TIDAL deprecates username/password login for oAuth

[ribizli]

Hi,

we tried to get an official API token from TIDAL, it seems to be possible anyway. But they don't support username/password login anymore, one need to use oAuth alternatives (they provide three).

I see, that implementing the oAuth flow in MPD is not possible, but maybe there should be a way to pass a valid access token to MPD.

E.g. I can imagine a file with the token on a path configured for the plugin. The plugin reads the file, (optionally) checks for validity (needs base64 decoding and JSON parsing) and uses the token instead of session_id.

Alternatively also supporting refresh token process?

Please share your thoughts.

[ribizli]

@MaxKellermann any opinion on this?

[MaxKellermann]

I don't know oAuth. Why is oAuth not possible in MPD?

[ribizli]

because oAuth requires the user to get forwarded to a Tidal login page.

On Tue, 4 Jun 2019, 17:45 Max Kellermann, notifications@github.com wrote:

I don't know oAuth. Why is oAuth not possible in MPD?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/MusicPlayerDaemon/MPD/issues/545?email_source=notifications&email_token=AAHYWWO6X5JSG4ZOB3JS343PY2E2HA5CNFSM4HLJRE62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODW476OA#issuecomment-498728760, or mute the thread https://github.com/notifications/unsubscribe-auth/AAHYWWIBMYPM63WVG4HC2SDPY2E2HANCNFSM4HLJRE6Q .

[MaxKellermann]

Hm, that sucks. Are there other Tidal players which don't have a built-in web browser?

[marcbth]

Hallo Max,

show upmpdcli

there is a upmpdcli-tidal plugin. it works https://opensourceprojects.eu/p/upmpdcli/code/ci/5fbea55f973ed222cd3e635440500025626fd074/tree/

[marcbth]

another from Artur

https://github.com/ArturSierzant/OMPD

[ribizli]

They (Tidal) stated that in the future only the OAuth token based API calls will work. The solutions posted by @marcbth are still using username/password login. The old API tokens issued earlier are still working.

[MaxKellermann]

there is a upmpdcli-tidal plugin. it works

Apart from being illegal (because it links a proprietary library from Spotify), upmpdcli uses the old username/password protocol, just like MPD.

[marcbth]

my issues #572

so my problems come from that?

ompd of arthur uses an old script. registration works and tidal is searchable. I have inserted the x-token-tidal and the registration schent yes to work.

or has changed in tidal now what or mpd?

sorry for my stupid questions

cliff

[ribizli]

they don't issue tokens anymore. just oAuth secrets, so you cannot call the login API either.

On Tue, 4 Jun 2019, 18:43 marcbth, notifications@github.com wrote:

my issues #572 https://github.com/MusicPlayerDaemon/MPD/issues/572

so my problems come from that?

ompd of arthur uses an old script. registration works and tidal is searchable. I have inserted the x-token-tidal and the registration schent yes to work.

or has changed in tidal now what or mpd?

sorry for my stupid questions

cliff

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/MusicPlayerDaemon/MPD/issues/545?email_source=notifications&email_token=AAHYWWNI466IBBNTESVEMYDPY2LSXA5CNFSM4HLJRE62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODW5FM3A#issuecomment-498751084, or mute the thread https://github.com/notifications/unsubscribe-auth/AAHYWWM7Y6NC7HHJIJGT56LPY2LSXANCNFSM4HLJRE6Q .

[marcbth]

then I do not understand that I still can log in upmpdcli or ompd me and play tidal.

is there an alternative to use tidal natively in mpd then again?

I want to get away from the whole upnp

cliff

[MaxKellermann]

And I can still play Tidal natively with MPD. So, what's really wrong? What is this issue report really about? Is there a real problem, or is there only an announcement by Tidal of future deprecation?

[ribizli]

you have a legacy token which works

On Tue, 4 Jun 2019, 18:51 marcbth, notifications@github.com wrote:

then I do not understand that I still can log in upmpdcli or ompd me and play tidal.

is there an alternative to use tidal natively in mpd then again?

I want to get away from the whole upnp

cliff

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/MusicPlayerDaemon/MPD/issues/545?email_source=notifications&email_token=AAHYWWN2JC5XFVNTOUMDR6TPY2MQTA5CNFSM4HLJRE62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODW5GDLY#issuecomment-498753967, or mute the thread https://github.com/notifications/unsubscribe-auth/AAHYWWLLDYXAEEBWHBKHLNLPY2MQTANCNFSM4HLJRE6Q .

[marcbth]

yes i have. i have a tidal account.

can i write a private email to you in german?

[marcbth]

you have a legacy token which works … On Tue, 4 Jun 2019, 18:51 marcbth, @.***> wrote: then I do not understand that I still can log in upmpdcli or ompd me and play tidal. is there an alternative to use tidal natively in mpd then again? I want to get away from the whole upnp cliff — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#545?email_source=notifications&email_token=AAHYWWN2JC5XFVNTOUMDR6TPY2MQTA5CNFSM4HLJRE62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODW5GDLY#issuecomment-498753967>, or mute the thread https://github.com/notifications/unsubscribe-auth/AAHYWWLLDYXAEEBWHBKHLNLPY2MQTANCNFSM4HLJRE6Q .

or a call?

