Missing scope in token responses #245

Closed
jingw222 opened this issue Mar 6, 2021 · 5 comments
Labels
bug Something isn't working track Track something even after closing

Comments

@jingw222
Contributor

jingw222 commented Mar 6, 2021

I can't seem to request a client token and this is the error message. Is that due to some API changes, because it did work previously?

cred = tk.Credentials(
    client_id=CLIENT_ID,
    client_secret=CLIENT_SECRET,
    redirect_uri=REDIRECT_URI,
)
cred.request_client_token()
---------------------------------------------------------------------------
KeyError                                  Traceback (most recent call last)
<ipython-input-7-16b2a7dae391> in <module>
----> 1 cred.request_client_token()

~/.pyenv/versions/3.7.5/envs/spolarfy/lib/python3.7/site-packages/tekore/_sender/client.py in wrapper(self, *args, **kwargs)
     77 
     78             response = self.send(request)
---> 79             return post_func(request, response, *params)
     80         return wrapper
     81     return decorator

~/.pyenv/versions/3.7.5/envs/spolarfy/lib/python3.7/site-packages/tekore/_auth/expiring/decor.py in func(request, response)
     28         """Parse token object from response."""
     29         handle_errors(request, response)
---> 30         return Token(response.content, uses_pkce)
     31     return func
     32 

~/.pyenv/versions/3.7.5/envs/spolarfy/lib/python3.7/site-packages/tekore/_auth/expiring/token.py in __init__(self, token_info, uses_pkce)
     37         self._token_type = token_info['token_type']
     38 
---> 39         self._scope = Scope(*token_info['scope'].split(' '))
     40         if str(self._scope) == '':
     41             self._scope = Scope()

KeyError: 'scope'
@jingw222 jingw222 added the bug Something isn't working label Mar 6, 2021
@deniseismo

deniseismo commented Mar 6, 2021

I have the exact same issue. I've been getting this error since yesterday.

def get_spotify_tekore_client():
    client_id = current_app.config['SPOTIFY_CLIENT_ID']
    client_secret = current_app.config['SPOTIFY_CLIENT_SECRET']

    app_token = tk.request_client_token(
        client_id=client_id, client_secret=client_secret)
    spotify_tekore_client = tk.Spotify(app_token)
    return spotify_tekore_client

~\venv\lib\site-packages\tekore\_auth\util.py", line 204, in request_client_token
    return cred.request_client_token()

  ~\venv\lib\site-packages\tekore\_auth\refreshing.py", line 148, in request_client_token    
    token = self._client.request_client_token()

  ~\venv\lib\site-packages\tekore\_sender\client.py", line 79, in wrapper
    return post_func(request, response, *params)

  ~\venv\lib\site-packages\tekore\_auth\expiring\decor.py", line 30, in func
    return Token(response.content, uses_pkce)

  ~\venv\lib\site-packages\tekore\_auth\expiring\token.py", line 39, in __init__
    self._scope = Scope(*token_info['scope'].split(' '))
KeyError: 'scope'

I wonder if it's something Spotify has changed. It's been working for quite some time, and I haven't touched the script at all.

@felix-hilden
Owner

Yeah, a bunch of our tests broke this morning too... Thanks for reporting this! I hope - as I've done with many of these kinds of issues - that it's simply a temporary issue with Spotify. In the event that it's not, we'll fix it.

I'm available in 36 hours. Any further info is appreciated! It's a shame this issue affects so much.

@TrustyJAID

Hello, I did some light digging into this issue. It appears that user authorization is not affected by this, only accessing the Spotify API via the owner's API tokens. The refresh token does not return the scope in the payload. I don't know how much that is necessary, but checking if the scope is present in the payload beforehand fixed the error for myself. Although the only time I was using the owner's credentials was accessing available genres. This is what I changed:

# in _auth/expiring/token.py
def __init__(self, token_info: dict, uses_pkce: bool):
    self._access_token = token_info['access_token']
    self._token_type = token_info['token_type']

    # Tolerate a missing 'scope' key by defaulting to an empty string
    self._scope = Scope(*token_info.get('scope', '').split(' '))
    if str(self._scope) == '':
        self._scope = Scope()

@felix-hilden
Owner

Much appreciated @TrustyJAID!

Reading the Authorisation Guide of Spotify, I see no mention of scopes in the client creds flow, though I can't remember whether or not it has been there. The fix would be simple, but there is one complication. It seems that user authorisation without any scopes results in the scope missing from the response as well. So we can't take this to mean "the scope of an app token has been removed because it means nothing". Rather it could mean that "empty scopes are not returned".

I think here's what we'll do:

  • Open up an issue on the Spotify forums asking about this (link)
  • In the meantime allow missing scopes in the response, but parse them as before, to empty Scope objects
  • Release the fix as a temporary solution
  • Monitor the issue and possibly change the behavior to fit the true intention of Spotify. Meaning that if they are always missing, leave app scope missing but parse user scope to empty, and so on.
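
An added example, not part of the thread or of tekore's code: one way to parse a token response that tolerates a missing scope field while keeping "omitted" and "empty" distinguishable, which is the ambiguity described above. `ParsedToken`, `parse_token_response` and `missing_scopes` are hypothetical names, the payloads are constructed, and the fallback to the requested scopes follows RFC 6749 section 5.1 as an assumption about the server, not confirmed Spotify behaviour.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class ParsedToken:
    access_token: str
    token_type: str
    scope: FrozenSet[str]
    scope_reported: bool  # False when the server omitted the "scope" field


def parse_token_response(payload: dict, requested: Iterable[str] = ()) -> ParsedToken:
    """Parse an OAuth 2.0 token response without assuming "scope" is present."""
    # access_token and token_type are mandatory; a KeyError here is a real error.
    access_token = payload["access_token"]
    token_type = payload["token_type"]

    raw: Optional[str] = payload.get("scope")
    if raw is None:
        # Field omitted: treat the grant as identical to what was requested
        # (RFC 6749 section 5.1). For a client-credentials token that is empty.
        scope = frozenset(requested)
        reported = False
    else:
        # str.split() with no argument drops empty strings, so "" -> no scopes.
        scope = frozenset(raw.split())
        reported = True
    return ParsedToken(access_token, token_type, scope, reported)


def missing_scopes(token: ParsedToken, needed: Iterable[str]) -> FrozenSet[str]:
    """Return the scopes a call needs that the token does not carry."""
    return frozenset(needed) - token.scope


# Constructed sample payloads (not captured from Spotify).
APP_TOKEN = {"access_token": "example-app", "token_type": "Bearer", "expires_in": 3600}
USER_TOKEN = {"access_token": "example-user", "token_type": "Bearer",
              "expires_in": 3600, "scope": "user-read-email playlist-read-private"}
EMPTY_SCOPE = {"access_token": "example-empty", "token_type": "Bearer", "scope": ""}
```

Checking `missing_scopes` before a privileged call turns a silent scope mismatch into an explicit local failure, and `scope_reported` lets logging show when the server stopped sending the field.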

@felix-hilden felix-hilden changed the title cred.request_client_token not working Missing scope in token responses Mar 7, 2021
@felix-hilden felix-hilden added the track Track something even after closing label Mar 7, 2021
@felix-hilden
Owner

A new version has now been released with the fix!

I'll leave this issue open for now, and we'll see what Spotify has to say.
