The only way to revoke Spotify API tokens is to delete your account (opens in new tab)

(olav.it)

140 pointsoal9y ago40 comments

40 comments

This could actually be the source of a bug I (and others) have been experiencing for a while. I'm listening to Spotify when all of a sudden, music pauses and I get a "your account is being used somewhere else". The first few times I actually though it was true, but since then I've tried to "log out from every device" and log in again on one device, only to find the bug happening again 2 minutes later.

Seeing that, my hypothesis is that I gave Spotify access to a 3rd party app way back (maybe a Sonos sound system at a rental house, maybe the Uber app) that has been using my token to play music without my explicit consent… and there is no way for me to revoke those tokens.

rorosaurus9y ago

I did exactly that (use a Sonos system at a rental and specifically used the "log out of every device") to avoid an issue like this. It's been a couple months and I haven't been logged out yet, but maybe I'm just lucky.

This is really disappointing from the Spotify team, but if I'm being honest with myself that's fairly par for the course.

chris_79y ago

Do you have two or more MacBooks? Kill app nap for Spotify on all of them:

    defaults write com.spotify NSAppSleepDisabled -bool YES

hrrsn9y ago

My friend has been having the exact same problem. He's changed his password, logged out of all devices, etc. Still happens.

daegloe9y ago

Official Spotify Web API feature request ticket: https://github.com/spotify/web-api/issues/126

petetnt9y ago

Sometimes I really wonder what people who post stuff like this on issue comments aim to achieve:

  @thelinmichael Guys wake up!!!!!! How can you implement an OAuth 2.0 without the ability to revoke access? I mean HOW DARE YOU?

  Fix this ASAP

I understand the frustration, but they aren't exactly helping the situation.

SilasX9y ago

In fairness, that's right about how I feel about the rendering of monospace in HN comments, and how HN commenters continue to use monospace for quoting even knowing how long lines will appear; I'm just a little better at expressing my dissatisfaction.

BlackjackCF9y ago

Same kind of folks who end up yelling at customer service or wait staff for something that's gone wrong.

Yelling isn't productive and it's not going to solve anything. You can totally communicate your frustration without resorting to raising your voice. If anything, making people that distressed is only counterintuitive and counterproductive.

1 more reply

dangerlibrary9y ago

Spotify, in general, appears to consider accounts disposable. I think I saw something about this getting better recently, but a few months ago the only way to move my paid account to a family subscription was to delete the old account and create new accounts for everyone I wanted in the family plan.

ben_jones9y ago

I imagine this comes from the various trial offerings they've had for new customers, including student discounts and family discounts. I myself have gone through ~3 accounts taking advantage of this over the years and I imagine their metrics show a high account churn such that it is not an unreasonable conclusion to view accounts as disposable.

IMO it's certainly better then facebook's undisposable position where you are never deleting your account and every service that uses facebook serves as a mechanism for creating, reactivating, or connecting, with that one account. As a subscription service Spotify should probably make it easier to switch between subscription tiers, but I'm happy enough with the company to at least defend them a little bit :-P.

k-mcgrady9y ago

As a user Facebook's approach seems much better. I can't remember specifically what it was but I recently wanted to make a change to my Spotify account (which I've had since it first launched in the UK in 2009). Support told me the only option was to create a new account. This would have meant losing all of the songs I'd saved over the years, all playlists I'd created, and all playlists I was following. I'd also have to make all of the necessary friend connections again to access playlists I was collaborating on. The worst part is that the 'profile' Spotify has built that makes it's recommendations decent for me would be lost so Discover Weekly and recommendations would suck until it had built a new profile. That's a horrible experience for the user.

lyonlim9y ago

Indeed. Some time back (more than one year ago), I contacted support to delink my paid account from Facebook. Their suggestion was to create a new account... and I think they helped with transferring my playlists, then deleted my Facebook-linked account.

y46ukgrc2n69y ago

I attempted to do exactly the same operation on Google Music and it was even worse. It wouldn't show the option to upgrade to a family plan anywhere. Turns out that signing up for Google Music All Access also gets you YouTube Red, and that YouTube Red subscription has to be deleted before you can upgrade All Access to the family plan (which also gives you a new YouTube Red subscription). It took a conversation with a google support rep to figure this out, and I think someone who is not a programmer would have a harder time understanding this failure mode.

cocotino9y ago

I remember back when they had a limit of minutes per month and I had to create like 5 Facebook accounts to bypass it.

TarpitCarnivore9y ago

It was pretty effortless for me. I just invited my wife via the email address she had registered and it connected it to the plan. Her account was previously on the free tier so maybe that's why.

melvinmt9y ago

Hmm, I just upgraded my ancient account (2008) to the family plan with no troubles.

skykooler9y ago

Which is pretty awful for anyone who signs on with Facebook.

tekromancr9y ago

I believe you can login direct to spotify using your fb credals.

EdJiang9y ago

I work at Stormpath (an Auth as a Service company) and see stuff like this all the time. It's actually really hard to do token revocation properly; People implement tokens and see revocation as a feature to be implemented "in the future".

