Forum Discussion
ancso
Helpful | Level 6
4 years ago
Can't get PKCE access token uses javascript fetch request
I am trying to utilize the PKCE in a background script of a Chrome extension. The example shows the following:
curl https://api.dropbox.com/oauth2/token \
-d code=<AUTHORIZATION_CODE> \
-d grant_typ...
ancso
Helpful | Level 6
4 years ago
when using the https://reqbin.com/req/v0crmky0/rest-api-post-example i tried all types of content-type available with no luck
I don't believe the cookie should matter, usually API servers do not relate to any irrelevant information unless it is actually needed,
however,
would be good if you could check that with the programmers
as you said, this is chrome extension and I am unable to change this default behavior
the params I sent were:
client_id=<client_id>&grant_type=authorization_code&code=waO3hkmKk8EAAAAAAAAL04IbHdMrBYxBGw7yghMI_0o&code_verifier=HfW9Gz3ZtF3mgdZCq3wuIIzbPDmwaGbkrOgMLgYYv6GeYXvLAMusvBjrJ91Zv8bFKhTOHlHj3EyAqMz5tivKXSLQS1r5NpSeNLP61zz5JRh6MXAB0mAL7lTrzBuSlptc
let me know if you need any more information
Greg-DB
Dropbox Community Moderator
4 years ago
Using that payload (though plugging in my own test client ID since you redacted yours), I still didn't get that error on https://reqbin.com/req/v0crmky0/rest-api-post-example . I instead got "code doesn't exist or has expired" as expected, since authorization codes are single-use and expire after a few minutes. Here's a screenshot showing the raw request and response there:
Just to double check, are you getting "code doesn't exist or has expired" or "No auth function available for given request" if you do the same there?
ancso
Helpful | Level 6
4 years ago
yes,
i experience the same behavior
if using an expired code i get the same error "code doesn't exist or has expired":
HTTP/1.1 400 Bad Request
Content-Security-Policy: sandbox allow-forms allow-scripts
Content-Type: application/json
Accept-Encoding: identity,gzip
Date: Wed, 12 Jan 2022 02:27:14 GMT
Server: envoy
Content-Length: 84
X-Dropbox-Response-Origin: far_remote
X-Dropbox-Request-Id: 7ff4794a94a846b0bfcbc750fbe48fd5

{"error": "invalid_grant", "error_description": "code doesn't exist or has expired"}
however
if using a working code i get:
HTTP/1.1 400 Bad Request
Content-Security-Policy: sandbox allow-forms allow-scripts
Content-Type: application/json
Accept-Encoding: identity,gzip
Date: Wed, 12 Jan 2022 02:25:18 GMT
Server: envoy
Content-Length: 97
X-Dropbox-Response-Origin: far_remote
X-Dropbox-Request-Id: 320762d3550c4d8a8e9e46a5ddc6b091

{"error": "invalid_request", "error_description": "No auth function available for given request"}
ancso
Helpful | Level 6
4 years ago
is there a way we can debug this online together?
maybe in an online meeting?
Greg-DB
Dropbox Community Moderator
4 years ago
Thanks! That's helpful. I believe I see what's causing this now. Can you check what /oauth2/authorize URL you're using? Since you're trying to use the PKCE flow, you need to include the code_challenge and code_challenge_method parameters. If you don't include those though, this effectively becomes the non-PKCE flow, in which case when you don't supply the client_secret value when calling /oauth2/token, you'll get this "No auth function available for given request" error (since the non-PKCE flow requires the client secret).
So, in order to use the PKCE flow, make sure you're including the code_challenge and code_challenge_method parameters on your /oauth2/authorize URL when retrieving the authorization code.
ancso
Helpful | Level 6
4 years ago
yes!
that was the problem
my apologies I missed these arguments in the request URL
however,
i am now getting the error
{error: 'invalid_grant', error_description: 'invalid code verifier'}
The URL includes both code_challenge and code_challenge_method
and looks like:
https://www.dropbox.com/oauth2/authorize?response_type=code&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256
and the parameters sent to oauth2/token are:
client_id=<client_id>&grant_type=authorization_code&code=<auth code from dropbox>&code_verifier=<128 char verifier>
i also made sure that <code challenge> is a SHA256 hash of <128 char verifier> by testing it at https://emn178.github.io/online-tools/sha256.html
what am i missing?
Greg-DB
Dropbox Community Moderator
4 years ago
The S256 method can be difficult to implement exactly correctly in code, and that tool you linked to is made by a third party so I can't say if it's producing exactly the format required for the OAuth 2 flow. You can refer to the code in the official Dropbox API v2 JavaScript SDK where this is done though. Alternatively, you could use the "plain" method (where the code challenge is just the code verifier) instead.
By the way, I don't know exactly what was contained in the cookies in the screenshot you posted, and I redacted them from the image anyway, but just to be safe, you may want to delete any old web browser sessions, as well as sign out of your current one, to invalidate any such cookies.
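An added example, not part of the thread and not Dropbox SDK code: RFC 7636 defines the S256 challenge as the unpadded base64url encoding of the raw SHA-256 digest of the verifier, so the hex string a hash tool displays is a different value. The code below uses only Web Crypto, which browsers and extension background scripts provide. The function names are made up for this example.

```javascript
// Added example: PKCE (RFC 7636) using only browser APIs. Function names are illustrative.
// Browsers and current Node expose globalThis.crypto; the require() fallback is for older Node.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Unpadded base64url, the encoding RFC 7636 requires for the S256 challenge.
function base64UrlEncode(bytes) {
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// 32..96 random bytes encode to the 43..128 characters a verifier may have.
function generateCodeVerifier(byteLength = 96) {
  if (byteLength < 32 || byteLength > 96) throw new RangeError('byteLength must be 32..96');
  return base64UrlEncode(webCrypto.getRandomValues(new Uint8Array(byteLength)));
}

async function sha256Bytes(text) {
  const digest = await webCrypto.subtle.digest('SHA-256', new TextEncoder().encode(text));
  return new Uint8Array(digest);
}

// code_challenge for code_challenge_method=S256.
async function codeChallengeS256(verifier) {
  return base64UrlEncode(await sha256Bytes(verifier));
}

// Hex form of the same digest, as hash tools display it. Not a valid S256 challenge.
async function sha256Hex(text) {
  return Array.from(await sha256Bytes(text), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Same parameters as the /oauth2/authorize URL and /oauth2/token body quoted in the thread.
function buildAuthorizeUrl(clientId, challenge) {
  const query = new URLSearchParams({
    response_type: 'code', client_id: clientId,
    code_challenge: challenge, code_challenge_method: 'S256',
  });
  return `https://www.dropbox.com/oauth2/authorize?${query}`;
}

function buildTokenBody(clientId, code, verifier) {
  return new URLSearchParams({
    client_id: clientId, grant_type: 'authorization_code', code, code_verifier: verifier,
  });
}
```

Pass the result of `buildTokenBody` as the `body` of a POST `fetch` to https://api.dropbox.com/oauth2/token; `fetch` sets the `application/x-www-form-urlencoded` content type for a `URLSearchParams` body. The verifier generated before the redirect has to be stored and reused unchanged in that request.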
ancso
Helpful | Level 6
4 years ago
plain works well
thanks
the example given at https://dropbox.tech/developers/pkce--what-and-why- refers to node.js and is not valid in browsers
can you please show an example that will be valid in such environment as browsers?
thanks
ancso
Helpful | Level 6
4 years ago
will check it
thanks for your help, it is much appreciated!