<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic OAuth2 w/ refresh tokens for hybrid apps in Discuss Dropbox Developer &amp; API</title>
    <link>https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/OAuth2-w-refresh-tokens-for-hybrid-apps/m-p/512806#M1816</link>
    <description>&lt;P&gt;I have a little Cordova (I know react-native is cool now, but I strongly prefer Vue) app for Android+browser that uses Dropbox for sync, and for both platforms does auth by getting an OAuth2 bearer token using the javascript SDK (calling getAuthenticationUrl() w/ the appropriate callback, and navigating to the result).&lt;/P&gt;&lt;P&gt;From what I gather, the new API changes towards short-lived tokens mean that a) no matter what, browser apps will have to do a manual relogin every 4 hrs (though it might just be an insta-redirect with no manual user re-entry of credentials).&lt;/P&gt;&lt;P&gt;DropBoxInc's intent is that mobile apps that want long-lived access also request a refresh token, with which you can request future short-lived tokens.&lt;/P&gt;&lt;P&gt;But will the Javascript SDK (which I imagine is what most hybrid apps use) support this? I tried manually appending &lt;EM&gt;token_access_type=offline&lt;/EM&gt; to the authentication URL returned by getAuthenticationUrl, but at the page:&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.dropbox.com/oauth2/authorize?response_type=token&amp;amp;token_access_type=online&amp;amp;client_id=$myclientid&amp;amp;redirect_uri=$myworkingredirect" target="_blank" rel="noopener"&gt;https://www.dropbox.com/oauth2/authorize?response_type=token&amp;amp;&lt;STRONG&gt;token_access_type=offline&lt;/STRONG&gt;&amp;amp;client_id=$myclientid&amp;amp;redirect_uri=$myworkingredirect&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I get '&lt;EM&gt;Offline access disallowed for OAuth2 token flow ("response_type" can't be "token").&lt;/EM&gt;'&lt;/P&gt;&lt;P&gt;But this would seem to mean that any cordova/capacitor/phonegap/hybrid apps (that rely on the javascript sdk for low-friction access to the dropbox API) are doomed to asking users to re-auth every 4hrs?&lt;/P&gt;</description>
    <pubDate>Mon, 12 Apr 2021 10:22:44 GMT</pubDate>
    <dc:creator>blobwriter</dc:creator>
    <dc:date>2021-04-12T10:22:44Z</dc:date>
    <item>
      <title>OAuth2 w/ refresh tokens for hybrid apps</title>
      <link>https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/OAuth2-w-refresh-tokens-for-hybrid-apps/m-p/512806#M1816</link>
      <description>&lt;P&gt;I have a little Cordova (I know react-native is cool now, but I strongly prefer Vue) app for Android+browser that uses Dropbox for sync, and for both platforms does auth by getting an OAuth2 bearer token using the javascript SDK (calling getAuthenticationUrl() w/ the appropriate callback, and navigating to the result).&lt;/P&gt;&lt;P&gt;From what I gather, the new API changes towards short-lived tokens mean that a) no matter what, browser apps will have to do a manual relogin every 4 hrs (though it might just be an insta-redirect with no manual user re-entry of credentials).&lt;/P&gt;&lt;P&gt;DropBoxInc's intent is that mobile apps that want long-lived access also request a refresh token, with which you can request future short-lived tokens.&lt;/P&gt;&lt;P&gt;But will the Javascript SDK (which I imagine is what most hybrid apps use) support this? I tried manually appending &lt;EM&gt;token_access_type=offline&lt;/EM&gt; to the authentication URL returned by getAuthenticationUrl, but at the page:&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.dropbox.com/oauth2/authorize?response_type=token&amp;amp;token_access_type=online&amp;amp;client_id=$myclientid&amp;amp;redirect_uri=$myworkingredirect" target="_blank" rel="noopener"&gt;https://www.dropbox.com/oauth2/authorize?response_type=token&amp;amp;&lt;STRONG&gt;token_access_type=offline&lt;/STRONG&gt;&amp;amp;client_id=$myclientid&amp;amp;redirect_uri=$myworkingredirect&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I get '&lt;EM&gt;Offline access disallowed for OAuth2 token flow ("response_type" can't be "token").&lt;/EM&gt;'&lt;/P&gt;&lt;P&gt;But this would seem to mean that any cordova/capacitor/phonegap/hybrid apps (that rely on the javascript sdk for low-friction access to the dropbox API) are doomed to asking users to re-auth every 4hrs?&lt;/P&gt;</description>
      <pubDate>Mon, 12 Apr 2021 10:22:44 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/OAuth2-w-refresh-tokens-for-hybrid-apps/m-p/512806#M1816</guid>
      <dc:creator>blobwriter</dc:creator>
      <dc:date>2021-04-12T10:22:44Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 w/ refresh tokens for hybrid apps</title>
      <link>https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/OAuth2-w-refresh-tokens-for-hybrid-apps/m-p/512888#M1817</link>
      <description>&lt;P&gt;No, such apps are not forced to have the user re-authorize every four hours. Client-side apps like this can request "offline" access to get refresh tokens if needed. There's an example of requesting offline access from a client-side app (a front-end browser app, in this sample) using the official Dropbox API v2 JavaScript SDK &lt;A href="https://github.com/dropbox/dropbox-sdk-js/blob/main/examples/javascript/pkce-browser/index.html" target="_self"&gt;here&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The issue with the authorization URL you constructed is that the PKCE flow (which is how client-side apps can get offline access) is a form of the "response_type=code" flow, not "response_type=token".&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I recommend letting the SDK build that URL for you, like &lt;A href="https://github.com/dropbox/dropbox-sdk-js/blob/main/examples/javascript/pkce-browser/index.html#L83" target="_self"&gt;in the example here&lt;/A&gt;. If you do want to build that directly though, you can find &lt;A href="https://www.dropbox.com/developers/documentation/http/documentation#authorization" target="_self"&gt;the full authorization documentation here&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Mon, 12 Apr 2021 15:10:44 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/OAuth2-w-refresh-tokens-for-hybrid-apps/m-p/512888#M1817</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2021-04-12T15:10:44Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 w/ refresh tokens for hybrid apps</title>
      <link>https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/OAuth2-w-refresh-tokens-for-hybrid-apps/m-p/513675#M1820</link>
      <description>&lt;P&gt;Thanks for the response Greg, always impressed with your responsiveness here.&lt;/P&gt;&lt;P&gt;So I got this working (the PKCE flow). However, having cached the access token in a local storage medium, requests to the Dropbox API the next day are rejected with a 401 error and "expired_access_token".&lt;/P&gt;&lt;P&gt;Ok, so I just have to write a little handler to catch it and ask for a new access_token using the refresh token (also stored). Simple enough. But how do I test this code? Can I request very-short-life tokens (around 60s) just to test this handler? I know you can manually revoke access_tokens using authTokenRevoke(), but doing that seems to also revoke the associated refresh_token, so doesn't allow for testing of the (expired_access_token+valid_refresh_token) code path.&lt;/P&gt;&lt;P&gt;Edit: it seems that one should just pass the refresh token to the DropboxAuth object (which is, in turn, passed to the Dropbox object at instantiation), and DropboxAuth should(?) magically refresh access_tokens for me without having to write my own code. But just to clarify:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;the refresh_token is not itself single-use, right? I don't have to somehow figure out when the DropboxAuth does a token refresh, in order to pull the (possibly new) refresh_token back out and overwrite the old refresh_token in storage?&lt;/LI&gt;&lt;LI&gt;Instead, the actual case is that a new refresh_token is only received when you make the dbxAuth.getAccessTokenFromCode() call, using a valid pkce code?&lt;/LI&gt;&lt;/OL&gt;</description>
      <pubDate>Thu, 15 Apr 2021 12:59:44 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/OAuth2-w-refresh-tokens-for-hybrid-apps/m-p/513675#M1820</guid>
      <dc:creator>blobwriter</dc:creator>
      <dc:date>2021-04-15T12:59:44Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 w/ refresh tokens for hybrid apps</title>
      <link>https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/OAuth2-w-refresh-tokens-for-hybrid-apps/m-p/513709#M1821</link>
      <description>&lt;P&gt;There isn't a way to force an access token to expire soon or immediately, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though. So, to test the actual 'expired_access_token' error for any particular new short-lived access token, you would need to wait four hours. (You don't need to wait to test the refresh flow itself though; you can perform a refresh at any point.)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;And yes, that's correct, the SDK code will handle the refresh for you, and refresh tokens are not single-use and Dropbox does not return a new refresh token on every refresh, so you don't need to retrieve and store a new refresh token every time. You only get a refresh token once per authorization flow, from getAccessTokenFromCode.&lt;/P&gt;</description>
      <pubDate>Thu, 15 Apr 2021 15:00:58 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/OAuth2-w-refresh-tokens-for-hybrid-apps/m-p/513709#M1821</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2021-04-15T15:00:58Z</dc:date>
    </item>
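An added example (not the SDK's implementation, which the reply above says handles refresh for you, and not code posted in the thread) of the handler the earlier post describes, with the two facts confirmed here built in: the refresh token is persisted once and never replaced, and only the access token changes. Since there is no way to make Dropbox expire a token early, the expiry paths are exercised with an injected clock and a fake token endpoint. The fake endpoint, the fake resource server, the 401 error shape and the Map-backed store are assumptions for the demo, and calls are synchronous so the scenario runs as a plain script; real ones are awaited network requests.

```javascript
// Added example, not the Dropbox SDK: refresh handling that can be tested
// without waiting four hours, via an injected clock and fake endpoints.
const ACCESS_TOKEN_TTL_MS = 4 * 60 * 60 * 1000; // Dropbox short-lived tokens last four hours
const REFRESH_SKEW_MS = 60 * 1000;              // refresh a minute early to absorb clock drift

// Stand-in for POST /oauth2/token with grant_type=refresh_token (assumed shape):
// each call issues a new access token and, as the reply above says, never a
// new refresh token, so the same refresh token keeps working.
function makeFakeTokenEndpoint(validRefreshToken) {
  let issued = 0;
  return function refresh(refreshToken) {
    if (refreshToken !== validRefreshToken) throw new Error('invalid_grant');
    issued += 1;
    return { access_token: 'at' + issued, expires_in: 14400 };
  };
}

// Error thrown by the fake resource server; the real API answers HTTP 401
// with the error tag "expired_access_token" for this case (shape assumed).
function apiError(status, tag) {
  const err = new Error(tag);
  err.status = status;
  err.tag = tag;
  return err;
}

function isExpiredToken(err) {
  return err.status === 401 ? err.tag === 'expired_access_token' : false;
}

class TokenClient {
  // deps: storage (get/set store; a Map here, localStorage has the same shape),
  // refresh (function returning { access_token, expires_in }), now (clock in ms)
  constructor(deps) {
    Object.assign(this, deps, { refreshCount: 0 });
  }

  // Called once with the authorization-code exchange result: the only time a
  // refresh token arrives, so it is persisted here and never overwritten later.
  seed(grant) {
    this.storage.set('refresh_token', grant.refresh_token);
    this.storage.set('access_token', grant.access_token);
    this.storage.set('expires_at', String(this.now() + grant.expires_in * 1000));
  }

  forceRefresh() {
    const res = this.refresh(this.storage.get('refresh_token'));
    this.refreshCount += 1;
    this.storage.set('access_token', res.access_token);
    this.storage.set('expires_at', String(this.now() + res.expires_in * 1000));
    return res.access_token;
  }

  // Proactive path: refresh before the call once the stored expiry is near.
  accessToken() {
    const expiresAt = Number(this.storage.get('expires_at'));
    if (this.now() + REFRESH_SKEW_MS >= expiresAt) return this.forceRefresh();
    return this.storage.get('access_token');
  }

  // Reactive path: retry once after 401 expired_access_token (stored expiry can
  // be stale). Any other 401, e.g. a revoked token, is rethrown: a refresh would
  // fail too and would only hide the real cause.
  call(request) {
    try {
      return request(this.accessToken());
    } catch (err) {
      if (isExpiredToken(err)) return request(this.forceRefresh());
      throw err;
    }
  }
}

// Constructed scenario exercising both paths without waiting four hours.
function scenario() {
  let clock = 1700000000000;
  const storage = new Map();
  const client = new TokenClient({
    storage: storage,
    refresh: makeFakeTokenEndpoint('rt_secret'),
    now: function () { return clock; },
  });
  client.seed({ access_token: 'at0', refresh_token: 'rt_secret', expires_in: 14400 });
  const seedExpiry = clock + ACCESS_TOKEN_TTL_MS;

  // Fake resource server: the seeded token stops working at its real expiry
  // regardless of what the client has stored.
  const seen = [];
  function server(token) {
    seen.push(token);
    if (token === 'at0' ? clock >= seedExpiry : false) throw apiError(401, 'expired_access_token');
    return 'ok:' + token;
  }

  const r1 = client.call(server);        // fresh token, no refresh
  clock += ACCESS_TOKEN_TTL_MS;          // four hours pass
  const r2 = client.call(server);        // proactive refresh, then the call
  storage.set('access_token', 'at0');    // stale local state: client still trusts at0
  storage.set('expires_at', String(clock + ACCESS_TOKEN_TTL_MS));
  const r3 = client.call(server);        // server says expired, refresh, retry
  return { results: [r1, r2, r3], seen: seen, refreshCount: client.refreshCount,
           refreshToken: storage.get('refresh_token') };
}
```

Two points for a hybrid app: the refresh token is a long-lived credential, so keep it in the platform's secure storage through a native plugin rather than the WebView's localStorage, where any injected script can read it; and, as the earlier post observed, authTokenRevoke() invalidates the refresh token as well, so a logout should call it and then delete both tokens from storage, after which the user goes through the code flow again.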
  </channel>
</rss>

