Open nkovshov opened 3 years ago
It seems like PKCE works fine when passing null
for clientSecret
when using the 'Authorization Code Flow':
final credentials = SpotifyApiCredentials(clientId, null);
spotify = SpotifyApi.fromAuthCodeGrant(grant, responseUri);
But it doesn't work when later using the 'Saved Credentials Flow':
spotify = SpotifyApi(spotifyCredentials);
It seems like PKCE works only with the SpotifyApi.fromAuthCodeGrant(grant, responseUri)
constructor and not with the SpotifyApi(spotifyCredentials)
default constructor.
Is there any way to use PKCE with the 'Saved Credentials Flow'?
Okay I managed to find a sloppy workaround:
I manually created an oauth2 client based on the saved credentials ('creds' here):
import 'package:oauth2/src/client.dart';
import 'package:oauth2/src/credentials.dart';
Credentials credentials = Credentials(creds.accessToken!,
refreshToken: creds.refreshToken,
idToken: creds.clientId,
tokenEndpoint: creds.tokenEndpoint,
scopes: creds.scopes,
expiration: creds.expiration);
Client client = Client(credentials,
identifier: clientId,
secret: null,
basicAuth: true,
httpClient: http.Client(),
onCredentialsRefreshed: _onCredentialsRefreshed);
And then create a SpotifyApi instance with the .fromClient
constructor.
spotify = SpotifyApi.fromClient(client);
However there are multiple things wrong with this, one of which being that a direct import from another package is required.
For now this works, but I'd like to see a better solution.
Will this be added?
Thanks for this! Getting the token and creating the client works fine using the hack from @Ruud14. But how do you manually refresh the token now that it's going outside the spotify-dart library?
@rinukkusu should we add a "help wanted" label for this issue?
It's not documented, but passing
null
forclientSecret
:forces
oauth2
lib to generate challenge and follow PKCE auth flow (https://developer.spotify.com/documentation/general/guides/authorization-guide/#authorization-code-flow-with-proof-key-for-code-exchange-pkce) and it worked out of the box for me.It may be worth to document it.