We’re Still Here to Help (Even Over the Holidays!) - find out more here.
Forum Discussion
Access token generated with refresh token got permissions revoked
As per the dropbox offline flow, I've set up a flow where I've generated a refresh token after the owner of the dropbox (me) - Generated an access code using this URL https://www.dropbox.com/oauth...
Greg-DB
Luckily I still have my old refresh token and I performed another request and this is what I got back.
Unable to write file at location: uploads/1.txt. Client error: `POST https://content.dropboxapi.com/2/files/upload` resulted in a `401 Unauthorized` response:\n
{"error_summary": "missing_scope/...", "error": {".tag": "missing_scope", "required_scope": "files.content.write"}}
Please keep in mind that I was not getting this 401 error before and I was successfully going throw the whole flow.
Hence my explanation that my refresh token generated an access token that does not have all the permissions.
Greg-DB
Dropbox Community Moderator
Dropbox Community Moderatorandrejpet Thanks for following up. A 'missing_scope' error indicates that while the app itself may be permitted to use that scope, the particular access token you're using to make the API call does not have that scope granted. Also, be aware that just adding a scope to your app via the App Console does not retroactively grant that scope to existing access tokens or refresh tokens. That being the case, to make any API calls that require that scope, you'd need to to get a new access token/refresh token with that scope included. Refer to the OAuth Guide and authorization documentation for more information.
So, in this case that should mean that either:
- The particular refresh token used to retrieve that access token was not originally authorized with the 'files.content.write' scope, or
- The /oauth2/token call with 'grant_type=refresh_token' used to retrieve that access token set the 'scope' parameter to a value not containing the 'files.content.write' scope, meaning that the resulting access token would not have that scope.
To fix 1, you'd need to re-authorize the app with the OAuth app authorization flow again to get a new refresh token/access token with that scope.
If 1 does not apply though and that refresh token does already have that scope, to fix 2, you'd only need to make that /oauth2/token call with 'grant_type=refresh_token' again but include the needed scope in the 'scope' parameter, or omit the 'scope' parameter entirely.
For reference, I just tested this functionality out myself and it is working as expected for me. If something isn't working properly, please share the full steps/code to reproduce the issue so we can investigate.
Could be that during the dev process I accidentally created a refresh token without the app having valid permissions.
Can we keep this discussion alive just in case something pops up again?
I just want confirmation that the refresh token lives forever.
Thanks for your replies, in the end I re-started the whole process
1. Generated an access code
2. Requested a refresh token
3. Used the refresh token to get a new access token on each upload
4. Uploaded files.
Was pretty sure I got the whole flow right from the get go, this surprised me as I did not recall creating an app without permissions, but let's see if the token scope goes missing again.
I've saved all the creds so if anything pops up I'll contact you again.
Thank you for your help.- Greg-DB
Dropbox API refresh tokens do not expire automatically, but they can be revoked on demand by the app or user.
And yes, you can reply here again if/when needed.
About Discuss Dropbox Developer & API
Make connections with other developers
