[PR #428] [MERGED] Automatic refresh of Authorization Code Flow Tokens in long-running Applications #891

Closed
opened 2026-02-28 00:02:26 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/spotipy-dev/spotipy/pull/428
Author: @MaZderMind
Created: 1/21/2020
Status: Merged
Merged: 1/22/2020
Merged by: @stephanebruckert

Base: master ← Head: auto-refresh-token


📝 Commits (5)

  • d0593ed auto-refresh user token
  • 3d85699 example for a long-running user-request app
  • d53b8cc wrap long lines
  • 5c8867e combine duplicate code into _refresh_token_if_expired method
  • e7a94da add changelog entry

📊 Changes

5 files changed (+68 additions, -16 deletions)

📝 CHANGELOG.md (+2 -0)
examples/long_running.py (+42 -0)
📝 spotipy/client.py (+4 -2)
📝 spotipy/oauth2.py (+17 -9)
📝 spotipy/util.py (+3 -5)

📄 Description

This PR implements automatic refreshing of Authorization Code Flow Tokens.
Currently an access_token requested via the Authorization Code Flow has a lifetime of 3600 seconds (1 hour) after which a new access_token needs to be requested using the refresh_token.

The Logic in util.prompt_for_user_token looks for a matching set of tokens in the cache_path and if none is found, it requests both an access_token and a refresh_token from Spotify and stores them in the cache_path. If one is found, the access_token is checked for validity and if it is expired, a new one is requested and updated in the cache_path.

This process works fine for short running applications, because the Token is automatically refreshed whenever util.prompt_for_user_token is invoked. For long running applications (with a runtime greater than the remaining lifetime of the access_token upon startup) this poses a problem, because the access_token is never refreshed once util.prompt_for_user_token has returned.

To refresh the token later, the initialized instance of oauth2.SpotifyOAuth is required. This instance is created in util.prompt_for_user_token but destroyed when the method returns.

This PR changes the return-value of util.prompt_for_user_token to return the initialized oauth2.SpotifyOAuth instead of the access_token. This instance is accepted as the auth-argument to the spotipy.Spotify constructor, so code that was just passing the token-string doesn't have to be changed.

Furthermore oauth2.SpotifyOAuth is changed to also cache the access_token in-memory, so that accessing it via the oauth2-instance does not have to hit the filesystem.

The method Spotify._auth_headers is responsible for adding the Auth-Token to the HTTP Request-Headers. It is changed to actively request a valid access_token from the oauth2 instance. The oauth2.SpotifyOAuth class is changed to check the validity of the Token before returning and, if required, requesting a new Token.

An Example of a long-running process which before exposed the problem is added. It does not run for multiple hours, refreshing the Token when it has expired before issuing any other request.

This probably fixes #263 and fixes #87
It probably also closes #428 by obsoleting it


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
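
The refresh-on-use pattern the description outlines, as an added sketch that is not code from this PR or from spotipy. `TokenManager`, `Client`, `fake_refresh` and the sample tokens are hypothetical and constructed; the 60-second skew and the 0600 cache-file mode are assumptions of this example.

```python
import json, os, tempfile, time

class TokenManager:
    """Hypothetical auth helper for this example; not spotipy's class."""
    SKEW = 60  # assumption: refresh 60 s before the stated expiry
    def __init__(self, cache_path, refresh_fn, clock=time.time):
        self.cache_path, self.refresh_fn, self.clock = cache_path, refresh_fn, clock
        self.token_info = None  # in-memory copy so requests skip the filesystem

    def save(self, info):
        # The cache holds the long-lived refresh_token: create it owner-only (0600).
        fd = os.open(self.cache_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(info, fh)
        self.token_info = info

    def get_access_token(self):
        if self.token_info is None:  # first use: fall back to the cache file
            with open(self.cache_path) as fh:
                self.token_info = json.load(fh)
        if self.token_info["expires_at"] - self.SKEW <= self.clock():
            new = self.refresh_fn(self.token_info["refresh_token"])
            # A refresh response may omit refresh_token; keep the old one then.
            new.setdefault("refresh_token", self.token_info["refresh_token"])
            new["expires_at"] = int(self.clock()) + new["expires_in"]
            self.save(new)
        return self.token_info["access_token"]

class Client:
    def __init__(self, auth):
        self.auth = auth  # plain token string or a TokenManager

    def auth_headers(self):  # called per request, so the token is checked each time
        token = self.auth if isinstance(self.auth, str) else self.auth.get_access_token()
        return {"Authorization": "Bearer " + token}

def demo():
    now, calls = [1000], []  # constructed clock and refresh log; no network
    def fake_refresh(refresh_token):
        calls.append(refresh_token)
        return {"access_token": "access-%d" % len(calls), "expires_in": 3600}
    path = os.path.join(tempfile.mkdtemp(), "cache.json")
    mgr = TokenManager(path, fake_refresh, clock=lambda: now[0])
    mgr.save({"access_token": "access-0", "refresh_token": "refresh-0", "expires_at": 4600})
    client = Client(mgr)
    first = client.auth_headers()["Authorization"]
    now[0] += 3600  # an hour later the first token has expired
    later = [client.auth_headers()["Authorization"] for _ in range(2)]
    return first, later, calls, os.stat(path).st_mode & 0o777
```

`demo()` returns the header before expiry, the two headers after it, the refresh calls made, and the cache file's permission bits.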
