How to get refresh token without User interaction

Greg-DB 

Can you share more example in Spring boot for implementation of refresh token. Previous example shared by Здравко  was partially help full .

I am trying to figure out more that  "is 1 drop box  application be used across org ? "

makrand kulkarni Dropbox doesn't offer a Spring Boot sample in particular, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though.

Greg-DB 

I am following Drop box documentation

https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

I am not able to get the "Code"  embedded in Redirect URI. Sample request is

GET Method

https://www.dropbox.com/oauth2/authorize?client_id=xxxxxx&token_access_type=offline&response_type=code&redirct_uri=https://eofynre1btpc2ny.m.pipedream.net&state=xyz

In response getting Html Code /Website in Postman

As Per Documentation it should provide me  Query response with Code

Any help will be appreciated.

Thanks

Hi makrand kulkarni,

As can be seen on documentation (and on your screenshot) "Because /oauth2/authorize is a web site, there is no direct return value". What is a web site? 🧐 Ooo... it's HTML. 😉 Read more carefully.

makrand kulkarni As Здравко indicated, /oauth2/authorize is a web page, not an API call, so you should not be accessing it programmatically. You should send the user there in their own system web browser to interactively click the button to authorize your app to access their account. If you specify a redirect URI, the user will be redirected to it upon authorizing the app and the app can parse that resulting redirected URI to retrieve the authorization code.

Hi Greg.

Somewhat this is still confusing for me.

I was following this example: 
https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-scopes.py#L81
and this guide:
https://developers.dropbox.com/oauth-guide

From your comment:

---

Greg-DB wrote:

If your app needs to maintain long-term access without the user manually re-authorizing it repeatedly, the app should request "offline" access so that it gets a refresh token. The refresh token doesn't expire and can be stored and used repeatedly to get new short-lived access tokens whenever needed, without the user manually reauthorizing the app.

and from the DropBox Oauth Guide:

> When using refresh tokens, your call to the /oauth2/token endpoint with the grant_type of authorization_code will return a short-lived access token and a refresh token, which should be securely stored.

so why does this endpoint return a new refresh token?

but as I understand - your comment is more correct - the Refresh Token is permanent and if I perform a "manual flow" like here:

https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-scopes.py#L18

and save the refresh token, I should be able to use it forever?

let's say I perform the above manual and initial OAuth flow (DropboxOAuth2FlowNoRedirect - in Python SDK), and save the refresh token and access token somewhere.

then, let's say I have a task - a script that re-runs periodically and needs to call DropBox API without user interaction - I make it read the previously saved Access and Request tokens, and make a call like this: 

https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-scopes.py#L79C1-L83C52

?

does this mean, that after the above Dropbox client operation, I don't get a new Access Token, but the one which I saved just becomes valid again?

both the AccessToken and Refresh Token stay valid and the same all the time?

AccessToken can even become expired for a long time, and you only need Refresh Token to make a new Dropbox API connection at any time?

Hi tkozuch,

As seems you haven't read entire documentation. /oauth2/token endpoint can be used for different things including initial token receiving from access code (note here code, no token) where you get refresh token and access token on one side and consecutive usage to get access token from refresh token (something the can be used repeatedly; the first case cannot - the code is for single time usage). For some more details in deep take a look here. That's for clarity only - when using SDK you don't need to call endpoints directly. So:

---

tkozuch wrote:

...
so why does this endpoint return a new refresh token?
...

---

When you start OAuth flow from "zero" (i.e. new code) you get new refresh token. You don't need to repeat it! You only need to do it once on linking time and after that proceed without further user interaction - then only new access token comes back. Actually the SDK takes care for this, you can ignore this part completely in your code.

---

tkozuch wrote:

...
and save the refresh token, I should be able to use it forever?
...

---

Yes, or till revoke either from your application or from user side.

---

tkozuch wrote:

...
both the AccessToken and Refresh Token stay valid and the same all the time?
...

---

Refresh token stay valid indefinitely while access token expire in time noted on receiving (typical 4 hours or so).

---

tkozuch wrote:

...
AccessToken can even become expired for a long time, and you only need Refresh Token to make a new Dropbox API connection at any time?

---

Almost... Once the existing access token expires, you need new access token for regular API work - that's what the refresh process is for. As I mentioned SDK takes care for this internal. To "refresh" the token you need application key at least and in some cases application secret (when non PKCE OAuth flow is used).

Hope this sheds additional light.