living-jordi
8 years ago · Explorer | Level 4
Oauth callback into several service instances
We're using 3 service instances under a load balancer.
In order to create an oauth session, we're using two endpoints:
The first one is named `/start`. We are using this code:
```java
DbxAppInfo appInfo = new DbxAppInfo("---", "---");
DbxRequestConfig config = new DbxRequestConfig("---");
DbxWebAuth webAuth = new DbxWebAuth(config, appInfo);
HttpSession session = request.getSession(true);
// the SDK stores the CSRF "state" value under this key in the user's session
String sessionKey = "dropbox-auth-csrf-token";
DbxSessionStore csrfTokenStore = new DbxStandardSessionStore(session, sessionKey);
String redirectUri = "http://localhost:8080/dropbox/cmng/dropbox/finish";
DbxWebAuth.Request authRequest = DbxWebAuth.newRequestBuilder()
        .withRedirectUri(redirectUri, csrfTokenStore)
        .build();
String authorizeUrl = webAuth.authorize(authRequest);
// redirect to the just created 'authorizeUrl'
```
In short, we're creating a new URL with our redirect URI.
The last one is named `/finish`. We are using this code:
```java
DbxAppInfo appInfo = new DbxAppInfo("---", "---");
DbxRequestConfig config = new DbxRequestConfig("---");
DbxWebAuth webAuth = new DbxWebAuth(config, appInfo);
HttpSession session = request.getSession(true);
// must be the same key as in /start so the stored "state" value can be found
String sessionKey = "dropbox-auth-csrf-token";
DbxSessionStore csrfTokenStore = new DbxStandardSessionStore(session, sessionKey);
String redirectUri = "http://localhost:8080/dropbox/cmng/dropbox/finish";
DbxAuthFinish authFinish;
authFinish = webAuth.finishFromRedirect(redirectUri, csrfTokenStore, request.getParameterMap());
String accessToken = authFinish.getAccessToken();
```
We don't know how this code will behave when a first request to `/start` is handled by one server instance and the callback to `/finish` is handled by another server instance.
How would it behave?
- Greg-DB
Dropbox Staff
The code looks fine at a glance. Are you running into any issues with this? As long as all instances have access to the same session data, I would expect this to work.
Specifically, as a security measure, what's happening is that the web auth flow needs to check that the "state" value passed back with the redirect URI (in the finish step) matches the original "state" value that was created for this app authorization flow originally and stored in the user's session (in the start step).
The SDK is open source so you can see what finishFromRedirect is doing, for example, if you want.
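Added example (not code from this thread or from the Dropbox SDK) showing why shared session data is the deciding factor. It models the state check Greg describes: `/start` generates an unguessable "state" value and saves it through a store, and `/finish` only accepts the callback if the echoed `state` parameter matches what was saved. The `CsrfStore` interface is a hypothetical local stand-in mirroring the three methods of the SDK's `DbxSessionStore` (`get`/`set`/`clear`) so the example compiles without the SDK; `MapBackedCsrfStore`, `AuthEndpoints`, the session id and the callback parameters are all constructed for the example. The same code is run once with a map shared by both instances and once with a separate map per instance.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical stand-in for the SDK's DbxSessionStore: the same three methods
 * (get/set/clear) that DbxWebAuth uses to save and later check the CSRF "state".
 */
interface CsrfStore {
    String get();
    void set(String value);
    void clear();
}

/**
 * CSRF store backed by a map keyed by session id (constructed for this example).
 * Hand every instance the same map to model a shared or replicated session
 * store (Redis, a database, container session replication); hand each instance
 * its own map to model purely local in-memory sessions.
 */
final class MapBackedCsrfStore implements CsrfStore {
    private static final String KEY = "dropbox-auth-csrf-token";
    private final Map<String, String> backend;
    private final String sessionId;

    MapBackedCsrfStore(Map<String, String> backend, String sessionId) {
        this.backend = backend;
        this.sessionId = sessionId;
    }
    @Override public String get() { return backend.get(sessionId + ":" + KEY); }
    @Override public void set(String value) { backend.put(sessionId + ":" + KEY, value); }
    @Override public void clear() { backend.remove(sessionId + ":" + KEY); }
}

/** Models one service instance handling the /start and /finish endpoints. */
final class AuthEndpoints {
    private static final SecureRandom RNG = new SecureRandom();

    /** /start: generate a random state, remember it in the store, and return it
     *  (the real flow embeds it in the authorize URL as the "state" parameter). */
    static String start(CsrfStore store) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.set(state);
        return state;
    }

    /** /finish: the state echoed back on the redirect must equal the stored one.
     *  The stored value is cleared either way, so a state is usable at most once. */
    static boolean finish(CsrfStore store, Map<String, String[]> params) {
        String expected = store.get();
        store.clear();
        String[] given = params.get("state");
        if (expected == null || given == null || given.length != 1) {
            return false; // nothing stored on this instance, or no state sent back
        }
        // constant-time comparison, as for any secret-bearing token
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     given[0].getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String sessionId = "sess-123"; // constructed: the user's session cookie value
        Map<String, String[]> callback = new HashMap<>(); // constructed redirect params
        callback.put("code", new String[] { "constructed-auth-code" });

        // Case 1: one store shared by all instances. Instance A handles /start,
        // instance B handles /finish, and B can still read the state A wrote.
        Map<String, String> shared = new ConcurrentHashMap<>();
        String state = start(new MapBackedCsrfStore(shared, sessionId));
        callback.put("state", new String[] { state });
        System.out.println("shared store, callback on another instance: "
                + finish(new MapBackedCsrfStore(shared, sessionId), callback));

        // Case 2: each instance keeps its own in-memory sessions. The state written
        // by instance A never reaches instance B, so B has nothing to compare against.
        Map<String, String> onlyOnA = new ConcurrentHashMap<>();
        Map<String, String> onlyOnB = new ConcurrentHashMap<>();
        String state2 = start(new MapBackedCsrfStore(onlyOnA, sessionId));
        callback.put("state", new String[] { state2 });
        System.out.println("per-instance store, callback on another instance: "
                + finish(new MapBackedCsrfStore(onlyOnB, sessionId), callback));
    }
}
```

The first case is what the SDK's `DbxStandardSessionStore` relies on when `HttpSession` is backed by a shared or replicated store, or when the load balancer pins a user to one instance (sticky sessions) so both requests land on the same node. The second case is the failure mode of plain in-memory servlet sessions behind a round-robin balancer: the callback is rejected rather than silently accepted, which is the safe direction, but users see intermittent login failures.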
- living-jordi
Explorer | Level 4
There's no issue by now. It's just a thought we've figured out coding this code.
You've written down:
> As long as all instances have access to the same session data, I would expect this to work.
As far as I've been able to figure out, HTTP sessions are per-instance. So an instance is only allowed to have its own sessions, isn't it?
- Greg-DB
Dropbox Staff
I'm not familiar enough with Java's HttpSession, and this may also depend on your particular setup, so I'm afraid I can't offer much insight on that side of things.