Best way to authorize more users on my app

Question

Hi all,my scenario is as follows:1) mobile app2) app server for redirect uriI need to allow users to access their dropbox space from my application. So each user will have to authorize his copy of the app with dropbox by inserting user and pass.My problem is that the response that the dropbox server sends to my server has no information about the user. I do not know if it is user A or user B to authorize. How can I solve this problem?thanks in advantage&nbsp;

Greg-DB · Answer

Can you elaborate on what you mean when you "the response that the dropbox server sends to my server has no information about the user"?
You can find information on how the result is returned to the redirect URI in the OAuth 2 /authorize documentation here:
https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize
Note that there are two "flows": the "code" flow and the "token" flow. It sounds like you may be using the "token" flow, where the result is returned on the URL "hash" or "fragment". Browsers intentionally don't send this information to the server; it is only available client-side. For server-side redirect URIs, you should use the "code" flow instead. For the "code" flow, the result is returned in URL parameters, which are sent to the server.

donatz · Answer

Hi Greg,thanks for the reply,Yes, I am using flow code. As documented, the dropbox server replies by sending me the code (ex: Nhiajajoiqpqi912alalala). In my project the request_uri is the application that runs on the server and not the mobile app (it must always be available for callback). But I can not connect this code to one of my users, because I do not know which of my users has made the dropbox authorization request from the mobile app, and that code is related only to a user who made the request. I do not know if my problem is clear.

Greg-DB · Answer

When using the "code" flow,&nbsp;Dropbox will return an "authorization code" to your redirect URI. This authorization code is specific to the&nbsp;Dropbox user that authorized the app. You should then exchange this authorization code for an access token using /oauth2/token. In addition to the access token, that endpoint will return the account_id of the&nbsp;Dropbox user that authorized it. (Additionally, you can check the account information for an access token by using it to call&nbsp;/2/users/get_current_account.)
While that identifies which&nbsp;Dropbox account was used, it doesn't identify the account in your third party app itself. Typically, you would get this from your app's own session. (I.e., whoever is signed in to your web site or app.)
If, for whatever reason though, that doesn't work in your use case, you can pass along other identifying data in the "state" parameter to&nbsp;/oauth2/authorize, which will be passed back by the&nbsp;/oauth2/authorize result to your redirect URI.

donatz · Answer

Yes Greg,&nbsp;I use this solution.Greg-DB&nbsp; ha scritto:When using the "code" flow,&nbsp;Dropbox will return an "authorization code" to your redirect URI. This authorization code is specific to the&nbsp;Dropbox user that authorized the app. You should then exchange this authorization code for an access token using /oauth2/token. In addition to the access token, that endpoint will return the account_id of the&nbsp;Dropbox user that authorized it. (Additionally, you can check the account information for an access token by using it to call&nbsp;/2/users/get_current_account.)While that identifies which&nbsp;Dropbox account was used, it doesn't identify the account in your third party app itself. Typically, you would get this from your app's own session. (I.e., whoever is signed in to your web site or app.)in this case I do not have the security that the user who requested the authorization has used the same data (mail, name etc.) in the registration to my service, so the comparison between accessID and myUserID can be done but it does not work at 100%. Do you Agree with me?Greg-DB&nbsp; ha scritto:&nbsp;If, for whatever reason though, that doesn't work in your use case, you can pass along other identifying data in the "state" parameter to&nbsp;/oauth2/authorize, which will be passed back by the&nbsp;/oauth2/authorize result to your redirect URI.&nbsp;I tried to pass a userid on "state" but as described here:state&nbsp;String?&nbsp;Up to 500 bytes of arbitrary data that will be passed back to your redirect URI. This parameter should be used to protect against cross-site request forgery (CSRF). See Sections&nbsp;4.4.1.8&nbsp;and&nbsp;4.4.2.5&nbsp;of the OAuth 2.0 threat model spec.this field is used for protect against cross-site, infact in the callback from dropbox to my server the field state is filled correctly but I don't have the code because it is hidden.&nbsp;does it happen to you too?&nbsp;thank a lot&nbsp;&nbsp;

Greg-DB · Answer

I'm not sure I follow. What do you mean by "accessID"?
Also, can you clarify what you mean when you say " field state is filled correctly but I don't have the code because it is hidden"?
Please note that I'm happy to help with any questions or issues you have with the&nbsp;Dropbox API itself, but I can't offer general security guidance. If you have any app security questions, please consult with a security professional.&nbsp;

Forum Discussion

Best way to authorize more users on my app

8 Replies

About Dropbox API Support & Feedback

Related Content

Allow authorized users to access Dropbox folders

How to programmatically get the Authorization code without requiring the user approval in OAuth 2.0

Dropbox APP Authorization Token Expires

How to turn off multi-authorization?

How can I disable the Microsoft Co-Authoring feature from Office 365?

Recent Discussions

SSL Certificate error or SSH md5 fingerprint not Ok error.

Can't retrieve file count or file listing

Dropbox API and access tokens for enterprise level

Upgraded Team Account - breaking shared links using JS SDK

How to Allow Other Users to Test My Dropbox Extension?