<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Oauth2 code short lived- how to implement correctly from B2B? in Dropbox API Support &amp; Feedback</title>
    <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/492574#M24623</link>
    <description>That is what I did. However usually the refresh token is also short lived. You are saying I should persist the refresh token and use it even if my service restarts, to fetch a new auth token?</description>
    <pubDate>Mon, 01 Feb 2021 17:59:18 GMT</pubDate>
    <dc:creator>pwnell</dc:creator>
    <dc:date>2021-02-01T17:59:18Z</dc:date>
    <item>
      <title>Oauth2 code short lived- how to implement correctly from B2B?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/491994#M24603</link>
      <description>&lt;P&gt;I am rewriting the old authorization code of my Windows service that communicates with Dropbox on behalf of a single, fixed user account. I have hit a snag. Usually I use the client credentials grant type when implementing a B2B oauth2 based interface where there is no user interaction, no web server. It seems like I am stuck with authorization grant which causes issues.&lt;BR /&gt;&lt;BR /&gt;I have manually requested a code going to the &lt;A href="http://www.Dropbox.com/oauth2/authorize" target="_blank" rel="noopener"&gt;www.Dropbox.com/oauth2/authorize&lt;/A&gt; endpoint in a web browser, got the code and tried to use that as initial code when requesting an auth grant, followed by refresh tokens. The problem is that this code is short lived. So my service works for a couple of hours then fails when it fails to get a refresh token and tries to do another auth grant using that code.&lt;BR /&gt;&lt;BR /&gt;So how am I to implement an oauth2 flow in Dropbox with no redirect URL/web server/client interaction?&lt;/P&gt;</description>
      <pubDate>Tue, 02 Feb 2021 07:48:06 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/491994#M24603</guid>
      <dc:creator>pwnell</dc:creator>
      <dc:date>2021-02-02T07:48:06Z</dc:date>
    </item>
    <item>
      <title>Re: Oauth2 code short lived- how to implement correctly from B2B?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/492533#M24612</link>
      <description>&lt;P&gt;The updated Dropbox app authorization flow does now use short-lived access tokens and refresh tokens. In either implementation, the initial authorization does require some manual user interaction.&lt;/P&gt;
&lt;P&gt;With the new functionality, if you need long-term access (that is, longer than four hours) without further manual interaction after the initial authorization, you should request "offline" access. That way, during the initial authorization your app will receive both a short-lived access token as well as a refresh token.&lt;/P&gt;
&lt;P&gt;Then, when the current short-lived access token has expired, the app should use the refresh token to request a new short-lived access token, by calling /oauth2/token with 'grant_type=refresh_token'. This step can be done entirely programmatically, without additional manual user interaction.&lt;/P&gt;
&lt;P&gt;You can find more information in the following resources:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.dropbox.com/developers/documentation/http/documentation#authorization" target="_self"&gt;https://www.dropbox.com/developers/documentation/http/documentation#authorization&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.dropbox.com/lp/developers/reference/oauth-guide" target="_self"&gt;https://www.dropbox.com/lp/developers/reference/oauth-guide&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens" target="_self"&gt;https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 01 Feb 2021 16:50:01 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/492533#M24612</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2021-02-01T16:50:01Z</dc:date>
    </item>
    <item>
      <title>Re: Oauth2 code short lived- how to implement correctly from B2B?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/492574#M24623</link>
      <description>That is what I did. However usually the refresh token is also short lived. You are saying I should persist the refresh token and use it even if my service restarts, to fetch a new auth token?</description>
      <pubDate>Mon, 01 Feb 2021 17:59:18 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/492574#M24623</guid>
      <dc:creator>pwnell</dc:creator>
      <dc:date>2021-02-01T17:59:18Z</dc:date>
    </item>
    <item>
      <title>Re: Oauth2 code short lived- how to implement correctly from B2B?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/492579#M24624</link>
      <description>&lt;P&gt;Yes, you should store and re-use the refresh token repeatedly. (Dropbox refresh tokens are not short-lived; they do not expire by themselves, though they can be revoked on demand by the user or app.)&lt;/P&gt;</description>
