SONOS auth token is not being sent in Authorization HTTP header for CQ API calls
I followed the Sonos docs for adding app authentication and the page for using authentication tokens and the result is that the SMAPI server correctly returns an authToken together with a privateKey back to the controller. I can see the authToken being present in the credentials header inside the SOAP messages sent to my SMAPI server.
However, despite the many mentions of this inside the Sonos docs pages related to HTTP requests (I will list the resources links down below), the same authToken is not being sent inside the HTTP header Authorization, this making my CQ server unable to validate requester identity.
I tried the following, without success:
checking "Requires authorization header" capability in the customsd page of my Sonos device (I tried this because the docs page about capabilities precisely indicates that checking this "Sends OAuth token in the HTTP Authorization header.")
identifying some correlation between the "X-Sonos-" prefix HTTP headers used when the controller sends SOAP messages to my SMAPI server and the "X-Sonos-" prefix HTTP headers used when the device sends HTTP requests to my CQ server (eventually, I could not find any information that would identify the user based on this)
From Sonos device:
X-Sonos-Playback-Id: RINCON_48??????D201400:3165321802 <= deviceId inserted after RINCON_
X-Sonos-Device-Id: Sonos_U????????????????????????6 <= householdId
X-Sonos-Corr-Id: 267e3e0c-75ca-4b9d-8be4-b8a795a462a3 <= unique each time
From macOS Controller:
X-Sonos-Controller-ID: 68:??:??:??:??:07 <= the same each time
X-Sonos-Api-Key: 8??????e-7??7-4??f-b??6-7??????????0 <= the same each time
X-Sonos-Corr-Id: 648ec896-e043-44f8-bfba-cd0a80c9d857 <= unique each time
- checking both "Include SMAPI context headers with all requests" and "Include Zone Player IDs in credentials header" capabilities in the customsd page of my Sonos device (I tried this following the answer to this sonos tagged stackoverflow question Now that device ID is deprecated, is there another way to identify the client?)
The docs links I mentioned above that refer the presence of the auth token inside the HTTP Authorization header are the following:
the GET /context CQ API method page says to return 401 Unauthorized when "The access token has expired or is invalid."
the GET /itemWindows CQ API method page says "the player can use this API to obtain a new access token in the response from your cloud queue server" and "The request contains the access token in the authorization header" and "If the access token is set to expire soon, an updated one is included in the X-Updated-Authorization header of the response"
the POST /timePlayed CQ API method page says "The request header contains the access token in the authorization header" and that the method returns ERROR_SONOS_TOKEN_EXPIRED when "SMAPI OAuth token is expired, and user must re-authorize the account"
the GET /version CQ API method page says again that "The request contains the access token in the authorization header" and talks about a now deprecated updateToken parameter and also says that "If the access token is set to expire soon, you should include an updated token in the X-Updated-Authorization header."
But the most clear mention is in the page about HTTP requests, because it's not particular just for the CQ API endpoints but for all HTTP endpoints, even those hosted by the SMAPI server itself. The page reads the following 2 excerpts:
and
To conclude, with so many mentions of it in the official Sonos docs, why isn't this essential header being transmitted in the HTTP Authorization header? And how should a CQ verify the identity of the requester without the presence of this authToken on each API method request?
The auth token is sensitive information and will not be included in the HTTP headers if it's being sent to an endpoint that is insecure.
Try again with your CQ server behind an https:// address.
- SMAPI positionInformation being ignored
- Calls to Sonos API don't include credential information after being authenticated
- how to update sonos speakers using Soco library
- Subscribing to events with Sonos API
- Sonos SMAPI: how to internationalize containers?
- Sonos devices return the same information with 3 seperate UUID's over SSDP
- Can't see sonos devices on Spotify connect
- A Sonos Music API (SMAPI) implementation, during the test service getting unable to play music connection to service was lost
- What is the point of refresh tokens in the Sonos API
- How do I retrieve the catalog of a music service?
- Sonos Control API: Unable to route the message to a Target Endpoint
- Why isn't SONOS' Custom SD system working anymore?
- SONOS auth token is not being sent in Authorization HTTP header for CQ API calls
- Sonos Simulator not able to compile node package
- Control API: Service unavailable (503)
- Where can I find the SONOS Cloud Queue server sample the docs are talking about?
- Sonos API sends too short auth code in return?
- sonos integration with announcement system
- How can a Sonos customer view the Households associated with their account?
- Does the Sonos Port support UPnP?
- Sonos Control Api: Get sonos account information
- Authorization code has different structure than example code
- ERR_ABORTED 403 (Forbidden)
- How can I get the title from the strings file when implementing favorites?
- Issue requesting token from Sonos api in oauth process
- Sonos Cloud API: audioClip synchronised playing in group
- Is it possible to create a playback session with multiple groups?
- Sonos: Lifetime of event subscriptions
- Sonos SMAPI : AuthTokenExpired faults ignored in getLastUpdate and getMediaUri response
- Sonos Control API Rate limit