makrand kulkarni
Explorer | Level 4
3 years ago

How to get refresh token without User interaction

Hello Team,

As the Dropbox access token is invalid after 4 hr, I want to implement a refresh token mechanism in backend Java code without user interaction, i.e. fully automated. So I have a requirement to get a refresh token without user interaction, based on two parameters on the UI:

1. App Key

2. Access Token Generated

Please share any link or documentation for the same, or any Java code written?

  • Greg-DB
    Dropbox Staff

    It is not possible to get a refresh using an app key and access token programmatically. You can only get a refresh token using the OAuth app authorization flow.

     

    Likewise, it is not possible to fully automate the OAuth process where the user chooses to authorize the app and the app then receives the resulting access token and optional refresh token. This needs to be done manually by the user at least once. If your app needs to maintain long-term access without the user manually re-authorizing it repeatedly, the app should request "offline" access so that it gets a refresh token. The refresh token doesn't expire and can be stored and used repeatedly to get new short-lived access tokens whenever needed, without the user manually reauthorizing the app.

     

    You can find examples of this functionality in the Dropbox API v2 Java SDK here.

    • makrand kulkarni
      Explorer | Level 4

      Greg-DB,

       

      Thanks, I have one more query. As per the example given, the auth code needs to be entered manually by the user to get the access and refresh tokens.

      For a company's clients this could not be implemented, as there are multiple users who will use our application.

      1. Is there any other solution where the auth code can be taken internally by the application?

      2. In which parameter can the auth code be taken in the response of the redirect-uri?

      It will be a great help on this.

       

      • Здравко
        Legendary | Level 20

        makrand kulkarni wrote:

        ...

        1. Is there any other solution where the auth code can be taken internally by the application?

        ...


        As you already guessed, yes, using a redirect URI.

         


        makrand kulkarni wrote:

        ...

        2. In which parameter can the auth code be taken in the response of the redirect-uri?

        ...


        You can take a look at a web example to get an idea from, or at the general authorization doc.

        Good luck.
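
Added example, not part of the original posts and not Dropbox SDK code: Python showing the redirect flow discussed above, where the application requests "offline" access and then reads the single-use authorization code from the `code` query parameter of the redirect after verifying `state`. The app key, redirect URI and code value are constructed placeholders, and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"


def build_authorize_url(app_key, redirect_uri):
    """Return (url, state). Keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": app_key,
        "response_type": "code",
        "token_access_type": "offline",  # ask for a refresh token as well
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def extract_auth_code(callback_url, expected_state):
    """Read the authorization code from the redirect the user's browser followed."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:  # the user declined or the request was rejected
        raise PermissionError(params["error"][0])
    states = params.get("state", [])
    codes = params.get("code", [])
    # Exactly one of each; duplicated parameters are rejected, not guessed at.
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one code and one state")
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    return codes[0]


# Constructed sample values; nothing here contacts Dropbox.
REDIRECT = "https://app.example/dropbox/callback"
url, state = build_authorize_url("APP_KEY_PLACEHOLDER", REDIRECT)
callback = REDIRECT + "?" + urlencode({"code": "SAMPLE_CODE", "state": state})
print(extract_auth_code(callback, state))
```

Each user still approves the app once in the browser; what the redirect removes is the copy-and-paste of the code.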

    • tkozuch
      New member | Level 2

      Hi Greg.

      This is still somewhat confusing for me.

      I was following this example: 
      https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-scopes.py#L81
      and this guide:
      https://developers.dropbox.com/oauth-guide

      From your comment:


      Greg-DB wrote:

      If your app needs to maintain long-term access without the user manually re-authorizing it repeatedly, the app should request "offline" access so that it gets a refresh token. The refresh token doesn't expire and can be stored and used repeatedly to get new short-lived access tokens whenever needed, without the user manually reauthorizing the app.

      and from the Dropbox OAuth Guide:



      When using refresh tokens, your call to the /oauth2/token endpoint with the grant_type of authorization_code will return a short-lived access token and a refresh token, which should be securely stored.

      So why does this endpoint return a new refresh token?

      But as I understand it, your comment is more correct - the refresh token is permanent, and if I perform a "manual flow" like here:

      https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-scopes.py#L18

      and save the refresh token, I should be able to use it forever?

      Let's say I perform the above manual and initial OAuth flow (DropboxOAuth2FlowNoRedirect in the Python SDK), and save the refresh token and access token somewhere.

      Then, let's say I have a task - a script that re-runs periodically and needs to call the Dropbox API without user interaction - and I make it read the previously saved Access and Request tokens, and make a call like this:

      https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-scopes.py#L79C1-L83C52

      ?

      Does this mean that after the above Dropbox client operation, I don't get a new access token, but the one which I saved just becomes valid again?

      Do both the access token and the refresh token stay valid and the same all the time?

      Can the access token even be expired for a long time, and you only need the refresh token to make a new Dropbox API connection at any time?

      • Здравко
        Legendary | Level 20

        Hi tkozuch,

        It seems you haven't read the entire documentation. The /oauth2/token endpoint can be used for different things: on one side, initial token receiving from an access code (note: a code, not a token), where you get a refresh token and an access token; and on the other, consecutive usage to get an access token from the refresh token (something that can be used repeatedly; the first case cannot - the code is for single-time usage). For some more in-depth details take a look here. That's for clarity only - when using the SDK you don't need to call endpoints directly. So:


        tkozuch wrote:

        ...
        so why does this endpoint return a new refresh token?
        ...


        When you start the OAuth flow from "zero" (i.e. new code) you get a new refresh token. You don't need to repeat it! You only need to do it once at linking time and after that proceed without further user interaction - then only a new access token comes back. Actually the SDK takes care of this; you can ignore this part completely in your code.

         


        tkozuch wrote:

        ...
        and save the refresh token, I should be able to use it forever?
        ...


        Yes, or till revoked either from your application or from the user side.

         


        tkozuch wrote:

        ...
        both the AccessToken and Refresh Token stay valid and the same all the time?
        ...


        The refresh token stays valid indefinitely, while the access token expires at the time noted on receiving (typically 4 hours or so).

         


        tkozuch wrote:

        ...
        AccessToken can even become expired for a long time, and you only need Refresh Token to make a new Dropbox API connection at any time?


        Almost... Once the existing access token expires, you need a new access token for regular API work - that's what the refresh process is for. As I mentioned, the SDK takes care of this internally. To "refresh" the token you need the application key at least and in some cases the application secret (when a non-PKCE OAuth flow is used).

        Hope this sheds additional light.
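
Added example, not part of the original posts and not the SDK's own implementation: Python that models the two uses of /oauth2/token described in this reply, a one-time `authorization_code` exchange that yields the refresh token, then repeated `refresh_token` calls that yield only new access tokens. `TokenStore`, `fake_token_endpoint` and all token values are hypothetical and constructed; the fake endpoint stands in for the HTTP POST so the code runs offline.

```python
import time


class TokenStore:
    """Keeps the long-lived refresh token and mints short-lived access tokens."""
    def __init__(self, app_key, post, app_secret=None, clock=time.time):
        self.app_key, self.app_secret = app_key, app_secret
        self.post, self.clock = post, clock  # post(form) -> dict from /oauth2/token
        self.refresh_token, self.access_token, self.expires_at = None, None, 0.0

    def _call(self, **form):
        form["client_id"] = self.app_key
        if self.app_secret:  # non-PKCE flow: the app secret is sent as well
            form["client_secret"] = self.app_secret
        reply = self.post(form)
        self.access_token = reply["access_token"]
        self.expires_at = self.clock() + reply["expires_in"]
        return reply

    def link(self, code, redirect_uri, code_verifier=None):
        """Run once per user with the single-use code from the redirect."""
        form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
        if code_verifier:  # PKCE flow
            form["code_verifier"] = code_verifier
        # Only this reply carries a refresh token; store it encrypted at rest.
        self.refresh_token = self._call(**form)["refresh_token"]

    def get_access_token(self, skew=300):
        """Return a live access token, refreshing if it expires within `skew` seconds."""
        if self.clock() >= self.expires_at - skew:
            self._call(grant_type="refresh_token", refresh_token=self.refresh_token)
        return self.access_token


def fake_token_endpoint():
    """Constructed stand-in for /oauth2/token so the example runs offline."""
    used_codes, issued = set(), []
    def post(form):
        reply = {"access_token": f"ACCESS_{len(issued) + 1}", "expires_in": 14400}
        if form["grant_type"] == "authorization_code":
            if form["code"] in used_codes:
                raise ValueError("invalid_grant")  # a code works exactly once
            used_codes.add(form["code"])
            reply["refresh_token"] = "REFRESH_SAMPLE"
        elif form.get("refresh_token") != "REFRESH_SAMPLE":
            raise ValueError("invalid_grant")
        issued.append(reply["access_token"])
        return reply
    return post
```

A scheduled job only needs the stored refresh token and the app key (plus the secret in the non-PKCE case); a saved access token does not come back to life, a new one is issued on each refresh.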

  • Здравко
    Legendary | Level 20

    Hi makrand kulkarni,

    😁 You are confused. There is no way to get a refresh token based on an access token; the sequence is the opposite! You have to get a refresh token, and after that your SDK will take care of the rest (including access token generation). Take a look here and here for more info.

    Hope this helps.
