We Want to Hear From You! What Do You Want to See on the Community? Tell us here!
Forum Discussion
Solved
Using refresh token without client secret
I am using the PKCE flow for my electron based desktop & web app app and am trying to migrate for the new short lived tokens everywhere flow. I am able to get a refresh token by providing
token_access_type=offline
Now I am wondering how I can request a new accessToken without exposing my APP_SECRET (https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token).
Is there a way to do so?
Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.
Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:
curl https://api.dropbox.com/oauth2/token \ -d refresh_token=<REFRESH_TOKEN> \ -d grant_type=refresh_token \ -d client_id=<APP_KEY>
4 Replies
- Greg-DB
Dropbox Community Moderator
Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.
Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:
curl https://api.dropbox.com/oauth2/token \ -d refresh_token=<REFRESH_TOKEN> \ -d grant_type=refresh_token \ -d client_id=<APP_KEY> Thanks for the quick response. Unfortunately this leads to an `invalid_request` error (400):
```The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters.
```
Never mind! I had the wrong Content-Type header set. Seems to work fine now. Thank you very much!
Maybe this should be added to the documentation under the examples section?
- Greg-DB
Thanks for following up. I'm glad to hear you got this working.
Yes, I've asked the team to add that example to the documentation.
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
