<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using refresh token without client secret in Dropbox API Support &amp; Feedback</title>
    <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584552#M27214</link>
    <description>&lt;P&gt;Thanks for the quick response. Unfortunately this leads to an `invalid_request` error (400):&lt;BR /&gt;```&lt;/P&gt;&lt;P&gt;The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters.&lt;/P&gt;&lt;P&gt;```&lt;/P&gt;</description>
    <pubDate>Fri, 18 Mar 2022 16:42:31 GMT</pubDate>
    <dc:creator>johannesjo</dc:creator>
    <dc:date>2022-03-18T16:42:31Z</dc:date>
    <item>
      <title>Using refresh token without client secret</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584036#M27197</link>
      <description>&lt;P&gt;I am using the PKCE flow for my electron based desktop &amp;amp; web app&amp;nbsp;&lt;A href="https://github.com/johannesjo/super-productivity" target="_self"&gt;app&lt;/A&gt;&amp;nbsp;and am trying to migrate for the new short lived tokens everywhere flow. I am able to get a refresh token by providing&lt;/P&gt;
&lt;PRE&gt;&lt;SPAN&gt;token_access_type=offline&lt;/SPAN&gt;&lt;/PRE&gt;
&lt;P&gt;Now I am wondering how I can request a new accessToken without exposing my APP_SECRET (&lt;A href="https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token" target="_blank" rel="noopener"&gt;https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token&lt;/A&gt;).&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;Is there a way to do so?&lt;/P&gt;</description>
      <pubDate>Wed, 16 Mar 2022 20:07:10 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584036#M27197</guid>
      <dc:creator>johannesjo</dc:creator>
      <dc:date>2022-03-16T20:07:10Z</dc:date>
    </item>
    <item>
      <title>Re: Using refresh token without client secret</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584049#M27199</link>
      <description>&lt;P&gt;Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the &lt;A href="https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize" target="_self"&gt;/oauth2/authorize&lt;/A&gt; step and corresponding 'code_verifier' on the following &lt;A href="https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token" target="_self"&gt;/oauth2/token&lt;/A&gt; step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the &lt;A href="https://developers.dropbox.com/oauth-guide" target="_self"&gt;OAuth Guide&lt;/A&gt; and &lt;A href="https://www.dropbox.com/developers/documentation/http/documentation#authorization" target="_self"&gt;authorization documentation&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Specifically, the &lt;A href="https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token" target="_self"&gt;/oauth2/token&lt;/A&gt; request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;curl https://api.dropbox.com/oauth2/token \
    -d refresh_token=&amp;lt;REFRESH_TOKEN&amp;gt; \
    -d grant_type=refresh_token \
    -d client_id=&amp;lt;APP_KEY&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 16 Mar 2022 20:58:45 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584049#M27199</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2022-03-16T20:58:45Z</dc:date>
    </item>
    <item>
      <title>Re: Using refresh token without client secret</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584552#M27214</link>
      <description>&lt;P&gt;Thanks for the quick response. Unfortunately this leads to an `invalid_request` error (400):&lt;BR /&gt;```&lt;/P&gt;&lt;P&gt;The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters.&lt;/P&gt;&lt;P&gt;```&lt;/P&gt;</description>
      <pubDate>Fri, 18 Mar 2022 16:42:31 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584552#M27214</guid>
      <dc:creator>johannesjo</dc:creator>
      <dc:date>2022-03-18T16:42:31Z</dc:date>
    </item>
    <item>
      <title>Re: Using refresh token without client secret</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584554#M27215</link>
      <description>&lt;P&gt;Never mind! I had the wrong Content-Type header set. Seems to work fine now. Thank you very much!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Maybe this should be added to the documentation under the examples section?&lt;/P&gt;</description>
      <pubDate>Fri, 18 Mar 2022 16:45:18 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584554#M27215</guid>
      <dc:creator>johannesjo</dc:creator>
      <dc:date>2022-03-18T16:45:18Z</dc:date>
    </item>
    <item>
      <title>Re: Using refresh token without client secret</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584572#M27218</link>
      <description>&lt;P&gt;Thanks for following up. I'm glad to hear you got this working. &lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yes, I've asked the team to add that example to the documentation.&lt;/P&gt;</description>
      <pubDate>Fri, 18 Mar 2022 17:33:58 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Using-refresh-token-without-client-secret/m-p/584572#M27218</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2022-03-18T17:33:58Z</dc:date>
    </item>
  </channel>
</rss>

