We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.
Forum Discussion
What way of authorization to use for a (PHP) open source module
I am the developer of the Drupal module Backup & migrate Dropbox that extends the "Backup and migrate" module to store backups on Dropbox. So this module:
- is open source, so I cannot put the App secret in my code.
- installed on web servers of which I cannot know the domain names, so I cannot define redirect uri's for all those domains.
- runs via some admin screens but mainly via cron jobs (unattended), so I need a way to work with long lived tokens/codes.
- I am not part of an organization that can or wants to provide an intermediate site for the redirect uri (and storage of long lived codes/tokens? Keeper of App secret?) .
- The current version requires users to each create their own App and generate a long lived token on their App console.
I am developing a new version that should use the newer oauth2 way of obtaining authorization. Given the above, it seems that the PKCE flow is the way to go, but is this possible? I arrive at getting a user copied and pasted (short lived) acces code, use that to get a 1st (short lived) bearer token and (presumably long lived) refresh token, but after the access code and bearer token have expired and I use the refresh token to get a new bearer token I get the error:
Request sent:
https://api.dropbox.com/oauth2/token
body = refresh_token=8p************************************************************eI
&grant_type=refresh_token
&code_verifier=wE***************************************pU
&client_id=2b***********6x
Response received (invalid json as all \ were removed to improve readability):
body: {"error_description": "unknown field "code_verifier"", "error": "invalid_request"}"
response code: 400Is what I want possible? If so, how? Or what is the way to go?
Thanks for any help on this.
While the PKCE flow is generally meant for client-side apps (and server-side apps would generally use the code flow) given the constraints in this case, using the PKCE flow seems reasonable and should work.
The issue you're running in to here is that you're calling /oauth2/token to perform 'grant_type=refresh_token' but are supplying the 'code_verifier' parameter. The 'code_verifier' parameter should only be provided for the initial 'grant_type=authorization_code'.
That is, the flow should look like this:
- The user is directed to /oauth2/authorize
- The user approves the app
- The user copies the authorization code from the Dropbox web site into the app
- The app calls /oauth2/token supplying 'code' set to the authorization code, 'grant_type=authorization_code', 'code_verifier' set to the code verifier, and 'client_id' set to the app key, just once per authorization flow.
- The app uses the short-lived access token to make API calls.
- The app calls /oauth2/token supplying 'refresh_token' set to the refresh token, 'grant_type=refresh_token', and 'client_id' set to the app key, but not 'code_verifier', repeatedly whenever a new short-lived access token is needed.
Also, to confirm, yes, refresh tokens are long-lived. They don't expire by themselves, but can be revoked on demand.
Hope this helps!
- Greg-DB
Dropbox Staff
While the PKCE flow is generally meant for client-side apps (and server-side apps would generally use the code flow) given the constraints in this case, using the PKCE flow seems reasonable and should work.
The issue you're running in to here is that you're calling /oauth2/token to perform 'grant_type=refresh_token' but are supplying the 'code_verifier' parameter. The 'code_verifier' parameter should only be provided for the initial 'grant_type=authorization_code'.
That is, the flow should look like this:
- The user is directed to /oauth2/authorize
- The user approves the app
- The user copies the authorization code from the Dropbox web site into the app
- The app calls /oauth2/token supplying 'code' set to the authorization code, 'grant_type=authorization_code', 'code_verifier' set to the code verifier, and 'client_id' set to the app key, just once per authorization flow.
- The app uses the short-lived access token to make API calls.
- The app calls /oauth2/token supplying 'refresh_token' set to the refresh token, 'grant_type=refresh_token', and 'client_id' set to the app key, but not 'code_verifier', repeatedly whenever a new short-lived access token is needed.
Also, to confirm, yes, refresh tokens are long-lived. They don't expire by themselves, but can be revoked on demand.
Hope this helps!
Yes, that works, thanks a lot. I thus indeed was close all that time. Could it be an idea to add a step 6 to the PKCE guide (https://dropbox.tech/developers/pkce--what-and-why-) or add a 4th example to https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token ?
I'm not having any joy at all getting authorisation to work. As far as I can tell, I'm following the docs to the letter (though some of them are extremely difficult to read or interpret) and this coincides perfectly with the steps outlined earlier in this thread.
I'm trying to use the PKCE flow for a Wordpress plugin built in PHP. The docs say this is the best method to use where the code will be viewable by the public so you don't want to have your app secret used.
I construct a url to take the user to oauth2/authorize to authorise the app. The url has the following added in correct url encoded format:
response_type=code
client_id=<MYAPPID>
code_challenge=<CHALLENGE>
code_challenge_method=S256
(with the appropriate values in place of the placeholders above).
The user then returns to my app and types in the <CODE> they're given, and I then save it.
I then immediately use that <CODE> to try to get a token using oauth2/token. I'm using CURL for this. The headers I set are:
Accept: application/json Content-Type: application/x-www-form-urlencoded
Then for the data (sent in urlencoded format) I have
code=<CODE>
grant_type=authorization_code
code_verifier=<CHALLENGE>
client_id=<MYAPPID>What I get back from Dropbox, though, is an error:
{"error_description": "invalid code verifier", "error": "invalid_grant"}I keep trying different combinations of things, including with the headers, for about five minutes until the <CODE> expires and the error message changes to that. Then I have to re-authorise the app and circle around again. The encrypted code verifier I'm sending in the token request is exactly the same encrypted code verifier I sent with the authorisation url. So why the error?
This is doing my head in. Can anyone please help?
About Discuss Dropbox Developer & API
Make connections with other developers
