diff --git a/backends/auth.go b/backends/auth.go
index f78feb3..2309826 100644
--- a/backends/auth.go
+++ b/backends/auth.go
@@ -46,7 +46,7 @@ func Authenticate(service string, backend models.Backend, db storage.Database, c
 		if err != nil {
 			return auth, err
 		}
-		conf := authenticator.OAuth2Config(redirectURL)
+		conf := authenticator.OAuth2Strategy(redirectURL).Config()
 		tokenSource := NewDatabaseTokenSource(db, service, &conf, token)
 		authenticator.OAuth2Setup(tokenSource)
 	}
diff --git a/backends/spotify/spotify.go b/backends/spotify/spotify.go
index 6c9bf89..ee59b5a 100644
--- a/backends/spotify/spotify.go
+++ b/backends/spotify/spotify.go
@@ -25,6 +25,7 @@ import (
 	"time"
 
 	"github.com/spf13/viper"
+	"go.uploadedlobster.com/scotty/internal/auth"
 	"go.uploadedlobster.com/scotty/models"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/spotify"
@@ -44,6 +45,23 @@ func (b *SpotifyApiBackend) FromConfig(config *viper.Viper) models.Backend {
 	return b
 }
 
+func (b *SpotifyApiBackend) OAuth2Strategy(redirectUrl *url.URL) auth.OAuth2Strategy {
+	conf := oauth2.Config{
+		ClientID:     b.clientId,
+		ClientSecret: b.clientSecret,
+		Scopes: []string{
+			"user-read-currently-playing",
+			"user-read-recently-played",
+			"user-library-read",
+			"user-library-modify",
+		},
+		RedirectURL: redirectUrl.String(),
+		Endpoint:    spotify.Endpoint,
+	}
+
+	return auth.NewStandardStrategy(conf)
+}
+
 func (b *SpotifyApiBackend) OAuth2Config(redirectUrl *url.URL) oauth2.Config {
 	return oauth2.Config{
 		ClientID:     b.clientId,
diff --git a/cmd/auth.go b/cmd/auth.go
index 0bff457..7ab9e19 100644
--- a/cmd/auth.go
+++ b/cmd/auth.go
@@ -17,14 +17,14 @@ Scotty. If not, see <https://www.gnu.org/licenses/>.
 package cmd
 
 import (
-	"context"
 	"fmt"
-	"net/http"
+	"os"
 
 	"github.com/cli/browser"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"go.uploadedlobster.com/scotty/backends"
+	"go.uploadedlobster.com/scotty/internal/auth"
 	"go.uploadedlobster.com/scotty/models"
 	"go.uploadedlobster.com/scotty/storage"
 	"golang.org/x/oauth2"
@@ -43,44 +43,36 @@ var authCmd = &cobra.Command{
 		redirectURL, err := backends.BuildRedirectURL(viper.GetViper(), backend.Name())
 		cobra.CheckErr(err)
 
-		ctx := context.Background()
-		conf := backend.OAuth2Config(redirectURL)
-
-		responseChan := make(chan string)
-
 		// Start an HTTP server to listen for the response
-		http.HandleFunc(redirectURL.Path, func(w http.ResponseWriter, r *http.Request) {
-			code := r.URL.Query().Get("code")
-			fmt.Fprint(w, "Token received, you can close this window now.")
-			responseChan <- code
-		})
+		responseChan := make(chan auth.CodeResponse)
+		auth.RunOauth2CallbackServer(*redirectURL, responseChan)
 
-		go http.ListenAndServe(redirectURL.Host, nil)
+		// The backend must provide an authentication strategy
+		strategy := backend.OAuth2Strategy(redirectURL)
 
 		// use PKCE to protect against CSRF attacks
 		// https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html#name-countermeasures-6
 		verifier := oauth2.GenerateVerifier()
 
-		// Redirect user to consent page to ask for permission
-		// for the scopes specified above.
-		url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(verifier))
+		state := "somestate" // FIXME: Should be a random string
+		// Redirect user to consent page to ask for permission specified scopes.
+		url := strategy.AuthCodeURL(verifier, state)
 		fmt.Printf("Visit the URL for the auth dialog: %v\n", url)
-
 		err = browser.OpenURL(url)
 		cobra.CheckErr(err)
 
