Seeing that, my hypothesis is that I gave Spotify access to a 3rd party app way back (maybe a Sonos sound system at a rental house, maybe the Uber app) that has been using my token to play music without my explicit consent… and there is no way for me to revoke those tokens.
This is really disappointing from the Spotify team, but if I'm being honest with myself that's fairly par for the course.
defaults write com.spotify NSAppSleepDisabled -bool YES @thelinmichael Guys wake up!!!!!! How can you implement an OAuth 2.0 without the ability to revoke access? I mean HOW DARE YOU?
Fix this ASAP
Yelling isn't productive and it's not going to solve anything. You can totally communicate your frustration without resorting to raising your voice. If anything, making people that distressed is only counterintuitive and counterproductive.
I strongly disagree, I wish it weren't so, but as a matter of fact getting actively frustrated and asking to be escalated to a manager when on the phone with customer-service representative is the only way I've successfully gotten anything resolved as an insignificant customer of a large co. Personally, I detest the waste of emotional energy that involves and particularly abhor contacting customer service for exactly that reason.
edit: For the people down-voting: whether you like it or not is frankly irrelevant. This is in fact my real experience when dealing with the customer-service for any number of banks, cable, mobile providers, flight/hotel booking sites, rental agencies etc.
IMO it's certainly better then facebook's undisposable position where you are never deleting your account and every service that uses facebook serves as a mechanism for creating, reactivating, or connecting, with that one account. As a subscription service Spotify should probably make it easier to switch between subscription tiers, but I'm happy enough with the company to at least defend them a little bit :-P.
I also noticed, for instance, that a LinkedIn app developer cannot rotate API Keys used to access LinkedIn's service. Again, the solution is to delete the app & restart. :/
Once you start building something at scale, it's harder to revoke tokens instantly. You still need to validate the token on each request, you need to build a highly available, fault tolerant system that can scale with the load of the rest of your application. Usually to reduce this load and improve performance, you'll see two strategies to deal with it:
Caching - check for the access token on the first request, and cache the access token for a certain period of time.
Signed / Encrypted tokens - JWTs are one example. The token contains the user ID, expiration, and other info, and is signed / encrypted. A server can read this, and knowing the signing key, verify the token.
However, if you revoke one of these tokens, it's not instant. A centralized store won't update any of the caches, and a Signed / Encrypted token lives on the client. So for token revocation, you now need to create a cache invalidation scheme, or maintain a blacklist of signed tokens.
While it's still not that hard, it'd hard enough that most teams would rather work on a new feature or something else that's on fire than figuring out token revocation.
To be a cache, it needs an invalidation scheme already.
Also, no one is asking for "instant" consistency on revoking a token, but at least "eventual consistency".
IMO every auth key should always be hashed with your password (or its hash) - changing your password should automatically revoke every auth key even if you don't do it manually.
I found that until I did the above I could not remove my friend's Denon receiver from the list of devices.