Oauth callback into several service instances

Question

We're using 3 service instances under a load balencer.&nbsp;In order to create an oauth session, we're using two endpoints:&nbsp;The first one is named `/start`. We are using this code:&nbsp;&nbsp;&nbsp;&nbsp;DbxAppInfo appInfo = new DbxAppInfo("---", "---");
DbxRequestConfig config = new DbxRequestConfig("---");
DbxWebAuth webAuth = new DbxWebAuth(config, appInfo);
        
HttpSession session = request.getSession(true);
String sessionKey = "dropbox-auth-csrf-token";
DbxSessionStore csrfTokenStore = new DbxStandardSessionStore(session, sessionKey);
        
String redirectUri = "http://localhost:8080/dropbox/cmng/dropbox/finish";
DbxWebAuth.Request authRequest = DbxWebAuth.newRequestBuilder()
        .withRedirectUri(redirectUri, csrfTokenStore).build();
        
String authorizeUrl = webAuth.authorize(authRequest);
//redirect to just created 'authorizeUrl'&nbsp;Shortly, we're creating a new url with our redirectURI.&nbsp;The last one is named `/finish`. We are using this code:&nbsp;&nbsp;&nbsp;&nbsp;DbxAppInfo appInfo = new DbxAppInfo("---", "---");
DbxRequestConfig config = new DbxRequestConfig("---");
DbxWebAuth webAuth = new DbxWebAuth(config, appInfo);
        
HttpSession session = request.getSession(true);
String sessionKey = "dropbox-auth-csrf-token";
DbxSessionStore csrfTokenStore = new DbxStandardSessionStore(session, sessionKey);
        
String redirectUri = "http://localhost:8080/dropbox/cmng/dropbox/finish";
DbxAuthFinish authFinish;
      
authFinish = webAuth.finishFromRedirect(redirectUri, csrfTokenStore, request.getParameterMap());
        
String accessToken = authFinish.getAccessToken();&nbsp;We don't know how this code will behave when a first request to `/start` is handled by one server instance and the callback to `/finish` is handle by another server instance.&nbsp;How would it behave?

living-jordi · Answer

There's no issue by now. It's just a thought we've figured out coding this code.

You've written down:

As long as all instances have access to the same session data, I would expect this to work.

As far I've been able to figure out, http sessions are per-instances linked. So, an instance is only allowd to have their owned sessions, isn't it?

Greg-DB · Answer

The code looks fine at a glance. Are you running in to any issues with this? As long as all instances have access to the same session data, I would expect this to work.
&nbsp;
Specifically, as a security measure, what's happening is that the web auth flow needs to check that the "state" value passed back with the redirect URI (in the finish step) matches the original "state" value that was created for this app authorization flow originally and stored in the user's session (in the start step).
&nbsp;
The SDK is open source so you can see what&nbsp;finishFromRedirect is doing, for example, if you want.

Greg-DB · Answer

I'm not familiar enough with Java's HttpSession, and this may also depend on your particular setup, so I'm afraid I can't offer much insight on that side of things.

Forum Discussion

Oauth callback into several service instances

3 Replies

About Dropbox API Support & Feedback

Related Content

Multiple Instances of dropbox.exe in Task Manager

Several xmlhttprequest: very slow

Files have disappeared from several folders

Desktop App Severely Affecting System Performance

problem initializing DropboxClient instance

Recent Discussions

/oauth2/authorize (code flow) redirects to http://www.dropbox.com/home instead of redirect_uri

Add id and .tag fields to DeletedMetadata in the API

Shared Link - Download in .NET

Dropbox API server root certificate changes for .Net

GetCurrentAccountAsync API Failing for some Team Members while using Impersonation