I also noticed, for instance, that a LinkedIn app developer cannot rotate API Keys used to access LinkedIn's service. Again, the solution is to delete the app & restart. :/

yoo1I9y ago

Would you mind sharing a bit what makes you say it's really hard ?

EdJiang9y ago

No problem. It might not seem obvious when you build small-mid size backends, because in that scenario you might have an access token stored in your database that's checked each time someone makes a request. Token revocation is as easy as deleting that access token from your database.

Once you start building something at scale, it's harder to revoke tokens instantly. You still need to validate the token on each request, you need to build a highly available, fault tolerant system that can scale with the load of the rest of your application. Usually to reduce this load and improve performance, you'll see two strategies to deal with it:

Caching - check for the access token on the first request, and cache the access token for a certain period of time.

Signed / Encrypted tokens - JWTs are one example. The token contains the user ID, expiration, and other info, and is signed / encrypted. A server can read this, and knowing the signing key, verify the token.

However, if you revoke one of these tokens, it's not instant. A centralized store won't update any of the caches, and a Signed / Encrypted token lives on the client. So for token revocation, you now need to create a cache invalidation scheme, or maintain a blacklist of signed tokens.

While it's still not that hard, it'd hard enough that most teams would rather work on a new feature or something else that's on fire than figuring out token revocation.

2 more replies

frogpelt9y ago

Somewhat off-topic but the only way to revoke Spotify Connect access to a device is to change your password, then log out, and back in.

I found that until I did the above I could not remove my friend's Denon receiver from the list of devices.

iMerNibor9y ago

Actually contacted support on this asking them to revoke all tokens - they responded I'd have to create a new account to remove the facebook integration ...cause that's what I asked for, after another 2 emails back and forth I just gave up

runeks9y ago

I really hope we move past a model where a company both needs good lawyers, to get the licensing deal with the record companies, and a good software team, to get the app right. I really hope an intermediate layer arises, such that talented app developers can write good streaming music apps without needing to talk to the RIAA first, but rather by just purchasing access to the content through some "music wholesale" service.

josephby9y ago

Delete your account!

flippyhead9y ago

Ok so the lesson here is be really careful where you allow API access using your keys.

x1798DE9y ago

I think the lesson is that you only have to trick people into authorizing your malicious app once.

lostlogin9y ago

Which makes a mockery of their advertising showing music everywhere easily.

j / k navigate · click thread line to collapse

40 comments

cissou9y ago

rorosaurus9y ago

This is really disappointing from the Spotify team, but if I'm being honest with myself that's fairly par for the course.

chris_79y ago

Do you have two or more MacBooks? Kill app nap for Spotify on all of them:

    defaults write com.spotify NSAppSleepDisabled -bool YES

hrrsn9y ago

My friend has been having the exact same problem. He's changed his password, logged out of all devices, etc. Still happens.

daegloe9y ago

Official Spotify Web API feature request ticket: https://github.com/spotify/web-api/issues/126

petetnt9y ago

Sometimes I really wonder what people who post stuff like this on issue comments aim to achieve:

  @thelinmichael Guys wake up!!!!!! How can you implement an OAuth 2.0 without the ability to revoke access? I mean HOW DARE YOU?

  Fix this ASAP

I understand the frustration, but they aren't exactly helping the situation.

SilasX9y ago

BlackjackCF9y ago

Same kind of folks who end up yelling at customer service or wait staff for something that's gone wrong.

1 more reply

dangerlibrary9y ago

ben_jones9y ago

k-mcgrady9y ago

lyonlim9y ago

y46ukgrc2n69y ago

cocotino9y ago

I remember back when they had a limit of minutes per month and I had to create like 5 Facebook accounts to bypass it.

TarpitCarnivore9y ago

It was pretty effortless for me. I just invited my wife via the email address she had registered and it connected it to the plan. Her account was previously on the free tier so maybe that's why.

melvinmt9y ago

Hmm, I just upgraded my ancient account (2008) to the family plan with no troubles.

skykooler9y ago

Which is pretty awful for anyone who signs on with Facebook.

tekromancr9y ago

I believe you can login direct to spotify using your fb credals.

EdJiang9y ago

I also noticed, for instance, that a LinkedIn app developer cannot rotate API Keys used to access LinkedIn's service. Again, the solution is to delete the app & restart. :/

yoo1I9y ago

Would you mind sharing a bit what makes you say it's really hard ?

EdJiang9y ago

Caching - check for the access token on the first request, and cache the access token for a certain period of time.

While it's still not that hard, it'd hard enough that most teams would rather work on a new feature or something else that's on fire than figuring out token revocation.

2 more replies

frogpelt9y ago

Somewhat off-topic but the only way to revoke Spotify Connect access to a device is to change your password, then log out, and back in.

I found that until I did the above I could not remove my friend's Denon receiver from the list of devices.

iMerNibor9y ago

runeks9y ago

josephby9y ago

Delete your account!

flippyhead9y ago

Ok so the lesson here is be really careful where you allow API access using your keys.

x1798DE9y ago

I think the lesson is that you only have to trick people into authorizing your malicious app once.

lostlogin9y ago

Which makes a mockery of their advertising showing music everywhere easily.

j / k navigate · click thread line to collapse