What is OAuth and how does it work?
The OAuth flow
There are five main steps in the OAuth flow: Step 0: Client obtains client ID and client secret Step 1: Client requests authorization to access data from Spotify Step 2: Spotify authorizes access to client Step 3: User grants app access to their Spotify data Step 4: Client receives access token from Spotify Step 5: Client uses access token to request data from Spotify
OAuth Roles
There are four main roles that need to "shake hands" to get a unique access token to access resources from a service: 1. Resource Server: The API which stores data the application wants to access (Spotify API) 2. Resource Owner: Owns the data in the resource server (the user who wants to log into our app with Spotify is the owner of their Spotify account) 3. Client: The application that wants to access your data (our app) 4. Authorization Server: The server that receives requests from the client for access tokens and issues them upon successful authentication and consent by the resource owner (Spotify Accounts Service)
Step 3: User grants app access to their Spotify data
After step 2, the user is redirected to a page on the Spotify authorization server where they can grant the app access to their Spotify account. In our case, the user will have been sent to a page that belongs to the Spotify accounts service (note the accounts.spotify.com URL in the screenshot below), where they can log in to Spotify.
Step 0: Client obtains client ID and client secret
Before any client or server requests are even made, there are two things the client (our app) needs in order to kick off the OAuth flow: the client ID and the client secret. These are two strings that are used to identify and authenticate your specific app when requesting an access token.
Step 5: Client uses access token to request data from Spotify
Finally, the client can use the access token to access resources from the resource server (the Spotify API).
Step 1: Client requests authorization to access data from Spotify
First, the client (our app) sends an authorization request containing the client ID and secret to the authorization server (the Spotify Accounts Service). This request also includes any scopes the client needs and a redirect URI which the authorization server should send the access token to.
What is OAuth and why do we need it?
OAuth (Open Authorization) is a secure protocol that allows you to approve one application interacting with another on your behalf without giving away your password. Instead of passing user credentials from app to app, OAuth lets you pass authorization between apps over HTTPS with access tokens (kind of like a special code). For example, you can tell Facebook that it's okay for Spotify to access your profile or post updates to your timeline without having to give Spotify your Facebook password. This way it's less risky for both you and Facebook — in the event Spotify suffers a breach, your Facebook password remains safe.
Authorization, not authentication
OAuth is about authorization, not authentication. Authorization is asking for permission to do things. Authentication is about proving you are the correct person by providing credentials like a password.
Step 4: Client receives access token from Spotify
Once the user grants access by logging into Spotify, the authorization server redirects the user back to the client (our app) with an access token. Sometimes, a refresh token is also returned with the access token.
Tokens
Our app needs an access token to successfully access resources on the Spotify API. With every API request we make, we'll include our token in the HTTP request headers. If we don't, the Spotify API will reject our requests for any data. You can think of access tokens like the two-factor authentication codes that some services send you via text message for you to log in. Just like two-factor auth codes, OAuth tokens have a limited time in which they are valid. After a while, all tokens expire, and you'll need to request another one (or refresh it). In the end, this is all for security — in case someone gets hold of your unique access token, they can only access your private data for a limited amount of time before they're locked out.
Scopes
Scopes are used to specify exactly which resources should be available to the client that is asking for authorization. They provide users of third-party apps with the confidence that only the information they choose to share will be shared. The resource server (in our case, the Spotify API) is in charge of defining these scope values, and which resources they relate to.
Step 2: Spotify authorizes access to client
Second, the authorization server (Spotify) authenticates the client (our app) using the client ID and secret, then verifies that the requested scopes are permitted.