
The only way to revoke Spotify API tokens is to delete your account - oal
https://olav.it/post/spotify-third-party-access/
======
cissou
This could actually be the source of a bug I (and others) have been
experiencing for a while. I'm listening to Spotify when all of a sudden, music
pauses and I get a "your account is being used somewhere else". The first few
times I actually thought it was true, but since then I've tried to "log out
from every device" and log in again on one device, only to find the bug
happening again 2 minutes later.

Seeing that, my hypothesis is that I gave Spotify access to a 3rd party app
way back (maybe a Sonos sound system at a rental house, maybe the Uber app)
that has been using my token to play music without my explicit consent… and
there is no way for me to revoke those tokens.

~~~
rorosaurus
I did exactly that (use a Sonos system at a rental and specifically used the
"log out of every device") to avoid an issue like this. It's been a couple
months and I haven't been logged out yet, but maybe I'm just lucky.

This is really disappointing from the Spotify team, but if I'm being honest
with myself that's fairly par for the course.

------
daegloe
Official Spotify Web API feature request ticket:
[https://github.com/spotify/web-api/issues/126](https://github.com/spotify/web-api/issues/126)

~~~
petetnt
Sometimes I really wonder what people who post stuff like this on issue
comments aim to achieve:

    @thelinmichael Guys wake up!!!!!! How can you implement an OAuth 2.0 without the ability to revoke access? I mean HOW DARE YOU?

    Fix this ASAP

I understand the frustration, but they aren't exactly helping the situation.

~~~
BlackjackCF
Same kind of folks who end up yelling at customer service or wait staff for
something that's gone wrong.

Yelling isn't productive and it's not going to solve anything. You can totally
communicate your frustration without resorting to raising your voice. If
anything, making people that distressed is only counterintuitive and
counterproductive.

~~~
forgotpwtomain
> Same kind of folks who end up yelling at customer service or wait staff for
> something that's gone wrong. Yelling isn't productive and it's not going to
> solve anything. You can totally communicate your frustration without
> resorting to raising your voice. If anything, making people that distressed
> is only counterintuitive and counterproductive.

I strongly disagree. I wish it weren't so, but as a matter of fact getting
actively frustrated and asking to be escalated to a manager when on the phone
with a customer-service representative is the only way I've successfully gotten
anything resolved as an insignificant customer of a large co. Personally, I
detest the waste of emotional energy that involves and particularly abhor
contacting customer service for exactly that reason.

edit: For the people down-voting: whether you like it or not is frankly
irrelevant. This is in fact _my real experience_ when dealing with the
customer-service for any number of banks, cable, mobile providers,
flight/hotel booking sites, rental agencies etc.

~~~
mikeash
What else have you tried? In my experience, a lot of people say that you have
to get abusive to get results, but they only say that because that's all they
ever do.

Kindness works _much_ better. You can get stern if the agent is screwing
something up themselves (like if they're failing to understand your actual
problem, or are giving you irrelevant advice), but even then it comes down to
being assertive, not yelling. By all means ask to be escalated to a manager
when it's needed, but you can always do so in a calm and professional way.

Being mean motivates them to get rid of you as quickly as possible. Being nice
motivates them to reciprocate. The former can work to get problems solved, but
the latter works more reliably and produces better results.

~~~
bitJericho
When I did customer service, the only people that got compensated were the
complainers. The nice people just got their problem resolved but did not get
compensated for their troubles. Complainers definitely came out ahead.

~~~
mikeash
I've had plenty of unnecessary statement credits and such just being nice. You
might have done it that way, but I don't think it's the norm.

~~~
bitJericho
Wasn't personal, was company policy. I've been doing customer service for 10
years at various companies. Complainers always win.

------
dangerlibrary
Spotify, in general, appears to consider accounts disposable. I think I saw
something about this getting better recently, but a few months ago the only
way to move my paid account to a family subscription was to delete the old
account and create new accounts for everyone I wanted in the family plan.

~~~
ben_jones
I imagine this comes from the various trial offerings they've had for new
customers, including student discounts and family discounts. I myself have
gone through ~3 accounts taking advantage of this over the years and I imagine
their metrics show a high account churn such that it is not an unreasonable
conclusion to view accounts as disposable.

IMO it's certainly better than facebook's undisposable position where you are
never deleting your account and every service that uses facebook serves as a
mechanism for creating, reactivating, or connecting, with that one account. As
a subscription service Spotify should probably make it easier to switch
between subscription tiers, but I'm happy enough with the company to at least
defend them a little bit :-P.

~~~
k-mcgrady
As a user Facebook's approach seems much better. I can't remember specifically
what it was but I recently wanted to make a change to my Spotify account
(which I've had since it first launched in the UK in 2009). Support told me
the only option was to create a new account. This would have meant losing all
of the songs I'd saved over the years, all playlists I'd created, and all
playlists I was following. I'd also have to make all of the necessary friend
connections again to access playlists I was collaborating on. The worst part
is that the 'profile' Spotify has built that makes its recommendations decent
for me would be lost so Discover Weekly and recommendations would suck until
it had built a new profile. That's a horrible experience for the user.

------
EdJiang
I work at Stormpath (an Auth as a Service company) and see stuff like this all
the time. It's actually really hard to do token revocation properly; People
implement tokens and see revocation as a feature to be implemented "in the
future".

I also noticed, for instance, that a LinkedIn app developer cannot rotate API
Keys used to access LinkedIn's service. Again, the solution is to delete the
app & restart. :/

~~~
yoo1I
Would you mind sharing a bit what makes you say it's really hard?

~~~
EdJiang
No problem. It might not seem obvious when you build small-mid size backends,
because in that scenario you might have an access token stored in your
database that's checked each time someone makes a request. Token revocation is
as easy as deleting that access token from your database.

Once you start building something at scale, it's harder to revoke tokens
instantly. You still need to validate the token on each request, you need to
build a highly available, fault tolerant system that can scale with the load
of the rest of your application. Usually to reduce this load and improve
performance, you'll see two strategies to deal with it:

Caching - check for the access token on the first request, and cache the
access token for a certain period of time.

Signed / Encrypted tokens - JWTs are one example. The token contains the user
ID, expiration, and other info, and is signed / encrypted. A server can read
this, and knowing the signing key, verify the token.

However, if you revoke one of these tokens, it's not instant. A centralized
store won't update any of the caches, and a Signed / Encrypted token lives on
the client. So for token revocation, you now need to create a cache
invalidation scheme, or maintain a blacklist of signed tokens.

While it's still not that hard, it's hard enough that most teams would rather
work on a new feature or something else that's on fire than figuring out token
revocation.
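A worked illustration of the second strategy described in this comment and its revocation cost, added here as an example and not code from the comment author or from Spotify or Stormpath: a self-contained HMAC-signed token that carries the user id, a token id (`jti`) and an expiry, verified statelessly, plus a denylist keyed by `jti` that the verifier must consult to make revocation take effect before the token expires. The signing key and all token values are constructed for the demo.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real service loads this from a secret store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, token_id: str, ttl: int, now: int) -> str:
    """Build a compact 'body.signature' token; the body holds sub, jti and exp (JWT-like, not a full JWT)."""
    claims = {"sub": user_id, "jti": token_id, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


class RevocationList:
    """Denylist of revoked token ids. Each entry only needs to live until the token would expire anyway,
    which keeps the list bounded by token lifetime rather than by total tokens ever issued."""

    def __init__(self):
        self._revoked = {}  # jti -> exp of the revoked token

    def revoke(self, token: str) -> None:
        claims = json.loads(_unb64(token.split(".")[0]))  # caller is the auth server, token already trusted
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, jti: str, now: int) -> bool:
        for j, exp in list(self._revoked.items()):  # prune entries that can no longer matter
            if exp <= now:
                del self._revoked[j]
        return jti in self._revoked


def verify_token(token: str, revoked: RevocationList, now: int):
    """Return the claims for a valid, unexpired, unrevoked token; None otherwise."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # signature check first: never parse claims from an unauthenticated body
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now or revoked.is_revoked(claims["jti"], now):
            return None
        return claims
    except (ValueError, KeyError):  # malformed base64/JSON or missing claim
        return None
```

Without the `RevocationList` lookup the verifier is fully stateless, which is exactly why a signed token cannot be revoked "for free": the denylist (or a cache-invalidation event) is the extra piece every verifying node has to see.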

~~~
acchow
> So for token revocation, you now need to create a cache invalidation scheme

To be a cache, it needs an invalidation scheme already.

Also, no one is asking for "instant" consistency on revoking a token, but at
least "eventual consistency".

~~~
seanp2k2
Yeah, this. I don't care if it takes 24 hours to revoke it across the board,
just let me revoke it somehow. Sub-second revocation isn't something that I'm
aware of anyone asking for in this instance, and global Cassandra quorum
should be on the order of a few seconds for massive data stores. Even with
aggressive caching and long TTLs, you could do something with event
notification for the rare events in which someone invalidates a token, and get
it propagated within seconds around the world.

------
frogpelt
Somewhat off-topic but the only way to revoke Spotify Connect access to a
device is to change your password, then log out, and back in.

I found that until I did the above I could not remove my friend's Denon
receiver from the list of devices.

------
iMerNibor
Actually contacted support on this asking them to revoke all tokens - they
responded I'd have to create a new account to remove the facebook integration
...cause that's what I asked for, after another 2 emails back and forth I just
gave up

------
runeks
I really hope we move past a model where a company both needs good lawyers, to
get the licensing deal with the record companies, and a good software team, to
get the app right. I really hope an intermediate layer arises, such that
talented app developers can write good streaming music apps without needing to
talk to the RIAA first, but rather by just purchasing access to the content
through some "music wholesale" service.

------
josephby
Delete your account!

------
flippyhead
Ok so the lesson here is be really careful where you allow API access using
your keys.

~~~
x1798DE
I think the lesson is that you only have to trick people into authorizing your
malicious app once.

