The only way to revoke Spotify API tokens is to delete your account

olav.it

140 points by oal 9 years ago · 40 comments


cissou 9 years ago

This could actually be the source of a bug I (and others) have been experiencing for a while. I'm listening to Spotify when all of a sudden, music pauses and I get a "your account is being used somewhere else". The first few times I actually thought it was true, but since then I've tried to "log out from every device" and log in again on one device, only to find the bug happening again 2 minutes later.

Seeing that, my hypothesis is that I gave Spotify access to a 3rd party app way back (maybe a Sonos sound system at a rental house, maybe the Uber app) that has been using my token to play music without my explicit consent… and there is no way for me to revoke those tokens.

  • rorosaurus 9 years ago

    I did exactly that (use a Sonos system at a rental and specifically used the "log out of every device") to avoid an issue like this. It's been a couple months and I haven't been logged out yet, but maybe I'm just lucky.

    This is really disappointing from the Spotify team, but if I'm being honest with myself that's fairly par for the course.

  • chris_7 9 years ago

    Do you have two or more MacBooks? Kill app nap for Spotify on all of them:

        defaults write com.spotify NSAppSleepDisabled -bool YES

  • hrrsn 9 years ago

    My friend has been having the exact same problem. He's changed his password, logged out of all devices, etc. Still happens.

daegloe 9 years ago

Official Spotify Web API feature request ticket: https://github.com/spotify/web-api/issues/126

  • petetnt 9 years ago

    Sometimes I really wonder what people who post stuff like this on issue comments aim to achieve:

      @thelinmichael Guys wake up!!!!!! How can you implement an OAuth 2.0 without the ability to revoke access? I mean HOW DARE YOU?
    
      Fix this ASAP
    
    I understand the frustration, but they aren't exactly helping the situation.

    • SilasX 9 years ago

      In fairness, that's right about how I feel about the rendering of monospace in HN comments, and how HN commenters continue to use monospace for quoting even knowing how long lines will appear; I'm just a little better at expressing my dissatisfaction.

    • BlackjackCF 9 years ago

      Same kind of folks who end up yelling at customer service or wait staff for something that's gone wrong.

      Yelling isn't productive and it's not going to solve anything. You can totally communicate your frustration without resorting to raising your voice. If anything, making people that distressed is only counterintuitive and counterproductive.

      • forgotpwtomain 9 years ago

        > Same kind of folks who end up yelling at customer service or wait staff for something that's gone wrong. Yelling isn't productive and it's not going to solve anything. You can totally communicate your frustration without resorting to raising your voice. If anything, making people that distressed is only counterintuitive and counterproductive.

        I strongly disagree. I wish it weren't so, but as a matter of fact getting actively frustrated and asking to be escalated to a manager when on the phone with a customer-service representative is the only way I've successfully gotten anything resolved as an insignificant customer of a large co. Personally, I detest the waste of emotional energy that involves and particularly abhor contacting customer service for exactly that reason.

        edit: For the people down-voting: whether you like it or not is frankly irrelevant. This is in fact my real experience when dealing with the customer-service for any number of banks, cable, mobile providers, flight/hotel booking sites, rental agencies etc.

        • mikeash 9 years ago

          What else have you tried? In my experience, a lot of people say that you have to get abusive to get results, but they only say that because that's all they ever do.

          Kindness works much better. You can get stern if the agent is screwing something up themselves (like if they're failing to understand your actual problem, or are giving you irrelevant advice), but even then it comes down to being assertive, not yelling. By all means ask to be escalated to a manager when it's needed, but you can always do so in a calm and professional way.

          Being mean motivates them to get rid of you as quickly as possible. Being nice motivates them to reciprocate. The former can work to get problems solved, but the latter works more reliably and produces better results.

          • bitJericho 9 years ago

            When I did customer service, the only people that got compensated were the complainers. The nice people just got their problem resolved but did not get compensated for their troubles. Complainers definitely came out ahead.

            • forgotpwtomain 9 years ago

              It's a loss minimization function, right? You want to compensate those most likely to go write a negative review or make angry social media tweets about you. That's why, contrary to what GGGP says, I actually think:

                @thelinmichael Guys wake up!!!!!! How can you implement an OAuth 2.0 without the ability to revoke access? I mean HOW DARE YOU?
              
                Fix this ASAP
              
              Might actually impel some manager to make changes, if only to get rid of the attention from these unpleasant people in social media.

            • mikeash 9 years ago

              I've had plenty of unnecessary statement credits and such just being nice. You might have done it that way, but I don't think it's the norm.

              • bitJericho 9 years ago

                Wasn't personal, was company policy. I've been doing customer service for 10 years at various companies. Complainers always win.

        • noxToken 9 years ago

          Two things:

          First of all, there is a fine line between being assertive and aggressive. If you have an issue but aren't assertive with first tier customer support, your attempts may get rebuffed. It's a combination of lack of knowledge (haven't worked there long enough or convoluted rules) and wanting to stay within their working parameters (e.g. accidentally giving promo pricing to someone who doesn't meet the requirements).

          In this case, be firm without being an asshole. State your issue with all of the necessary details, what actually happened, what you were expecting to happen, etc. If they can't meet your request, ask for an explanation. If need be, have them explain the policy regarding your issue.

          Secondly, the first tier of customer support is generally limited in what they're able to accomplish without some kind of supervisor intervention. If they aren't solving your problem, you don't need to get angry and raise your voice at the low man on the totem pole. If you say, "It seems that you aren't able to take care of my issue. May I please have my call escalated?" That has never failed me before.

          In my experience, phone support for most situations is not something that people are lining up to do. They probably hate answering just as much as you hate calling. Aggression can absolutely be avoided.

          Remember: you catch more flies with honey than you do with vinegar.

        • hluska 9 years ago

          If this is your real experience over multiple providers, frankly and with all due respect, I suggest that you consider both your style of communication and specifically how you treat customer support people over the phone.

dangerlibrary 9 years ago

Spotify, in general, appears to consider accounts disposable. I think I saw something about this getting better recently, but a few months ago the only way to move my paid account to a family subscription was to delete the old account and create new accounts for everyone I wanted in the family plan.

  • ben_jones 9 years ago

    I imagine this comes from the various trial offerings they've had for new customers, including student discounts and family discounts. I myself have gone through ~3 accounts taking advantage of this over the years and I imagine their metrics show a high account churn such that it is not an unreasonable conclusion to view accounts as disposable.

    IMO it's certainly better than Facebook's undisposable position where you are never deleting your account and every service that uses Facebook serves as a mechanism for creating, reactivating, or connecting with that one account. As a subscription service Spotify should probably make it easier to switch between subscription tiers, but I'm happy enough with the company to at least defend them a little bit :-P.

    • k-mcgrady 9 years ago

      As a user Facebook's approach seems much better. I can't remember specifically what it was but I recently wanted to make a change to my Spotify account (which I've had since it first launched in the UK in 2009). Support told me the only option was to create a new account. This would have meant losing all of the songs I'd saved over the years, all playlists I'd created, and all playlists I was following. I'd also have to make all of the necessary friend connections again to access playlists I was collaborating on. The worst part is that the 'profile' Spotify has built that makes its recommendations decent for me would be lost, so Discover Weekly and recommendations would suck until it had built a new profile. That's a horrible experience for the user.

  • lyonlim 9 years ago

    Indeed. Some time back (more than one year ago), I contacted support to delink my paid account from Facebook. Their suggestion was to create a new account... and I think they helped with transferring my playlists, then deleted my Facebook-linked account.

  • y46ukgrc2n6 9 years ago

    I attempted to do exactly the same operation on Google Music and it was even worse. It wouldn't show the option to upgrade to a family plan anywhere. Turns out that signing up for Google Music All Access also gets you YouTube Red, and that YouTube Red subscription has to be deleted before you can upgrade All Access to the family plan (which also gives you a new YouTube Red subscription). It took a conversation with a google support rep to figure this out, and I think someone who is not a programmer would have a harder time understanding this failure mode.

  • cocotino 9 years ago

    I remember back when they had a limit of minutes per month and I had to create like 5 Facebook accounts to bypass it.

  • TarpitCarnivore 9 years ago

    It was pretty effortless for me. I just invited my wife via the email address she had registered and it connected it to the plan. Her account was previously on the free tier so maybe that's why.

  • melvinmt 9 years ago

    Hmm, I just upgraded my ancient account (2008) to the family plan with no troubles.

  • skykooler 9 years ago

    Which is pretty awful for anyone who signs on with Facebook.

EdJiang 9 years ago

I work at Stormpath (an Auth as a Service company) and see stuff like this all the time. It's actually really hard to do token revocation properly; people implement tokens and see revocation as a feature to be implemented "in the future".

I also noticed, for instance, that a LinkedIn app developer cannot rotate API Keys used to access LinkedIn's service. Again, the solution is to delete the app & restart. :/

  • yoo1I 9 years ago

    Would you mind sharing a bit what makes you say it's really hard ?

    • EdJiang 9 years ago

      No problem. It might not seem obvious when you build small-mid size backends, because in that scenario you might have an access token stored in your database that's checked each time someone makes a request. Token revocation is as easy as deleting that access token from your database.

      Once you start building something at scale, it's harder to revoke tokens instantly. You still need to validate the token on each request; you need to build a highly available, fault tolerant system that can scale with the load of the rest of your application. Usually to reduce this load and improve performance, you'll see two strategies to deal with it:

      Caching - check for the access token on the first request, and cache the access token for a certain period of time.

      Signed / Encrypted tokens - JWTs are one example. The token contains the user ID, expiration, and other info, and is signed / encrypted. A server can read this, and knowing the signing key, verify the token.

      However, if you revoke one of these tokens, it's not instant. A centralized store won't update any of the caches, and a Signed / Encrypted token lives on the client. So for token revocation, you now need to create a cache invalidation scheme, or maintain a blacklist of signed tokens.

      While it's still not that hard, it's hard enough that most teams would rather work on a new feature or something else that's on fire than figuring out token revocation.

      • acchow 9 years ago

        > So for token revocation, you now need to create a cache invalidation scheme

        To be a cache, it needs an invalidation scheme already.

        Also, no one is asking for "instant" consistency on revoking a token, but at least "eventual consistency".

        • seanp2k2 9 years ago

          Yeah, this. I don't care if it takes 24 hours to revoke it across the board, just let me revoke it somehow. Sub-second revocation isn't something that I'm aware of anyone asking for in this instance, and global Cassandra quorum should be on the order of a few seconds for massive data stores. Even with aggressive caching and long TTLs, you could do something with event notification for the rare events in which someone invalidates a token, and get it propagated within seconds around the world.

      • ars 9 years ago

        They manage to distribute your password everywhere don't they?

        IMO every auth key should always be hashed with your password (or its hash) - changing your password should automatically revoke every auth key even if you don't do it manually.

        • stable-point 9 years ago

          When generating auth tokens for Django apps, I've previously put the user's password's salt into the token for this purpose. The salt is not secret and changes whenever the password changes.
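A worked version of the two ideas in this subthread: a signed, self-contained token with a revocation blacklist (EdJiang's comment above) and a token that embeds the user's password salt so that a password change invalidates every outstanding token (stable-point's comment). This is an added example, not code from any commenter or from Spotify; the in-memory user table, signing key and salt values are all constructed.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed in-memory user table: user id -> current password salt.
# Assumption: the salt is regenerated whenever the password changes.
USERS = {"u1": {"salt": "salt-v1"}}
SIGNING_KEY = b"constructed-server-side-signing-key"
REVOKED = set()  # blacklist of token ids (jti) revoked before they expire

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, now: int, ttl: int = 3600) -> str:
    # Self-contained token: subject, expiry, unique id and the password salt,
    # HMAC-signed so a server can verify it without a database lookup.
    claims = {"sub": user_id, "exp": now + ttl, "jti": secrets.token_hex(8),
              "salt": USERS[user_id]["salt"]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def verify_token(token: str, now: int) -> Optional[str]:
    # Returns the user id on success, None on any failure (no detail leaked).
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError):
        return None
    if claims["exp"] <= now or claims["jti"] in REVOKED:
        return None  # expired, or explicitly revoked via the blacklist
    user = USERS.get(claims["sub"])
    if user is None or claims["salt"] != user["salt"]:
        return None  # password changed since issue: salt no longer matches
    return claims["sub"]

def revoke_token(token: str) -> None:
    # A real deployment would replicate this blacklist to every verifier.
    REVOKED.add(json.loads(_unb64(token.split(".", 1)[0]))["jti"])

def change_password(user_id: str) -> None:
    # New salt means every outstanding token for this user stops verifying.
    USERS[user_id]["salt"] = secrets.token_hex(8)
```

The blacklist only needs to hold ids until their tokens' `exp` passes, which keeps it small compared with storing every live token server-side.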

frogpelt 9 years ago

Somewhat off-topic but the only way to revoke Spotify Connect access to a device is to change your password, then log out, and back in.

I found that until I did the above I could not remove my friend's Denon receiver from the list of devices.

iMerNibor 9 years ago

Actually contacted support on this asking them to revoke all tokens. They responded I'd have to create a new account to remove the Facebook integration... 'cause that's what I asked for. After another 2 emails back and forth I just gave up.

runeks 9 years ago

I really hope we move past a model where a company both needs good lawyers, to get the licensing deal with the record companies, and a good software team, to get the app right. I really hope an intermediate layer arises, such that talented app developers can write good streaming music apps without needing to talk to the RIAA first, but rather by just purchasing access to the content through some "music wholesale" service.

josephby 9 years ago

Delete your account!

flippyhead 9 years ago

Ok so the lesson here is be really careful where you allow API access using your keys.

  • x1798DE 9 years ago

    I think the lesson is that you only have to trick people into authorizing your malicious app once.

  • lostlogin 9 years ago

    Which makes a mockery of their advertising showing music everywhere easily.
