Support PKCE oauth flow #6

Closed
anatosun opened this issue Aug 21, 2022 · 10 comments
Labels: enhancement (New feature or request)

Comments

@anatosun

It would be handy to have a dedicated spotify client and secret rather than having each user make one.

@jbh-cloud
Collaborator

@fwicht to confirm, you are wanting spotify_sync to have a global client that you authorize permission to read your Spotify account with?

Unless I'm missing something, that would mean there is a client id and secret, publicly available in the repo that has access to every user that has authorized it. That would be a massive data breach for other users.

@anatosun
Author

That's what I meant indeed, and of course, in the current state, providing the id and secret would imply a security breach. For this very purpose, Spotify recommends using a different authorisation flow in their documentation:

In scenarios where storing the client secret is not safe (e.g. desktop, mobile apps or JavaScript web apps running in the browser), you can use the authorization code with PKCE, as it provides protection against attacks where the authorization code may be intercepted.

Yet, I don't know how feasible it is in this very instance.
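The PKCE mechanism quoted above, shown as an added example that is not spotify_sync's own code: the client keeps a random code_verifier, sends only its SHA-256 challenge in the authorization request, and the token endpoint later checks that whoever redeems the authorization code can present the matching verifier. The client id, redirect URI and scope in the usage are placeholder assumptions.

```python
# Added example (not spotify_sync's own code): the PKCE (RFC 7636) mechanics
# that let a public client, such as a shipped desktop app with no secret,
# authorize against Spotify without embedding a client secret.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

SPOTIFY_AUTHORIZE_URL = "https://accounts.spotify.com/authorize"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random high-entropy verifier; 32 bytes encode to 43 chars (allowed: 43..128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, challenge: str) -> str:
    """Authorization request: only the challenge leaves the client, never the verifier."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF protection, unrelated to PKCE but always sent
        "code_challenge_method": "S256",
        "code_challenge": challenge,
    }
    return f"{SPOTIFY_AUTHORIZE_URL}?{urlencode(params)}"


def server_accepts_token_request(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server checks at the token endpoint: an intercepted
    authorization code alone is useless because the thief never saw the verifier."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    # "CLIENT_ID_PLACEHOLDER" stands in for a real (public) client id.
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", "http://localhost:8080/callback",
                              "user-library-read", secrets.token_urlsafe(16),
                              make_code_challenge(verifier)))
```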

@jbh-cloud
Collaborator

Interesting, I wasn't aware of PKCE. I will have a look to see how it may work in this context.

@jbh-cloud jbh-cloud self-assigned this Aug 23, 2022
@jbh-cloud jbh-cloud added the enhancement New feature or request label Aug 23, 2022
@jbh-cloud jbh-cloud changed the title Ship software with own spotify client and secret Support PKCE oauth flow Aug 23, 2022
@jbh-cloud
Collaborator

@fwicht in order to set up PKCE I need to create a new OAuth application that people will authorize against. By default the app status is created as 'Development Mode', which will only allow up to 25 people to authorize against it.

You can apply for a quota extension, but I don't think this will likely be accepted. Requirements below:

[image: Spotify quota extension requirements]

@anatosun
Author

anatosun commented Sep 3, 2022

You think that due to the first point (significant user-base) the application will not be accepted?

@jbh-cloud
Collaborator

Yes, partly because of user base, and also I don't think they're going to want to onboard an application that is claiming to download Spotify songs, even if it ultimately doesn't come from Spotify.

@anatosun
Author

Yes, I agree with you on this. Yet, I wonder how the devs of Lidarr have managed to have the quota extension. (They do have the user base though)

@jbh-cloud
Collaborator

I think Lidarr (as with all the *arr suite) can argue it's a media management product.

I'm going to close this down; if it becomes easier in the future I will reopen.

@jbh-cloud jbh-cloud closed this as not planned Won't fix, can't repro, duplicate, stale Sep 22, 2022
@jbh-cloud jbh-cloud reopened this Nov 30, 2022
@jbh-cloud
Collaborator

@fwicht this is now supported in 1.1.0, see FAQ in docs

@Shabinder

@jbh-cloud gr8,
may I ask if you are comfortable with sharing your extension request, and how much time it took, any insights would be gr8.
