<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: OAuth2 empty scope does not behave correctly in Dropbox API Support &amp; Feedback</title>
    <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/493817#M24665</link>
    <description>&lt;P&gt;I don't have an update on this quite yet, but I'll follow up here once I do.&lt;/P&gt;</description>
    <pubDate>Thu, 04 Feb 2021 22:05:10 GMT</pubDate>
    <dc:creator>Greg-DB</dc:creator>
    <dc:date>2021-02-04T22:05:10Z</dc:date>
    <item>
      <title>OAuth2 empty scope does not behave correctly</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/491193#M24580</link>
      <description>&lt;P&gt;According to the&amp;nbsp;&lt;A href="https://www.dropbox.com/developers/documentation/http/documentation#authorization" target="_self"&gt;OAuth2 Authorization documentation&lt;/A&gt;&amp;nbsp;, the `scope` is a nullable String:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;scope&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;I&gt;String?&lt;/I&gt;&lt;SPAN&gt;&amp;nbsp;This parameter allows your user to authorize a subset of the scopes selected in the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.dropbox.com/developers/apps" target="_blank" rel="noopener"&gt;App Console&lt;/A&gt;&lt;SPAN&gt;. Multiple scopes are separated by a space. If this parameter is omitted, the authorization page will request all scopes selected on the Permissions tab. Read about scopes in the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.dropbox.com/lp/developers/oauth-guide" target="_blank" rel="noopener"&gt;OAuth Guide&lt;/A&gt;&lt;SPAN&gt;.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This matches &lt;A href="https://tools.ietf.org/html/rfc6749#section-3.3" target="_self"&gt;RFC6749 section 3.3&lt;/A&gt; which states:&lt;/P&gt;
&lt;PRE&gt;   If the client omits the scope parameter when requesting
   authorization, the authorization server MUST either process the
   request using a pre-defined default value or fail the request
   indicating an invalid scope.  The authorization server SHOULD
   document its scope requirements and default value (if defined).&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;However, the Dropbox API treats the nullable state incorrectly:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;If the scope is provided, but is &lt;EM&gt;empty&lt;/EM&gt;, then a 400 error message is displayed; but&lt;/LI&gt;
&lt;LI&gt;if the scope is missing entirely then the default value is provided.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;A href="https://tools.ietf.org/html/rfc6749#section-3.1" target="_self"&gt;Section 3.1&lt;/A&gt; of the RFC states:&lt;/P&gt;
&lt;PRE&gt;   Parameters sent without a value MUST be treated as if they were
   omitted from the request.  The authorization server MUST ignore
   unrecognized request parameters.  Request and response parameters
   MUST NOT be included more than once.&lt;/PRE&gt;
&lt;P&gt;It seems that the Dropbox authorization endpoint is mis-treating the value, causing the 400 error. Per the specification, a parameter with an empty value&amp;nbsp;&lt;STRONG&gt;MUST&lt;/STRONG&gt; be treated in the same way as an omitted parameter.&lt;/P&gt;</description>
      <pubDate>Thu, 28 Jan 2021 10:15:40 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/491193#M24580</guid>
      <dc:creator>andrewnicols</dc:creator>
      <dc:date>2021-01-28T10:15:40Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 empty scope does not behave correctly</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/491406#M24588</link>
      <description>&lt;P&gt;Thanks for the detailed writeup! That's very helpful. I'll ask the team to update the implementation to treat an empty scope parameter the same way as a missing scope parameter.&lt;/P&gt;</description>
      <pubDate>Thu, 28 Jan 2021 16:43:32 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/491406#M24588</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2021-01-28T16:43:32Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 empty scope does not behave correctly</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/491544#M24593</link>
      <description>&lt;P&gt;Thanks for the update&amp;nbsp;&lt;a href="https://www.dropboxforum.com/t5/user/viewprofilepage/user-id/10"&gt;@Greg-DB&lt;/a&gt;!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I look forward to the change. I'll mark this as accepted once there's a response as to if/when that will be implemented.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jan 2021 00:51:16 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/491544#M24593</guid>
      <dc:creator>andrewnicols</dc:creator>
      <dc:date>2021-01-29T00:51:16Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 empty scope does not behave correctly</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/493446#M24657</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://www.dropboxforum.com/t5/user/viewprofilepage/user-id/10"&gt;@Greg-DB&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I was just wondering whether there's any update from the relevant team on the state of this and an ETA for a fix?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Andrew&lt;/P&gt;</description>
      <pubDate>Thu, 04 Feb 2021 01:24:58 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/493446#M24657</guid>
      <dc:creator>andrewnicols</dc:creator>
      <dc:date>2021-02-04T01:24:58Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 empty scope does not behave correctly</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/493817#M24665</link>
      <description>&lt;P&gt;I don't have an update on this quite yet, but I'll follow up here once I do.&lt;/P&gt;</description>
      <pubDate>Thu, 04 Feb 2021 22:05:10 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/493817#M24665</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2021-02-04T22:05:10Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 empty scope does not behave correctly</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/500868#M24831</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://www.dropboxforum.com/t5/user/viewprofilepage/user-id/10"&gt;@Greg-DB&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm just wondering whether you have an update to this issue yet? It's been over a month now.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Andrew&lt;/P&gt;</description>
      <pubDate>Tue, 02 Mar 2021 01:30:18 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/500868#M24831</guid>
      <dc:creator>andrewnicols</dc:creator>
      <dc:date>2021-03-02T01:30:18Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 empty scope does not behave correctly</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/501051#M24835</link>
      <description>&lt;P&gt;&lt;a href="https://www.dropboxforum.com/t5/user/viewprofilepage/user-id/1403455"&gt;@andrewnicols&lt;/a&gt;&amp;nbsp;This is still open with the team, but I don't any news on this yet. I'll let you know when I do.&lt;/P&gt;</description>
      <pubDate>Tue, 02 Mar 2021 14:42:26 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/501051#M24835</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2021-03-02T14:42:26Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 empty scope does not behave correctly</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/505710#M25008</link>
      <description>&lt;P&gt;&lt;a href="https://www.dropboxforum.com/t5/user/viewprofilepage/user-id/1403455"&gt;@andrewnicols&lt;/a&gt;&amp;nbsp;The team has made this change and it is rolling out now.&amp;nbsp;Hope this helps!&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 17 Mar 2021 19:02:45 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/505710#M25008</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2021-03-17T19:02:45Z</dc:date>
    </item>
    <item>
      <title>Re: OAuth2 empty scope does not behave correctly</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/505817#M25013</link>
      <description>&lt;P&gt;Thanks Greg,&lt;/P&gt;&lt;P&gt;Much appreciated!&lt;/P&gt;</description>
      <pubDate>Thu, 18 Mar 2021 01:30:01 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/OAuth2-empty-scope-does-not-behave-correctly/m-p/505817#M25013</guid>
      <dc:creator>andrewnicols</dc:creator>
      <dc:date>2021-03-18T01:30:01Z</dc:date>
    </item>
  </channel>
</rss>

