Tutorial: Authenticate App User with Pandora
1. Authentication & Authorization
The majority of this is handled by the OAuth service of Pandora. The aim is to authenticate the listener using their Pandora listener account, authorize the application to fetch resources on behalf of the listener, and get an authorization code that you will use to get an access token to eventually query/mutate Pandora resources.
Redirect the listener to Pandora OAuth service (Authentication)
Redirect the listener to https://www.pandora.com/oauth/v1/authorize
with the following URL parameters:
Parameter | Description | Type | Example | Required |
response_type | Denotes the kind of credential the OAuth server will return (code vs token). For this flow the value must be code. | string | "code" | Yes |
client_id | The identifier of the client. See here for how to find your Client ID. | string | "K0OOpAbKaR97E1NoeX8dC9LA9wAwq23E" | Yes |
redirect_uri | The callback URL registered for your app; the value you send should match the registered URL exactly. When the authorization process succeeds, the OAuth server redirects the listener back to this URL with the authorization code appended, so use HTTPS for anything other than local development. | string | "http://www.mysite.com/callback" | Yes |
An example of what the request URL should look like:
https://www.pandora.com/oauth/v1/authorize?response_type=code&client_id=KTwNUabLype7E1NoeX8dCydGu7vaSVWd&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Foauth%2Fcallback
1. The OAuth server will redirect the listener to https://www.pandora.com/oauth/v1/login.
2. The listener will then either create an account or sign in with their existing account. Clicking on "I have a Pandora account" takes the listener to the sign-in page.
3. After the listener logs in, the OAuth service takes them to the next screen to submit consent for the requested scope.
Listener submits consent for scope (Authorization)
On this screen the listener submits consent for the application to access Pandora resources on behalf of the user.
- "Deny access" will take the listener back to the original URL where the authorize redirect originated from.
- "Approve access" will submit consent and the OAuth service will redirect to the callback URL specified in the authorize call. It will also add the following parameters to the callback URL for the application to use:
Parameter | Description | Type | Example |
code | The authorization code is a short-lived value that can be exchanged for an access token. | string | "APQBvb9xwom1IkRTg7pGiAE" |
alias | Request authorization UUID; this value changes with each authorization. | string | "AOeZZOQBQiFmQSbaUXGsgYg" |
An example of the callback URL and its parameters:
http://localhost:3000/oauth/callback?code=ALYO2-nYAdnDkJv9xSUNXFA&alias=AKyPnVXLecFAIyr5ItIwQZ8
Get authorization code from response
Next, extract the authorization code from the callback URL; it is the value you will exchange for an access token. The authorization code was sent as a query parameter on the callback URL.
http://localhost:3000/oauth/callback?code=ALYO2-nYAdnDkJv9xSUNXFA&alias=AKyPnVXLecFAIyr5ItIwQZ8
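The whole client side of the steps above, as an added example that is not part of this tutorial or of Pandora's own SDKs: it builds the authorize redirect with the three documented parameters (percent-encoding redirect_uri the way the example URL shows), then parses the callback and pulls out code and alias. Before trusting the code it checks that the callback landed on the exact scheme, host and path of the registered redirect_uri and that exactly one code is present. The optional state parameter is an assumption: Pandora's parameter list above does not mention it, RFC 6749 defines it and most authorization servers echo it back unchanged, but whether this server does is not confirmed by the page, so pass state=None if it is dropped. The client ID and callback URL values are the constructed examples from the text, not real credentials.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://www.pandora.com/oauth/v1/authorize"

# Constructed sample values taken from the tutorial's example URLs; not real credentials.
CLIENT_ID = "KTwNUabLype7E1NoeX8dCydGu7vaSVWd"
REDIRECT_URI = "http://localhost:3000/oauth/callback"


def new_state():
    """Per-request random value bound to the listener's session (assumed, see lead-in)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state=None):
    """Build the URL the listener is redirected to. urlencode percent-encodes the
    redirect_uri (http%3A%2F%2F...) exactly as the tutorial's example shows.
    state is only appended when given; it is not a documented Pandora parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    if state is not None:
        params["state"] = state
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, registered_redirect_uri, expected_state=None):
    """Extract code and alias from the callback URL.

    Rejects the callback when scheme/host/path differ from the registered
    redirect_uri (a code delivered anywhere else must not be exchanged), when
    code is missing, blank or repeated, or when state (if used) does not match.
    Returns {"code": ..., "alias": ...}; alias is None if absent.
    """
    got = urlsplit(callback_url)
    want = urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived at an unregistered redirect_uri")

    query = parse_qs(got.query, keep_blank_values=True)

    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback must carry exactly one non-empty code")

    if expected_state is not None:
        received = query.get("state", [""])[0]
        # Constant-time comparison on bytes so a non-ASCII value cannot raise TypeError.
        if not secrets.compare_digest(received.encode(), expected_state.encode()):
            raise ValueError("state mismatch: callback was not initiated by this session")

    return {"code": codes[0], "alias": query.get("alias", [None])[0]}


if __name__ == "__main__":
    # Walk through the flow with the tutorial's example callback.
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI))
    callback = (
        "http://localhost:3000/oauth/callback"
        "?code=ALYO2-nYAdnDkJv9xSUNXFA&alias=AKyPnVXLecFAIyr5ItIwQZ8"
    )
    print(parse_callback(callback, REDIRECT_URI))
```

The redirect_uri comparison is deliberately exact rather than prefix-based: an open prefix match is how a code ends up on an attacker-controlled path under the same host. Keep the returned code in server-side session state and exchange it once; do not log it or place it in a client-visible cookie.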