+		// Retrieve the code from the authentication callback
 		code := <-responseChan
+		if code.State != state {
+			cobra.CompErrorln("Error: oauth state mismatch")
+			os.Exit(1)
+		}
 
-		// Use the authorization code that is pushed to the redirect
-		// URL. Exchange will do the handshake to retrieve the
-		// initial access token. The HTTP Client returned by
-		// conf.Client will refresh the token as necessary.
-		// var code string
-		// _, err = fmt.Scan(&code)
-		// cobra.CheckErr(err)
-		tok, err := conf.Exchange(ctx, code, oauth2.VerifierOption(verifier))
+		// Exchange the code for the authentication token
+		tok, err := strategy.ExchangeToken(code, verifier)
 		cobra.CheckErr(err)
 
+		// Store the retrieved token in the database
 		db, err := storage.New(viper.GetString("database"))
 		cobra.CheckErr(err)
 
diff --git a/internal/auth/callback.go b/internal/auth/callback.go
new file mode 100644
index 0000000..4fa41f6
--- /dev/null
+++ b/internal/auth/callback.go
@@ -0,0 +1,36 @@
+/*
+Copyright © 2023 Philipp Wolfer <phw@uploadedlobster.com>
+
+Scotty is free software: you can redistribute it and/or modify it under the
+terms of the GNU General Public License as published by the Free Software
+Foundation, either version 3 of the License, or (at your option) any later version.
+
+Scotty is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with
+Scotty. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+)
+
+func RunOauth2CallbackServer(redirectURL url.URL, responseChan chan CodeResponse) {
+	http.HandleFunc(redirectURL.Path, func(w http.ResponseWriter, r *http.Request) {
+		code := r.URL.Query().Get("code")
+		state := r.URL.Query().Get("state")
+		fmt.Fprint(w, "Token received, you can close this window now.")
+		responseChan <- CodeResponse{
+			Code:  code,
+			State: state,
+		}
+	})
+
+	go http.ListenAndServe(redirectURL.Host, nil)
+}
diff --git a/internal/auth/strategy.go b/internal/auth/strategy.go
new file mode 100644
index 0000000..403c429
--- /dev/null
+++ b/internal/auth/strategy.go
@@ -0,0 +1,56 @@
+/*
+Copyright © 2023 Philipp Wolfer <phw@uploadedlobster.com>
+
+Scotty is free software: you can redistribute it and/or modify it under the
+terms of the GNU General Public License as published by the Free Software
+Foundation, either version 3 of the License, or (at your option) any later version.
+
+Scotty is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with
+Scotty. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+package auth
+
+import (
+	"context"
+
+	"golang.org/x/oauth2"
+)
+
+type OAuth2Strategy interface {
+	Config() oauth2.Config
+
+	AuthCodeURL(verifier string, state string) string
+
+	ExchangeToken(code CodeResponse, verifier string) (*oauth2.Token, error)
+}
+
+type CodeResponse struct {
+	Code  string
+	State string
+}
+
+func NewStandardStrategy(conf oauth2.Config) OAuth2Strategy {
+	return StandardStrategy{conf: conf}
+}
+
+type StandardStrategy struct {
+	conf oauth2.Config
+}
+
+func (s StandardStrategy) Config() oauth2.Config {
+	return s.conf
+}
+
+func (s StandardStrategy) AuthCodeURL(verifier string, state string) string {
+	return s.conf.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(verifier))
+}
+
+func (s StandardStrategy) ExchangeToken(code CodeResponse, verifier string) (*oauth2.Token, error) {
+	ctx := context.Background()
+	return s.conf.Exchange(ctx, code.Code, oauth2.VerifierOption(verifier))
+}
diff --git a/models/interfaces.go b/models/interfaces.go
index 7928804..9078eba 100644
--- a/models/interfaces.go
+++ b/models/interfaces.go
@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/spf13/viper"
+	"go.uploadedlobster.com/scotty/internal/auth"
 	"golang.org/x/oauth2"
 )
 
@@ -87,7 +88,7 @@ type OAuth2Authenticator interface {
 	Backend
 
 	// Returns OAuth2 config suitable for this backend
-	OAuth2Config(redirectUrl *url.URL) oauth2.Config
+	OAuth2Strategy(redirectUrl *url.URL) auth.OAuth2Strategy
 
 	// Setup the OAuth2 client
 	OAuth2Setup(token oauth2.TokenSource) error