
Is there any method to modify, e.g., a playlist via the Web API with a console-based application in the Client Credentials Flow? https://developer.spotify.com/web-api/authorization-guide/#client-credentials-flow

Probably not, but maybe I am wrong? I want to modify only my user's data.

Here I created an issue at the API specification: https://github.com/spotify/web-api/issues/165

mastier

1 Answer


One of the benefits of the Client Credentials OAuth 2.0 flow is that applications can make authenticated requests to a web service without needing to involve an end user. Since a user isn't involved, the requests that can be made from the application are limited. For example, using Spotify's API, you can still make requests to retrieve track metadata and playlist contents, and search for albums. Any endpoint that requires a scope can't be used, since it requires user interaction.

So using Client Credentials simply doesn't make sense if you're interested in making requests on behalf of a user, or if you want to access private data, since the user needs to give you permission first.

You need to use the Implicit Grant or Authorization Code flow for this. I advise that you read further about the supported OAuth 2.0 flows in the Authorization Guide. One of the benefits of using the Authorization Code flow is that you'll also retrieve a refresh token, which you can use to obtain new access tokens indefinitely. It does, however, require you to write a web service that accepts an authorization code and exchanges it for the tokens. The Implicit Grant flow doesn't return a refresh token, so the access token can only be used for one hour, until it has expired.

Michael Thelin
  • Thank you, I see now that it is just because of the principles of the OAuth 2.0 standard. It actually makes sense. I just wonder why I cannot have read-write access to the given user data without an application in between, and why that application needs to have received the authorization data through a redirect-uri callback. Is the Client Credentials Flow part of the OAuth 2.0 standard? I can't see that at first sight. So it appears I need to once get the authorization code for the given user, then I can have: - permanent access? (am I? with the authorization flow?) - short-time? (with implicit grant?) – mastier Feb 03 '16 at 15:02
  • I've updated my response with a link to the Client Credentials specification, which is part of the official OAuth 2.0 standard. I've also added some information about the other two flows. If you have more questions about this, please create a new question instead of following up in the comment section. Of course, if this answer is unclear then I'll try to amend it. – Michael Thelin Feb 03 '16 at 15:56
  • Excellent, I think it fulfils my question. I will follow that road further. Thank you. – mastier Feb 03 '16 at 16:30
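The console-app case from the question, worked through as an added example (this is not code from the original answer, from Spotify, or from the github issue). It shows why the Client Credentials request carries no user and yields no refresh token, and how a command-line program can still run the Authorization Code flow: the "web service that accepts an authorization code" the answer mentions is just a one-shot HTTP listener on loopback that the program itself starts, registered as the app's redirect URI. The endpoint URLs and parameter names follow Spotify's authorization guide; CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, the chosen scopes, and the injected `post_form` / `obtain_callback_query` callables are assumptions for illustration. The `state` check in `parse_callback` is the part a practitioner should not skip: without it, any redirect that reaches the listener would be accepted and its code exchanged, which lets an attacker plant a code from their own session into your app.

```python
import base64
import hmac
import http.server
import json
import secrets
import urllib.parse
import urllib.request
import webbrowser

# Spotify Accounts service endpoints (as documented in the authorization guide).
AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"

# Assumed placeholders for illustration; a real app reads these from its environment.
CLIENT_ID = "your-client-id"
CLIENT_SECRET = "your-client-secret"
REDIRECT_URI = "http://127.0.0.1:8888/callback"  # loopback listener run by the console app
SCOPES = ["playlist-modify-private", "playlist-modify-public"]


def basic_auth_header(client_id, client_secret):
    """The token endpoint authenticates the *application*, not the user, with HTTP Basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": "Basic " + creds}


def client_credentials_request(client_id, client_secret):
    """App-only token request: no user, no redirect, but the response carries no
    refresh_token and the token is rejected by any endpoint that needs a user scope."""
    return basic_auth_header(client_id, client_secret), {"grant_type": "client_credentials"}


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1 of Authorization Code: the URL the user's browser is sent to."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(query, expected_state):
    """Step 2: validate the redirect back to redirect_uri. A missing or wrong state
    means the callback was not produced by our login attempt (CSRF / code injection)."""
    q = urllib.parse.parse_qs(query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    if "code" not in q:
        raise ValueError("callback carried neither code nor error")
    return q["code"][0]


def code_exchange_request(code, redirect_uri, client_id, client_secret):
    """Step 3: form body that swaps the one-time code for access + refresh tokens.
    redirect_uri must be identical to the one sent in step 1."""
    return basic_auth_header(client_id, client_secret), {
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}


def refresh_request(refresh_token, client_id, client_secret):
    """Later: mint a fresh access token without involving the user again."""
    return basic_auth_header(client_id, client_secret), {
        "grant_type": "refresh_token", "refresh_token": refresh_token}


def authorization_code_login(post_form, obtain_callback_query, scopes=SCOPES,
                             client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                             redirect_uri=REDIRECT_URI):
    """Whole console login. post_form(url, headers, data) -> dict performs the token
    POST; obtain_callback_query(url) -> str sends the user to `url` and returns the
    query string that arrived at redirect_uri. Both are injected (assumed interface)
    so the same flow runs against the real service or a fake transport."""
    state = secrets.token_urlsafe(16)
    query = obtain_callback_query(build_authorize_url(client_id, redirect_uri, scopes, state))
    code = parse_callback(query, state)
    headers, data = code_exchange_request(code, redirect_uri, client_id, client_secret)
    return post_form(TOKEN_URL, headers, data)


def wait_for_loopback_callback(authorize_url, port=8888):
    """Real-run obtain_callback_query: open the browser, then block until Spotify
    redirects the user to the loopback listener, and return the raw query string."""
    captured = {}

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            captured["query"] = urllib.parse.urlsplit(self.path).query
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Login complete; you can close this tab.")

    webbrowser.open(authorize_url)
    with http.server.HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()  # serve exactly one request, then stop
    return captured["query"]


def urllib_post_form(url, headers, data):
    """Real-run post_form using only the standard library."""
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers)) as r:
        return json.load(r)
```

For a real run, `authorization_code_login(urllib_post_form, wait_for_loopback_callback)` opens the browser, waits for the redirect on port 8888, and returns the token JSON; keep the `refresh_token` from that response and feed it to `refresh_request` once the hour-long access token expires, which is the "indefinite" access the answer describes. Register the exact loopback redirect URI in the app's dashboard settings, since the token endpoint rejects an exchange whose `redirect_uri` differs from the one sent to `/authorize`.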