[ribizli]

so, you can steal a token (as MPD docu suggests), but this is illegal. So we contacted Tidal for a token, and they rejected, login/session API is deprecated, we could use oAuth only. I cannot describe it better, sorry.

[marcbth]

do not want to do anything illegal. it would be a shame if tidal were not possible anymore.

if you have tidal as a contact person?

I also like to try it. because I actually have good relationships in the German hifi high end scene or manufacturers.

it is tidal also helped, concerning the further spread.

I can contribute the api or documentation for highresaudio streaming including, of course, an access.

[ranperry]

Try Pål Bråtelund / pal.bratelund@tidalhifi.com

On Tue, Jun 4, 2019 at 1:26 PM marcbth notifications@github.com wrote:

do not want to do anything illegal. it would be a shame if tidal were not possible anymore.

if you have tidal as a contact person?

I also like to try it. because I actually have good relationships in the German hifi high end scene or manufacturers.

it is tidal also helped, concerning the further spread.

I can contribute the api or documentation for highresaudio streaming including, of course, an access.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/MusicPlayerDaemon/MPD/issues/545?email_source=notifications&email_token=AAH3E4QWZZYXSQE7HHXBXRDPY2QUBA5CNFSM4HLJRE62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODW5JEMA#issuecomment-498766384, or mute the thread https://github.com/notifications/unsubscribe-auth/AAH3E4ROBJZT7MOMBLV6COTPY2QUBANCNFSM4HLJRE6Q .

[marcbth]

Thank you. I will contact him

[ribizli]

let us know what you found out from him

On Tue, 4 Jun 2019, 19:38 marcbth, notifications@github.com wrote:

Thank you. I will contact him

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/MusicPlayerDaemon/MPD/issues/545?email_source=notifications&email_token=AAHYWWNNKR6WG7QQMXFWUYDPY2R7TA5CNFSM4HLJRE62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODW5KFDA#issuecomment-498770572, or mute the thread https://github.com/notifications/unsubscribe-auth/AAHYWWNZQQCJF7WXFZG4OWTPY2R7TANCNFSM4HLJRE6Q .

[jonaski]

I contacted Tidal to ask for access to the API for use in Strawberry, but simply got: "Unfortunately we do not share our API." I'm using one of the android tokens and logins recently stopped working, fixed it by switching to https://api.tidalhifi.com/v1/login/username (I was using listen.tidal.com previously).

[ribizli]

@jonaski you need to get a developer account, then you get access to all needed documentation (including API, and OAuth stuff). We have already got such an account so definitely there is an official way to use their API.

My original message/issue still valid: username/password login (aka session based access) is not allowed for new users. You need an access JWT token to access the Tidal backend. This JWT token also replaces the API token used before (this also means, you need a Tidal user account to browse metadata, too).

[jonaski]

@ribizli How do I get a developer account?

[ribizli]

@jonaski https://developer.tidal.com/ "Access to this portal is by invitation only, and requires an agreement between the parties."

Some quotations from emails I've got from Tidal:

• "We only support oauth methods"
• "DRM support is not mandatory at the moment, but in the future, clients that have DRM will get a better streaming performance." ("our content delivery supplier prioritises DRM streams over non-DRM streams")
• "We are deprecating authentication with username and password" (for OAuth)
• "We have a stage and production environment, we kindly request our partners to first do the implementation in stage, certify it with our QA"
• "Please note that streaming is very limited on stage environment, so you will have to use the production credentials to do everything else after user authentication on production"
• "In this environment (me: stage) you can build out and test the implementation. We would like to verify on our side before moving on to our production environment"
• "Regarding the certification process in stage and Prod - It will be great if you send us a device so that our team here can certify the implementation" (we produce a HW player)
• "We usually have the stage environment for testing all functionalities except streaming. Streaming is not supported in the environment."
• "As we don't have your device yet you can share your test results to us by sending us a video of the tests or testing it live over a video call."
• "Giving you production credentials doesn’t mean going into production, it’s just that you test against our production environment. We will need to certify your implementation in production environment as well"

On the developer portal there is a long list (in Excel) of points the test during QA. They mostly compare the results with their GUI. We have different GUI (limited, different navigation and views), so I'm already afraid about the QA.

[MaxKellermann]

Postponed until Tidal shares documentation. If that doesn't ever seem to happen, the plugin will be removed.

[ribizli]

@MaxKellermann they won't share until you ask for it actively.

In the meanwhile I've implemented the process in our project, and I see, MPD couldn't/shouldn't handle the process on its own.

