Distinction between Oauth 2 and PHP Core API (PHP SDK)

Hi,

 

Now while obtaining an access token, I'm making the curl call to the token endpoint. I cannot make use of the CLI curl command as stated in the example here: https://blogs.dropbox.com/developers/2013/07/using-oauth-2-0-with-the-core-api/

 

So I'm making a curl call as:

 

 

$auth_code = $_GET['code'];
$acc_url = 'https://api.dropboxapi.com/1/oauth2/token';
$post = array('code' => $auth_code,
'grant_type' => 'authorization_code',
'client_id' => '6i45k3fi9a1i9an',
'client_secret' => '<redacted>');

// Set the curl parameters.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
// Turn off the server and peer verification (TrustManager Concept).
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Get response from the server.
$resp = curl_exec($ch);
echo '<br />Curl Error: '.curl_error($ch);
echo '<br />Curl Response: ';
r_print($resp);

 

I'm getting the response as:

Error(405): 

Something went wrong. Don't worry, your files are still safe and the Dropboxers have been notified. Check out our Help Center and forums for help, or head back to home.

 

How can I get a detailed error explaining the issue? What wrong am I doing? 

You should only encode your redirect URI ( http://localhost/soft/softaculous/enduser/index.live.php ) since it's being provided as a URL parameter, and not the /authorize URL itself where you send the user to authorize your app.

 

A 405 error should indicate that you're using the wrong HTTP method. The /oauth2/token endpoint requires the POST method. It looks like you're using that (since you're setting CURLOPT_POST), but I notice that you're actually calling $url, when you set /oauth2/token to the $acc_url variable instead. Please make sure you're calling the right endpoint.

 

Also, we highly recommend against disabling SSL/TLS verification.

Hi,

 

Ahh that was a silly mistake I made. I corrected it and now getting this:

{"error_description": "redirect_uri mismatch", "error": "invalid_grant"}

Can you tell me why?

 

Also regarding SSL/TLS, we'll have users having or not having SSL/TLS verification on their servers. We would require the support for all kind of servers. May I know the issue? 

Hi,

 

Is it possible to get a faster response please?

Hi,

 

I'm able to resolve the previous error.

 

I have a doubt though. While implementing Dropbox, our user can make auth & token generation calls from various pages. Sometimes those pages may have and sometimes may not have the parameters. We cannot fix them. But according to this v2 of Dropbox APIs, the redirect URL has to be specified in the Dropbox App.

 

How can we handle this?

As a matter of security OAuth 2 redirect URIs are required to use https:// not http://. 

 

Likewise, also as a security feature, OAuth2 redirect URIs must be pre-registered exactly. 

 

One thing you may be able to do instead is to use one static redirect URI but encode the necessary information in the 'state' parameter, and decode it as necessary after the redirect back to your app, to handle it as necessary:

https://www.dropbox.com/developers/documentation/http/documentation#authorization

 

Alternatively, you could forgo using a redirect URI entirely. With the "code" flow, you can omit redirect_uri and have the user copy and paste the code manually.

Hi,

Thank you for your reply.

>>One thing you may be able to do instead is to use one static redirect URI but encode the necessary information in the 'state' parameter, and decode it as necessary after the redirect back to your app
We cannot have one static URI as it varies panel to panel. On cPanel it is different, on DA it will be different, etc. On cPanel it will be different from session to session as well.

Since we want to make it automated, we don't prefer to ask users to copy paste the code.

Do you have some better solution to this? Can't we add some variables or something in the Redirect URIs of MyApps page?

No, unfortunately I don't have another solution to offer. Dropbox OAuth 2 redirect URIs don't support variables.

To clarify though, the static redirect URI technique may still work for you. In your case, it sounds like you could encode the relevant panel URL in the 'state' parameter, and perform the necessary redirect from your own server.