Need to see if your shared folder is taking up space on your dropbox 👨💻? Find out how to check here.
Forum Discussion
Solved
Oauth2 refresh token question - what happens when the refresh token expires?
I've been testing the Dropbox OAuth2 endpoints for a few days and I have read the documentation provided directly by Dropbox. However, it is not clear to me how I'm supposed to handle the acquisition...
While Dropbox "short-lived access tokens" do expire automatically, "refresh tokens" do not. When your app gets a refresh token, it can use that to continuously get new short-lived access tokens whenever needed, without further manual user intervention. (The Python SDK actually does that for you automatically.)
So, since Dropbox refresh tokens do not expire automatically they can and should be re-used repeatedly. The app will not receive a new refresh token every time it requests a new short-lived access token. It should just store and continue re-using the same one.
They can be revoked manually though, either by the user (e.g., via https://www.dropbox.com/account/connected_apps ) or the app, at which point the app would need to prompt the user to re-authorize the app if they wish to use it again.
The documentation really should address these issues. It is not obvious how the refresh mechanism works and a few sentences would prevent a lot of confusion. The code example could use a comment as well for the same reason.
"Refresh tokens can be used multiple times to create new tokens." More explanation would be much better, but even something as simple as that would have saved several hours of my time. This detail is not explained anywhere in the documentation and it's not an obvious piece of information considering many oauth refresh token implementations do not work the same way.
Greg-DB
Dropbox Community Moderator
Dropbox Community ModeratorThanks for the feedback! I'll ask the team to clarify this in the documentation.
It looks like some of the documentation has been updated, but I didn't see anything in the Oauth guide, which would be the best place to explain the process. I've been asked a few times about how to fix this in code and the solution is really straight forward to explain via the code itself.
Go here to see a PKCE authorization example script, which has the following code:
#!/usr/bin/env python3 import dropbox from dropbox import DropboxOAuth2FlowNoRedirect ''' Populate your app key in order to run this locally ''' APP_KEY = "" auth_flow = DropboxOAuth2FlowNoRedirect(APP_KEY, use_pkce=True, token_access_type='offline') authorize_url = auth_flow.start() print("1. Go to: " + authorize_url) print("2. Click \"Allow\" (you might have to log in first).") print("3. Copy the authorization code.") auth_code = input("Enter the authorization code here: ").strip() try: oauth_result = auth_flow.finish(auth_code) except Exception as e: print('Error: %s' % (e,)) exit(1) with dropbox.Dropbox(oauth2_refresh_token=oauth_result.refresh_token, app_key=APP_KEY) as dbx: dbx.users_get_current_account() print("Successfully set up client!")Now, all you need to do is this:
# View the details of the oauth result print(f'Access Token = {oauth_result.access_token}') print(f'Account ID = {oauth_result.account_id}') print(f'Refresh Token = {oauth_result.refresh_token}') print(f'Expiration = {oauth_result.expiration}') print(f'Scope = {oauth_result.scope}') # Store this to use over and over whenever an access token expires save_somewhere(oauth_result.refresh_token)The SDK will automatically request new access tokens as long as you supply the refresh token. Other scripts can use the refresh token as well, e.g.:
import dropbox APP_KEY = '<your app key>' refresh_token = get_refresh_token_from_wherever_you_put_it() with dropbox.Dropbox(oauth2_refresh_token=oauth_result.refresh_token, app_key=APP_KEY) as dbx: dbx.users_get_current_account() print("Successfully set up client!")
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
