is your responsibility to maintain a separate cache file for each client id and client secret. If you don't then there will be no way to tell after the fact which client id and secret each cache file corresponds to. Remember, you can manually specify a path for the cache file.


@jac0b-w commented on GitHub (Jul 28, 2021):

Ah that makes sense. Any suggestions on how to name the cache file for each client id/client secret pair? My initial thought is to hash the keys to make it unique but there might be a better way.


@Peter-Schorn commented on GitHub (Jul 28, 2021):

How many different client ids and secrets do you have? You shouldn't need more than one.
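The two pieces of advice in this thread (delete the cache file once the refresh token is revoked; keep a separate cache file per client id), sketched as an added example that is not part of the original thread or of Spotipy. The helper names are hypothetical, and it assumes the raised exception exposes an `error` attribute equal to `invalid_grant`, matching the message in the report.

```python
import hashlib
import os

CACHES_FOLDER = "./.spotify_caches/"  # same folder name as in the thread


def cache_path_for(client_id, session_id, folder=CACHES_FOLDER):
    """One cache file per (client id, user session).

    Only the client id is hashed into the name; the client secret never
    needs to appear in a filename.
    """
    tag = hashlib.sha256(client_id.encode()).hexdigest()[:16]
    return os.path.join(folder, f"{tag}-{session_id}")


def drop_cache(cache_path, folder=CACHES_FOLDER):
    """Delete a token cache file, refusing paths outside the cache folder."""
    root = os.path.realpath(folder)
    target = os.path.realpath(cache_path)
    if os.path.commonpath([root, target]) != root:
        raise ValueError("cache path escapes the cache folder")
    try:
        os.remove(target)
        return True
    except FileNotFoundError:
        return False  # already gone, nothing to clean up


def token_or_reauth(get_token, cache_path, folder=CACHES_FOLDER):
    """Return the token, or None after clearing a revoked cache entry.

    get_token is any callable that fetches or refreshes the token.
    Assumption: on a revoked refresh token it raises an exception whose
    `error` attribute is "invalid_grant".
    """
    try:
        return get_token()
    except Exception as exc:
        if getattr(exc, "error", None) != "invalid_grant":
            raise  # unrelated failures must not wipe a valid cache
        drop_cache(cache_path, folder)
        return None  # caller sends the user back through authorization
```

A `None` result means the stored tokens are gone and the user has to authorize again; any other OAuth failure propagates unchanged.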
