quadule closed 3 years ago
I have this implemented in https://github.com/quadule/knobby/tree/pkce but am not sure if I want to merge it. Spotify's PKCE implementation revokes the old refresh_token whenever fetching an access_token, which complicates things slightly: If a network or device glitch ever prevents the updated refresh_token from being saved, the user would have to re-authenticate in a browser. This is also annoying when testing the software because it prevents sharing of tokens between devices.
This should eliminate the need to compile in the client_secret and make it possible to release a firmware binary.
https://developer.spotify.com/documentation/general/guides/authorization-guide/#authorization-code-flow-with-proof-key-for-code-exchange-pkce
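
The comment about refresh_token rotation describes a device glitch losing the updated token. The sketch below is an added example, not code from the knobby repository or from the commenter, and covers only that device-side case: the rotated token is staged in a side file, flushed, then renamed over the live file, so an interruption leaves the previous token readable. The function names and file layout are hypothetical, and a POSIX-style filesystem with atomic rename() is assumed.

```cpp
// Added example: crash-safe persistence of a rotated refresh_token.
// Assumption: POSIX-style filesystem where rename() atomically replaces the target.
#include <cstdio>
#include <string>
#include <unistd.h>  // fsync

// Hypothetical helper: read the whole token file; empty string if it is absent.
std::string load_refresh_token(const std::string& path) {
    std::string token;
    if (FILE* f = std::fopen(path.c_str(), "rb")) {
        char buf[256];
        std::size_t n;
        while ((n = std::fread(buf, 1, sizeof buf, f)) > 0) token.append(buf, n);
        std::fclose(f);
    }
    return token;
}

// Step 1: write the new token to a side file and flush it to storage.
// If power is lost here, the live file still holds the previous token.
bool stage_refresh_token(const std::string& path, const std::string& token) {
    const std::string tmp = path + ".new";
    FILE* f = std::fopen(tmp.c_str(), "wb");
    if (!f) return false;
    bool ok = std::fwrite(token.data(), 1, token.size(), f) == token.size();
    ok = (std::fflush(f) == 0) && ok;
    ok = (fsync(fileno(f)) == 0) && ok;
    ok = (std::fclose(f) == 0) && ok;
    if (!ok) std::remove(tmp.c_str());  // do not leave a partial side file behind
    return ok;
}

// Step 2: atomically swap the staged file into place.
bool commit_refresh_token(const std::string& path) {
    return std::rename((path + ".new").c_str(), path.c_str()) == 0;
}

// Call as soon as the token response is parsed, before using the access_token.
bool save_rotated_refresh_token(const std::string& path, const std::string& token) {
    if (token.empty()) return false;  // never replace a good token with nothing
    return stage_refresh_token(path, token) && commit_refresh_token(path);
}
```

This does not help when the token response itself is lost in transit after the server has already rotated the token.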