      <pubDate>Mon, 01 Feb 2021 18:26:30 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/492579#M24624</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2021-02-01T18:26:30Z</dc:date>
    </item>
    <item>
      <title>Re: Oauth2 code short lived- how to implement correctly from B2B?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/496404#M24737</link>
      <description>&lt;P&gt;Seems like I spoke too soon. It worked for a week or two but now the refresh token expired and I had to do the manual get token, then get refresh token, add to my code, restart the service routing which is just not cool.&lt;/P&gt;&lt;P&gt;I got HTTP Status code Unauthorized back after the refresh token worked fine for a while.&lt;/P&gt;</description>
      <pubDate>Sun, 14 Feb 2021 18:12:08 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/496404#M24737</guid>
      <dc:creator>pwnell</dc:creator>
      <dc:date>2021-02-14T18:12:08Z</dc:date>
    </item>
    <item>
      <title>Re: Oauth2 code short lived- how to implement correctly from B2B?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/496585#M24741</link>
      <description>&lt;P&gt;Dropbox OAuth 2 refresh tokens don't expire by themselves, but there are a number of ways they can become invalid. For example:&lt;/P&gt;
&lt;UL class="listtype-bullet listindent1 list-bullet1"&gt;
&lt;LI&gt;the user or team admin can revoke all access/refresh tokens for an app by unlinking it on any of the following Dropbox web pages:&lt;/LI&gt;
&lt;UL class="listtype-bullet listindent2 list-bullet2"&gt;
&lt;LI&gt;&lt;A class="attrlink" href="https://www.dropbox.com/account/connected_apps" target="_blank" rel="noreferrer nofollow noopener" data-target-href="https://www.dropbox.com/account/connected_apps"&gt;the Connected apps page&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="attrlink" href="https://www.dropbox.com/security_checkup" target="_blank" rel="noreferrer nofollow noopener" data-target-href="https://www.dropbox.com/security_checkup"&gt;the Security checkup page&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="attrlink" href="https://www.dropbox.com/team/admin/settings/team_apps" target="_blank" rel="noreferrer nofollow noopener" data-target-href="https://www.dropbox.com/team/admin/settings/team_apps"&gt;the Team apps page&lt;/A&gt; on &lt;A class="attrlink" href="https://www.dropbox.com/team/admin/settings?role=work" target="_blank" rel="noreferrer nofollow noopener" data-target-href="https://www.dropbox.com/team/admin/settings?role=work"&gt;the Settings section of Business Admin console&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;the team member’s page on &lt;A class="attrlink" href="https://www.dropbox.com/team/admin/members?role=work" target="_blank" rel="noreferrer nofollow noopener" data-target-href="https://www.dropbox.com/team/admin/members?role=work"&gt;the Members section of the Business Admin console&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;LI&gt;any client with the access token can revoke the access token and corresponding refresh token by calling &lt;A class="attrlink" href="https://www.dropbox.com/developers/documentation/http/documentation#auth-token-revoke" target="_blank" rel="noreferrer nofollow noopener" data-target-href="https://www.dropbox.com/developers/documentation/http/documentation#auth-token-revoke"&gt;/2/auth/token/revoke&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="attrlink" href="https://help.github.com/en/github/administering-a-repository/about-token-scanning" target="_blank" rel="noreferrer nofollow noopener" data-target-href="https://help.github.com/en/github/administering-a-repository/about-token-scanning"&gt;the GitHub-Dropbox token scanning partnership&lt;/A&gt; can revoke access/refresh tokens found publicly posted on GitHub&lt;/LI&gt;
&lt;LI&gt;if the app uses the "app folder" permission, the access/refresh token can effectively be disabled by deleting the app folder itself in the Dropbox account, via the Dropbox website or any client&lt;/LI&gt;
&lt;LI&gt;the app can be disabled&lt;/LI&gt;
&lt;LI&gt;the account that owns the app can be disabled&lt;/LI&gt;
&lt;LI&gt;the connected account can be disabled&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;If something isn't working as expected though, please feel free to share the details (e.g., the steps and code to reproduce the issue, and the unexpected error/output) so we can look into it.&lt;/P&gt;</description>
      <pubDate>Mon, 15 Feb 2021 16:10:40 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Oauth2-code-short-lived-how-to-implement-correctly-from-B2B/m-p/496585#M24741</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2021-02-15T16:10:40Z</dc:date>
    </item>
  </channel>
</rss>

