Need to see if your shared folder is taking up space on your dropbox 👨💻? Find out how to check here.
Forum Discussion
Solved
Can't get PKCE access token uses javascript fetch request
I am trying to utilize the PKCE in a background script of chrome extension example shows the following: curl https://api.dropbox.com/oauth2/token \
-d code=<AUTHORIZATION_CODE> \
-d grant_typ...
yes!
that was the problem
my apologies I missed these arguments in the request URLhowever,
i am now getting the error{error: 'invalid_grant', error_description: 'invalid code verifier'}The URL includes both code_challenge and code_challenge_method
and looks like:https://www.dropbox.com/oauth2/authorize?response_type=code&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256
and the parameters sent to oauth2/token are:client_id=<client_id>&grant_type=authorization_code&code=<auth code from dropbox>&code_verifier=<128 char verifier>i also made sure that <code challenge> is a SHA256 hash of <128 char verifier> by testing it at https://emn178.github.io/online-tools/sha256.html
what am i missing?
since its SSL i am unable to use wireshrk/tcpdump
In the Chrome's dev tools, under the payload tab i can see the following (raw data):
client_id=<15 chars clienid>&grant_type=authorization_code&code=<43 chars code>&code_verifier=<128 chars code_verifier>
all codes include only lower&Upper case letters and numbers
i also tested this string at https://reqbin.com/req/v0crmky0/rest-api-post-example and got the same result
Greg-DB
Dropbox Community Moderator
Dropbox Community ModeratorCould you show both the headers and body for both the request and response? The Chrome developer tools should enable you to see both.
the headers:
because it is a chrome extension the body is not in it
there is a tab called payload instead:i tried to use the above string in https://reqbin.com/req/v0crmky0/rest-api-post-example and got the same error
looks like the issue is not with the chrome extension, probably something to do with the data in the body
Thanks
Avner- Greg-DB
Thanks. In particular I was most looking for the "Content-Type" header which will affect how the body is read, but that seems to be set correctly in your screenshot. Were you also setting that to "application/x-www-form-urlencoded;charset=UTF-8" when using https://reqbin.com/req/v0crmky0/rest-api-post-example ? That could cause the error if not.
Also, I'm not sure why your request contains cookies; that's not expected for API calls like this. That doesn't occur for me, so I can't say if that's the cause. Perhaps it's because that one's happening in a Chrome extension (as opposed to the potential Content-Type issue in reqbin)?
In any case, perhaps you can share the actual unredacted payload? (The authorization code expires after five minutes, so it's safe to share once that elapses.) You can open an API ticket with that if you'd prefer to share privately. That may enable us to reproduce what you're seeing. Alternatively, do you have a sample page with this code running we can try?
when using the https://reqbin.com/req/v0crmky0/rest-api-post-example i tried all types of content-type available with no luck
I don't believe the cookie should matter, usually API servers do not relate to any irrelevant information unless it is actually needed,
however,
would be good if you could check that with the programmers
as you said, this is chrome extension and I am unable to change this default behavior
the params I sent were:
client_id=<client_id>&grant_type=authorization_code&code=waO3hkmKk8EAAAAAAAAL04IbHdMrBYxBGw7yghMI_0o&code_verifier=HfW9Gz3ZtF3mgdZCq3wuIIzbPDmwaGbkrOgMLgYYv6GeYXvLAMusvBjrJ91Zv8bFKhTOHlHj3EyAqMz5tivKXSLQS1r5NpSeNLP61zz5JRh6MXAB0mAL7lTrzBuSlptc
let me know if you need anymore information
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
