Forum Discussion

Explorer | Level 4

4 years ago

Oauth2 code short lived- how to implement correctly from B2B?

I am rewriting the old authorization code of my Windows service that communicates with Dropbox on behalf of a single, fixed user account. I have hit a snag. Usually I use the client credentials grant...

API

Greg-DB
4 years ago
The updated Dropbox app authorization flow does now use short-lived access tokens and refresh tokens. In either implementation, the initial authorization does require some manual user interaction.

With the new functionality, if you need long-term access (that is, longer than four hours) without further manual interaction after the initial authorization, you should request "offline" access. That way, during the initial authorization your app will receive both a short-lived access token as well as a refresh token.

Then, when the current short-lived access token has expired, the app should use the refresh token to request a new short-lived access token, by calling /oauth2/token with 'grant_type=refresh_token'. This step can be done entirely programmatically, without additional manual user interaction.

You can find more information in the following resources:

https://www.dropbox.com/developers/documentation/http/documentation#authorization

https://www.dropbox.com/lp/developers/reference/oauth-guide

https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens

Greg-DB

Dropbox Staff

The updated Dropbox app authorization flow does now use short-lived access tokens and refresh tokens. In either implementation, the initial authorization does require some manual user interaction.

With the new functionality, if you need long-term access (that is, longer than four hours) without further manual interaction after the initial authorization, you should request "offline" access. That way, during the initial authorization your app will receive both a short-lived access token as well as a refresh token.

Then, when the current short-lived access token has expired, the app should use the refresh token to request a new short-lived access token, by calling /oauth2/token with 'grant_type=refresh_token'. This step can be done entirely programmatically, without additional manual user interaction.

You can find more information in the following resources:

pwnell

Explorer | Level 4

4 years ago

That is what I did. However usually the refresh token is also short lived. You are saying I should persist the refresh token and use it even if my service restarts, to fetch a new auth token?

Greg-DB
Dropbox Staff
4 years ago
Yes, you should store and re-use the refresh token repeatedly. (Dropbox refresh tokens are not short-lived; they do not expire by themselves, though they can be revoked on demand by the user or app.)
- pwnell
  Explorer | Level 4
  4 years ago
  Seems like I spoke too soon. It worked for a week or two but now the refresh token expired and I had to do the manual get token, then get refresh token, add to my code, restart the service routing which is just not cool.
  
  I got HTTP Status code Unauthorized back after the refresh token worked fine for a while.
  - Greg-DB
    Dropbox Staff
    4 years ago
    Dropbox OAuth 2 refresh tokens don't expire by themselves, but there are a number of ways they can become invalid. For example:
    
    the user or team admin can revoke all access/refresh tokens for an app by unlinking it on any of the following Dropbox web pages:
    
    the Connected apps page
    
    the Security checkup page
    
    the Team apps page on the Settings section of Business Admin console
    
    the team member’s page on the Members section of the Business Admin console
    
    any client with the access token can revoke the access token and corresponding refresh token by calling /2/auth/token/revoke
    
    the GitHub-Dropbox token scanning partnership can revoke access/refresh tokens found publicly posted on GitHub
    
    if the app uses the "app folder" permission, the access/refresh token can effectively be disabled by deleting the app folder itself in the Dropbox account, via the Dropbox website or any client
    
    the app can be disabled
    
    the account that owns the app can be disabled
    
    the connected account can be disabled
    
    If something isn't working as expected though, please feel free to share the details (e.g., the steps and code to reproduce the issue, and the unexpected error/output) so we can look into it.

About Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

5,877 PostsLatest Activity: 12 months ago

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!

Forum Discussion

Oauth2 code short lived- how to implement correctly from B2B?

About Dropbox API Support & Feedback

Related Content

OAuth2 empty scope does not behave correctly

Powershell Oauth2 Refresh Token

Excel worksheet not displaying correctly.

Dropbox doesn't work correctly after upgrading computer to Windows 11

Dropbox OAuth2 Endpoint not giving refresh Token

Recent Discussions

get_shared_link_metadata API problem with the new '/scl' folder links.

Trying to download a file, but no file is being downloaded.

Dropbox internal error occured - Resolution

How to add the entire team to team folder by api

API Upload .HEIC and convert to JPG