Allow direct OAuth2 Authentication #445

Open
vhaudiquet opened this issue Jan 6, 2022 · 7 comments
Labels
enhancement New feature or request

Comments

@vhaudiquet

Is your feature request related to a problem? Please describe.
I have previously obtained an OAuth2 Spotify access token, and would like to use that to authenticate a librespot 'Session'.
I'm building an Android app and using the official Spotify Auth library, so that the user does not give me his credentials directly.

Describe the solution you'd like
Either make private Authentication.LoginCredentials loginCredentials public, or make a setter, so that I can directly set the LoginCredentials object; or make an oauthToken() method in the builder that constructs the loginCredentials object (i.e. what the FacebookAuthenticator does) from an access token.

Describe alternatives you've considered

Additional context
I think this would also allow users of the library to go around the maybe broken Facebook login implementation (I saw an issue on that and a PR that was not yet merged); they could, if they really need to, implement OAuth2 directly to connect with Facebook (what I did in my app, using OkHttpClient, using the authorization code flow, requesting access and refresh tokens).

@vhaudiquet vhaudiquet added the enhancement New feature or request label Jan 6, 2022
@devgianlu
Member

I think that tokens from the official API are not compatible with the internal APIs used here. Also, have you looked at librespot-android?

@vhaudiquet
Author

vhaudiquet commented Jan 6, 2022

In your pull request (2757273) you seem to be implementing the exact same auth flow I implemented successfully to get my token. However, instead of starting the flow with the 'facebook connection' window, I started it with the official API window; this is the only difference (I think).
(Here is a link to my implementation if you want to check: https://github.com/vhaudiquet/BladePlayer/blob/master/app/src/main/java/v/blade/sources/spotify/Spotify.java)

I did look at librespot-android, yes; in fact it is what inspired me to build a new version of my music player (Blade Player), because of how great librespot-java seems to be compared to the old Spotify SDK I was using before. However, in librespot-android, you authenticate directly using user/pass, and some users could legitimately think that I'm trying to steal their credentials (I could send them to a server of mine + the Spotify one), which is precisely why stuff like OAuth2 exists.

@devgianlu
Member

> In your pull request (2757273) you seem to be implementing the exact same auth flow I implemented successfully to get my token. However, instead of starting the flow with the 'facebook connection' window, I started it with the official API window; this is the only difference (I think).

Exactly, but #356 is broken and will not allow you to authenticate.

@vhaudiquet
Author

vhaudiquet commented Jan 6, 2022

Oh; but you say in the last commit:

> Currently broken, the token endpoint returns 400. The client-token header may be the culprit.

I'm successfully obtaining a token, I believe; so the endpoint is not an issue for me.
The issue would be passing that token to librespot, which I cannot do because there is no external interface to do that.
But maybe something else is broken after obtaining the token?

EDIT: My bad, this was the first commit, not the last one...
So what else is broken and makes it impossible to log in?
Is it the Authentication.LoginCredentials.newBuilder().setAuthData(ByteString.copyFrom(credentialsJson.get("access_token").getAsString(), StandardCharsets.UTF_8)) part that is causing problems? Because Authentication.LoginCredentials seems to be imported from com.spotify, i.e. the official Spotify API, so there should be no problem with that?

EDIT2: Actually, where does the com.spotify code come from? It does not seem to be from the official Spotify API, but protobuf files... Is it reverse-engineered Spotify protocols/structures? So the issue would be that these protocols do not support OAuth2 at all, and to be able to play music you absolutely need user+pass?

@devgianlu
Member

devgianlu commented Jan 6, 2022

It is currently not possible to retrieve playlist-read tokens from Facebook/Spotify originated tokens (will return 403, as described in #370). That scope is mandatory for initializing the mercury connection which we still rely on.

@vhaudiquet
Author

Alright; then I guess I have no choice but to use user+password authentication.
You can close the issue if you want (or keep it open until Spotify changes things?)

Anyway, thank you for your answers and your great work on librespot :))

By the way, are you talking about those scopes: https://developer.spotify.com/documentation/general/guides/authorization/scopes ? Because there does not seem to be a 'playlist-read' scope documented... Is Spotify trying to hide that? Or is it a completely different kind of token/scope?

@devgianlu
Member

> Is Spotify trying to hide that? Or is it a completely different kind of token/scope?

Part of the internal API, not necessary to document it publicly.
