Authentication - Take434/Appollon GitHub Wiki
Appollon depends on a user's Spotify account: all data used by the app is supplied by Spotify. This requires a login into the user's Spotify account through the app. To support this, Spotify implements the OAuth 2.0 authorization framework [2][1], which specifies how third-party applications obtain limited access to an HTTP service on behalf of the resource owner [1].
The detailed specification of the OAuth 2.0 authorization framework can be found in the Request for Comments [1]; the following gives a general overview of the login process.
As discussed in section 1.2 Protocol Flow of the RFC, the following steps are necessary to access a resource (Spotify data) on a user's behalf:
- The client (Appollon in this case) has to acquire permission to access the resource (Spotify data) from the user through an authorization grant
- The client then requests an access token from the authorization server (Spotify) using the grant
- It can then access the protected resource (Spotify data) on the resource server (Spotify) while supplying the access token
Figure: Abstract Protocol Flow.
Spotify supports four different OAuth flows, depending on the use case [2]. Since Appollon is a long-running application and the user should grant permission only once, the authorization code flow [3] is the one Spotify recommends [2]. The other OAuth flows are not relevant to Appollon's scenario [2] and will not be discussed further.
The important benefit of the authorization code flow is that users only have to give permission once; after that the application can keep accessing the necessary data without the user having to intervene [3]. The following graphic from the Spotify Docs illustrates how this works.
Figure: Authorization Code Flow, from [3] (image not shown until its license has been checked).
- Appollon requests authorization from Spotify, providing the scopes that should be accessed
- Spotify prompts the user to log in and grant permission
- Appollon gets a code back from the user, which is used to request an access token and a refresh token from Spotify
- The access token is used by Appollon to make requests
- If the access token has expired, the refresh token can be used to request a new one from Spotify
The detailed implementation in Appollon is discussed in the Spotify Authentication Issue. It includes more technical detail and discusses which parameters have to be included in the requests to Spotify.
After a user has logged in through the OAuth authorization code flow described above, Appollon requests information about the user, such as their Spotify user ID, email and profile picture. This information is then used either to create a new user in the database or to find the existing user in Appollon's database and update their tokens.
The access token is set as a cookie for the user, providing an easy way to identify which user is making requests to the server. If Spotify responds with HTTP status code 401, this indicates that the access token has expired [4]. In that case the refresh token is retrieved from the database and used to request a new access token, which is then updated in the cookies and the database.
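The five steps of the authorization code flow listed above and the 401-triggered refresh, written out as an added Python example; this is not Appollon's code, whose language and structure this page does not show. The Spotify endpoint URLs are assumptions taken from Spotify's documentation, the HTTP transport is injected so that a constructed `fake_spotify` can stand in for Spotify offline, and the `state` check on the callback is an addition that [1] recommends but the step list above does not mention.

```python
import base64
from urllib.parse import urlencode, parse_qs
AUTH_URL = "https://accounts.spotify.com/authorize"  # assumed from Spotify's docs, not quoted on this page
TOKEN_URL = "https://accounts.spotify.com/api/token"  # likewise an assumption

def build_authorize_url(client_id, redirect_uri, scopes, state):
    # Step 1: send the user here; state is a random per-login value the app remembers server-side.
    q = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
         "scope": " ".join(scopes), "state": state}
    return AUTH_URL + "?" + urlencode(q)

def parse_callback(query, expected_state):
    # Step 3: read the code off the redirect, refusing any callback whose state does not match.
    p = parse_qs(query)
    if p.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    return p["code"][0]

class SpotifyClient:
    # transport(method, url, headers, form) -> (status, body); injected so the flow runs offline.
    def __init__(self, client_id, client_secret, redirect_uri, transport):
        self.cid, self.secret, self.redirect, self.send = client_id, client_secret, redirect_uri, transport
        self.access = self.refresh_token = None
    def _token_request(self, form):
        basic = base64.b64encode(f"{self.cid}:{self.secret}".encode()).decode()
        status, body = self.send("POST", TOKEN_URL, {"Authorization": "Basic " + basic}, form)
        if status != 200:
            raise PermissionError(f"token endpoint returned {status}")
        self.access = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)  # refresh replies may omit it
    def exchange_code(self, code):  # step 3: code -> access token + refresh token
        self._token_request({"grant_type": "authorization_code", "code": code, "redirect_uri": self.redirect})
    def refresh(self):  # step 5: new access token from the stored refresh token
        self._token_request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
    def get(self, url):  # step 4: call the API; a 401 triggers exactly one refresh and one retry
        for attempt in (1, 2):
            status, body = self.send("GET", url, {"Authorization": "Bearer " + self.access}, None)
            if status != 401 or attempt == 2:
                break
            self.refresh()
        if status != 200:
            raise PermissionError(f"{url} returned {status}")
        return body

def fake_spotify(method, url, headers, form):  # constructed stand-in for Spotify so the demo runs offline
    if method == "POST" and form["grant_type"] == "authorization_code":
        return 200, {"access_token": "expired", "refresh_token": "rt-1"}
    if method == "POST" and form["grant_type"] == "refresh_token":
        return 200, {"access_token": "fresh"}
    return (200, {"id": "user-1"}) if headers["Authorization"] == "Bearer fresh" else (401, {})
```

With the fake, the first profile request answers 401, the client refreshes once and the retry succeeds; the refresh token is kept because the refresh reply did not send a new one.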
[1] D. Hardt, Ed., "The OAuth 2.0 Authorization Framework", 2012, accessed 28.07.2023
[2] Spotify Docs, "Authorization", accessed 28.07.2023
[3] Spotify Docs, "Authorization Code Flow", accessed 28.07.2023
[4] Spotify Web API Reference, "Get Current User's Profile", accessed 28.07.2023