I see however a possible solution:

• at the end of the OAuth process an access and a renew JWT token is issued for the authenticated user. (getting to these tokens is out of scope of MPD)
• the access token has to be used as a Authorization: Bearer <token> header instead of the X-Tidal-Token, X-Tidal-SessionId tuple. The same API endpoints can be used, but different headers.
• since the access token has a 1 day validity only, MPD should make a renewal using the renew JWT token
• to get a new valid access JWT token (renewal) a POST request has to make with the following form parameters:
  • refresh_token
  • client_id: this is issued by Tidal instead of X-Tidal-Token
  • client_secret: this is issued by Tidal instead of X-Tidal-Token
• as a solution I'd propose an alternative MPD Tidal plugin configuration with the above 3 parameters instead of the token, username and password. MPD decides depending on which 3 parameters are configured.
  • instead of a SessionId (and the username/password login) MPD need to maintain (get initially, refresh if expired) an access JWT token

I think this is a small change in the current implementation (As far I managed to read it). Unfortunately I'm not a C++ developer, so I cannot provide with a PR to move this topic further.

Let me share a copy of the related documentation since I have access to Tidal's developer site. renew API (PDF)

[jonaski]

It uses standardized OAuth protocol. I've already implemented it in Strawberry, but using the client_id from Windows the streams are encrypted. I don't think Tidal would approve an open source project where the client id can be seen in the source code. And without the client id no-one can use it. I don't know much about MPD, but the client (frontend) needs to authorize using a web browser, then the login page at Tidal will redirect to: tidal://login/auth with an code in the query which is used to request the access token needed to use the API. So the client could probably send the code to MPD through the MPD network protocol where MPD requests the final access token. Strawberry gets registered as the url schema handler for tidal which let's the web browser pass the code through the strawberry command line options, it uses singleapplication to message the active process with the code needed to obtain the access token. You can look at how I've done it, I send the request here: https://github.com/jonaski/strawberry/blob/master/src/tidal/tidalservice.cpp#L238 Then I receive the URL with the code here: https://github.com/jonaski/strawberry/blob/master/src/core/mainwindow.cpp#L1918 Then it emits a signal to the tidal service with the URL which obtains the access token here: https://github.com/jonaski/strawberry/blob/master/src/tidal/tidalservice.cpp#L272

[therumbler]

FWIW I was just able to log in to Tidal via a POST to https://api.tidalhifi.com/v1/login/username. I used this token: "GvFhCVAYp3n43EN3", which I believe is from the iOS app.

[ghost]

That Token just worked for me.

[Fef0]

FWIW I was just able to log in to Tidal via a POST to https://api.tidalhifi.com/v1/login/username. I used this token: "GvFhCVAYp3n43EN3", which I believe is from the iOS app.

It worked, thank you very much

[JuniorJPDJ]

https://github.com/FUFRUnidentifiedFLACRipper/python-tidal-async-oauth2 I implemented client_id extraction from .apk file for android. There's no encryption of files sent to android app :3 Feel free to steal it from me - the code will be AGPL later.

[hmelder]

How about an oauth device flow? Or just use the FireTv api key. It is drm free and has the legacy login enabled. I have completely reverse engineered the TIDALAPI: https://github.com/openTIDAL/docTIDAL/wiki/auth-token https://github.com/openTIDAL/docTIDAL/wiki/auth-device_authorization https://github.com/openTIDAL/docTIDAL/wiki/API-Keys

[ribizli]

I can imagine an external tool to play the device flow through and get a refresh token. The refresh token has a very long validity, so one needs to get it once, and configure into the plugin. The plugin only needs to get a fresh access token if the previous expired (I already proposed this solution above).

Of course the plugin could implement the whole flow, but MPD isn't meant to be used interactively, so where to get the auth code (the four characters to enter on the tidal website) from...

Finally my solution was to create a proxy (http server) which cares about the auth, and provides a source for the curl plugin. (like: http://localhost:8080/tidal/)

[hmelder]

I nearly finished my TIDAL C Library with an integrated access_token refresh thread and nearly 100% API coverage. During the setup the user receives a 5 digit code. He authorizes the client via link.tidal.com. The access_token lasts 7 Days. But you can refresh it at every time with the refresh_token. At some point I will publish all 10 DRM-Free client_ids and client_secrets that I gathered from de-compiling Apps. https://github.com/openTIDAL/docTIDAL/wiki/Authentication

[JuniorJPDJ]

@DerNuntius it would probably be better to public method of gathering them, not making them directly public ;)

[hmelder]

Yep, that's why I've removed them. A chinese ripping tool used them and I don't support that.

On Thu, Nov 19, 2020 at 7:12 AM JuniorJPDJ notifications@github.com wrote:

@DerNuntius https://github.com/DerNuntius it would probably be better to public method of gathering them, not making them directly public ;)

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/MusicPlayerDaemon/MPD/issues/545#issuecomment-730153200, or unsubscribe https://github.com/notifications/unsubscribe-auth/AK35JFDEUOAIC572IJ6ADM3SQSZLFANCNFSM4HLJRE6Q .

[jcorporation]

Closing, Tidal plugin was removes since ver 0.22.10