Misleading “Explicit user authorization is required” error when app fingerprint is outdated #384

@RemyRM

Description

When using the Spotify Android SDK (spotify/android-auth) to authorize an app for use with App Remote, the SDK returns the following error if the app is not authorized:

Explicit user authorization is required to use Spotify. The user has to complete the auth-flow to allow the app to use Spotify on their behalf.

However, this same error is also thrown in a different scenario: when the user has successfully completed the authorization flow, but the app’s fingerprint in the Spotify Developer Dashboard is outdated or incorrect.

This leads to a confusing situation where:

  • The user is redirected to the Spotify authorization screen.
  • The authorization callback is successfully invoked.
  • The app appears under Connected Apps in the user’s Spotify account.
  • Yet the SDK still reports that explicit authorization is required.

Because the fingerprint mismatch prevents Spotify from reporting the authorization result back to the app, the SDK surfaces the same error as if the user had never authorized at all. This makes the root cause difficult to diagnose, especially since fingerprints are typically configured early in a project and may change later (e.g., when adding a signing configuration).

Expected Behavior

A clearer or more specific error message when the authorization cannot be validated due to a fingerprint mismatch, or an extra note in the existing error message that this could be due to an invalid fingerprint.

“Authorization failed: app fingerprint does not match the configuration in the Spotify Developer Dashboard.”

or

“Authorization could not be verified. This may be caused by an outdated or incorrect app fingerprint.”

or

“Explicit user authorization is required to use Spotify. The user has to complete the auth-flow to allow the app to use Spotify on their behalf. This could be due to an invalid app fingerprint.”

…would make this issue significantly easier to debug.

Actual Behavior

The SDK reports:

Explicit user authorization is required to use Spotify. The user has to complete the auth-flow to allow the app to use Spotify on their behalf.

This message implies the user did not authorize the app, even though the authorization flow completed successfully and the app appears in the user’s connected apps list.

Steps to Reproduce

  1. Create a template Android app using the spotify/android-auth library.
  2. Generate a signing certificate fingerprint and add it to the Spotify Developer Dashboard.
  3. Implement the authorization flow and confirm that authorization works correctly.
  4. Modify your app’s signing configuration (e.g., add a signature), causing the fingerprint to change.
  5. Revoke the app’s authorization from your Spotify account (Connected Apps).
  6. Attempt to authorize again.

Result:
The authorization UI appears and completes successfully, but the SDK reports the “Explicit user authorization is required” error.

Environment

  • Spotify Android Auth Library: 3.0.0 and 2.1.2

Additional Notes

This issue is not strictly a bug, but the current error message is misleading and makes the underlying problem difficult to diagnose. Improving the error message—or adding a hint that fingerprint mismatch may be involved—would help developers avoid unnecessary debugging time.
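A pre-flight check for the situation described in this issue, added here as an example (it is not code from the issue author or from spotify/android-auth): before debugging the auth flow, confirm that the SHA-1 fingerprint of the key that actually signs the build matches the value registered in the Spotify Developer Dashboard. The script parses the `SHA1:`/`SHA256:` lines of `keytool -list -v` output and compares fingerprints while ignoring colon and case differences, which are the usual reasons a visually "correct" value fails to match. The certificate bytes and the keytool output below are constructed placeholders, not real key material.

```python
import hashlib
import re

# Constructed stand-in for DER-encoded certificate bytes (NOT a real certificate).
# In practice the bytes come from the signing certificate that keytool or
# apksigner reports for the build you are actually installing.
SAMPLE_CERT_DER = bytes(range(256)) * 4

# Constructed `keytool -list -v` output; the fingerprint values are made up.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: androiddebugkey
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate fingerprints:
\t SHA1: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
\t SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

KEYTOOL_FP_RE = re.compile(r"^\s*(SHA1|SHA256):\s*([0-9A-Fa-f:]+)\s*$", re.MULTILINE)


def fingerprint(cert_der: bytes, algorithm: str = "sha1") -> str:
    """Hash certificate bytes and format the digest the way keytool prints it:
    upper-case hex pairs separated by colons (59 chars for SHA-1, 95 for SHA-256)."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so 'aa:bb:cc' and 'AABBCC' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints_match(actual: str, configured: str) -> bool:
    """Compare two fingerprints irrespective of formatting; empty values never match."""
    a, c = normalize(actual), normalize(configured)
    return len(a) > 0 and a == c


def parse_keytool_output(text: str) -> dict:
    """Extract the SHA1 and SHA256 fingerprint lines from `keytool -list -v` output."""
    return {m.group(1): m.group(2) for m in KEYTOOL_FP_RE.finditer(text)}


def diagnose(keytool_text: str, dashboard_sha1: str) -> str:
    """Explain whether the signing key's SHA-1 matches the dashboard entry.

    A MISMATCH here is the condition that, per the issue, surfaces in the SDK
    only as the generic "Explicit user authorization is required" error."""
    fps = parse_keytool_output(keytool_text)
    sha1 = fps.get("SHA1")
    if sha1 is None:
        return "no SHA1 line found in keytool output"
    if fingerprints_match(sha1, dashboard_sha1):
        return "match"
    return f"MISMATCH: signing key SHA1 {sha1} differs from dashboard value {dashboard_sha1.strip()}"


if __name__ == "__main__":
    # Typical use: paste the dashboard value and the keytool output for the
    # *release* signing config, since changing that config is what moves the fingerprint.
    print(diagnose(SAMPLE_KEYTOOL_OUTPUT, "0123456789abcdef0123456789abcdef01234567"))
    print(diagnose(SAMPLE_KEYTOOL_OUTPUT, "FF:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"))
    print(fingerprint(SAMPLE_CERT_DER))
```

Run it against the output of `keytool -list -v -keystore <your-keystore>` for the key that signs the build you are testing; a debug build and a release build are signed by different keys, so each needs its own dashboard entry.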
