Non expiring token kept on changing

sanchitcop19 Thanks for the note! I'll ask the team to clarify this in the UI there.

Thank you!

Unfortunately, we have the same problem with the token, which is only valid for 4 hours.
In a backup plugin for the iot system iobroker we use the API for backup in the Dropbox.

Unfortunately, the token expires after 4 hours, which unfortunately means that users do not have a backup in the Dropbox.

We have about 45,000 users of the plugin and people are having really big problems with changing the token lifetime

Here is the link to the project

https://github.com/simatec/ioBroker.backitup

simatec Thanks for the note. You'll need to update your app to use refresh tokens if it needs to maintain long-term access without manual user intervention. You can find more information on this migration here, and you can find more information about this functionality in the OAuth Guide and authorization documentation.

Unfortunately, the variant of the refresh_token cannot be implemented for our plugin.

For your understanding...us backup plugin doesn't have its own app.
Users who want to save their backups in Dropbox create an app in their account.

In order for the user to receive a refresh_token, in-depth knowledge is required, which not all users have.

With the switch to the short_live token, I would like the Dropbox API to continue to be usable. With a validity of 4 hours, this is not the case to use it for a backup system.

iobroker is an iot system that usually runs on linux machines without a GUI and without a browser.

This also means that no authorization query is possible.

Would it be possible to display the refresh_token in the APP console?

In this way, we could offer the option of updating via the refresh token in our backup tool.

But users should get the refresh_token in an easy way

The current way is not user friendly

simatec1976 Thanks for the information. I'm sending this along as a feature request for the ability to get a refresh token via the Generate button on the App Console, but I can't promise if or when that might be implemented.

For reference, we do not recommend having end-users create/register apps themselves on Dropbox and then use the Generate button like this. The developer of the app/plugin/integration should register it once, and then implement the OAuth app authorization in the app/plugin/integration so that the end-users can authorize it to access their accounts without having to configure it themselves. That would apply to both the previous long-lived access token functionality, as well as the new short-lived access token and refresh token functionality. Previously, the user would need to process the OAuth app authorization flow once to get the long-lived access token. Now, they would do the same, and the app gets a short-lived access token and refresh token the same way, instead of a long-lived access token. The process would look the same to the end-user in both cases. The app would store and re-use the long-lived access token, or the refresh token, respectively.

simatec Whether using the old long-lived access tokens, or new short-lived access tokens/refresh tokens, 'redirect_uri' is optional when you're using 'response_type=code' (such as for the standard code flow for server-side apps, or PKCE flow for client-side apps). When it is omitted, the user is presented with the authorization code directly on the Dropbox web site after authorizing the app, which they would then copy/paste into the third party app for it to complete the flow, that is, calling /oauth2/token to get the resulting access token/refresh token.

Thank you for your explanations. I integrated the authorization into our GUI and submitted the APP for production due to around 45,000 users of our plugin. How long does this test normally take? I currently have many users with problems and the support effort is currently very high. I hope that the app will be released for production soon so that users can use it normally again. The app is called: Backup-DropCloud Thanks in advance.

simatec1976 That should be processed within a few business days. If you need help with a production request you can always open a ticket via https://www.dropbox.com/developers/contact .

Greg-DB 

My request was denied because the app name doesn't match the plugin name.

Unfortunately, this name is already taken and I can't do anything about it

simatec1976 I just checked on this, and it looks like you already have an open support ticket for that, so they'll follow up with you there soon.

Greg-DB 

thx for your support.
Yes, I opened a ticket or replied to the rejection by email.
Unfortunately, the app can only be checked if you install the iot system iobroker.

That means there is no website or access to test it.
The whole thing is integrated in the plugin backitup for the iobroker.

Greg-DB 

I've come a long way now.

However, I'm hanging on refresh_token with PKCE.

How can I do a refresh with the VERIFICATION_CODE.

I didn't want to work with client_secret.

with client_secret the example looks like this:

curl https://api.dropbox.com/oauth2/token \
    -d grant_type=refresh_token \
    -d refresh_token=<REFRESH_TOKEN> \
    -u <APP_KEY>:<APP_SECRET>

Is there also a way to refresh_token with the VERIFICATION_CODE instead of the client_secret?

I really don't want the client_secet in the Source code

Hey simatec1976 

To use the /oauth2/token with a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:

curl https://api.dropbox.com/oauth2/token \
    -d refresh_token=<REFRESH_TOKEN> \
    -d grant_type=refresh_token \
    -d client_id=<APP_KEY>