You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
Using refresh token without client secret
I am using the PKCE flow for my electron based desktop & web app app and am trying to migrate for the new short lived tokens everywhere flow. I am able to get a refresh token by providing
token_access_type=offline
Now I am wondering how I can request a new accessToken without exposing my APP_SECRET (https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token).
Is there a way to do so?
Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.
Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:
curl https://api.dropbox.com/oauth2/token \ -d refresh_token=<REFRESH_TOKEN> \ -d grant_type=refresh_token \ -d client_id=<APP_KEY>
- Greg-DB
Dropbox Staff
Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.
Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:
curl https://api.dropbox.com/oauth2/token \ -d refresh_token=<REFRESH_TOKEN> \ -d grant_type=refresh_token \ -d client_id=<APP_KEY>Thanks for the quick response. Unfortunately this leads to an `invalid_request` error (400):
```The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters.
```
Never mind! I had the wrong Content-Type header set. Seems to work fine now. Thank you very much!
Maybe this should be added to the documentation under the examples section?
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
