Making GET requests instead of redirects in Spotify OAuth with Flask

miar · August 28, 2025, 11:18pm

I have a working Flask app that handles Spotify OAuth authentication. The current implementation redirects users to Spotify’s authorization URL and everything works fine. But I want to change how it works.

from flask import Flask, request, redirect, jsonify
import requests
import urllib.parse
import base64

app = Flask(__name__)
app.secret_key = 'my_secret_key'

SPOTIFY_AUTH_URL = 'https://accounts.spotify.com/authorize'
SPOTIFY_TOKEN_URL = 'https://accounts.spotify.com/api/token'

APP_ID = 'your_app_id'
APP_SECRET = 'your_app_secret'
CALLBACK_URL = 'http://localhost:5000/auth_callback'

@app.route('/')
def index():
    return "Welcome <a href='/authorize'>Login with Spotify</a>"

@app.route('/authorize')
def authorize():
    permissions = 'user-read-private user-read-email'
    query_params = {
        'client_id': APP_ID,
        'response_type': 'code',
        'redirect_uri': CALLBACK_URL,
        'scope': permissions,
        'show_dialog': True
    }
    
    spotify_auth_url = f"{SPOTIFY_AUTH_URL}?{urllib.parse.urlencode(query_params)}"
    return redirect(spotify_auth_url)

@app.route('/auth_callback')
def auth_callback():
    if 'error' in request.args:
        return jsonify({'error': request.args['error']})
    
    auth_code = request.args.get('code')
    if not auth_code:
        return jsonify({'error': 'Missing authorization code'})
    
    # Encode credentials
    credentials = base64.b64encode(
        f"{APP_ID}:{APP_SECRET}".encode()
    ).decode()
    
    request_headers = {
        'Authorization': f'Basic {credentials}',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    token_data = {
        'grant_type': 'authorization_code',
        'code': auth_code,
        'redirect_uri': CALLBACK_URL
    }
    
    try:
        token_response = requests.post(SPOTIFY_TOKEN_URL, headers=request_headers, data=token_data)
        token_response.raise_for_status()
        return jsonify(token_response.json())
    except requests.exceptions.RequestException as error:
        return jsonify({
            'error': 'Token request failed',
            'message': str(error)
        }), 500

if __name__ == '__main__':
    app.run(port=5000, debug=True)

My problem is that instead of redirecting users to the authorization URL, I want to make a GET request to it and handle the response in my callback route. When I try this approach, I can receive the authorization code but I get authentication errors when trying to exchange it for an access token. Is this a limitation built into Spotify’s OAuth system or am I missing something in my implementation? I’m using the authorization code flow for this.

Finn_Mystery · September 4, 2025, 7:15am

This is how OAuth 2.0 authorization code flow works - users have to interact directly with Spotify’s auth interface. You redirect them to the authorization URL so they can enter their credentials and approve your app’s permissions. Making a programmatic GET request won’t work because the auth code is tied to that specific user session from the redirect. For user data, you’ve got to use the redirect method you already set up. If you need automation, look into Client Credentials flow, but that only gives you app-level access, not user-specific data.

henryg · September 4, 2025, 5:48am

this wont work coz oauth needs user consent via browser redirects. when you do a direct get request, spotify dont see the user actually approving your apps permissions. the auth code you get back is useless since it wasnt generated through proper user interaction. stick with redirects - thats not a bug, its a security feature.

jade_journey · September 2, 2025, 4:44am

You’re hitting a fundamental OAuth security feature. When you make a direct GET request instead of redirecting the user, you break the session flow Spotify expects.

The authorization code gets tied to the original redirect session. Try to intercept it programmatically and Spotify’s servers detect the mismatch and reject your token exchange.

But automation can still help. Instead of hacking around OAuth flows, automate everything that happens after the user authorizes your app.

I’ve handled similar scenarios by setting up automated workflows that trigger once I get the access token. The user still does the initial auth dance, but everything else runs on autopilot.

Latenode makes this smooth. You can create workflows that automatically refresh tokens, sync user data, trigger API calls based on schedules or webhooks, and handle all the downstream automation you probably want with that Spotify data anyway.

Keep your current redirect flow for initial auth, but let automation handle everything else. Way cleaner than fighting OAuth protocols.

ExcitedGamer85 · September 1, 2025, 1:42am

This happens because of browser security, not OAuth requirements. When you make a server-side GET request to Spotify’s auth endpoint, you’re completely bypassing the user’s browser session. Spotify expects the authorization code to come from the same browser session that started the auth flow.

I ran into this exact issue building a music analytics tool. The authorization code has session-specific data that only works when it comes from the right browser context. Direct requests break that connection between the session that created the code and the one trying to use it.

Your redirect approach is actually correct. OAuth requires user interaction through their browser for security - it prevents unauthorized access and makes sure users actually consent to permissions. If you want less friction, implement token refresh logic to cut down on re-authentication instead of trying to bypass the flow.