<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: codeVerifier not initialized in dbx.auth.getAccessTokenFromCode in Dropbox API Support &amp; Feedback</title>
    <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754609#M33038</link>
    <description>&lt;P&gt;Thank you! This indeed fixed my problem! &lt;img class="lia-deferred-image lia-image-emoji" src="https://www.dropboxforum.com/html/@FBF7D2AB59A0D6E861EBF6A36F93B7E2/emoticons/1f642.png" alt=":slightly_smiling_face:" title=":slightly_smiling_face:" /&gt;&lt;/P&gt;</description>
    <pubDate>Sun, 03 Mar 2024 11:05:09 GMT</pubDate>
    <dc:creator>SosiOne</dc:creator>
    <dc:date>2024-03-03T11:05:09Z</dc:date>
    <item>
      <title>codeVerifier not initialized in dbx.auth.getAccessTokenFromCode</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754011#M33021</link>
      <description>&lt;P&gt;Hi!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am setting up Dropbox OAuth in an Electron app, and I got the part with generating a redirect URL, opening it in a browser window and letting the user log in working. I can then successfully listen for the redirect, but when attempting to get the access token:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;const dbx = new Dropbox({ clientId: CLIENT_ID, fetch: fetch });&lt;BR /&gt;const tokenResult = await dbx.auth.getAccessTokenFromCode(REDIRECT_URI, code);&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I get the following error:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Error: You must use PKCE when generating the authorization URL to not include a client secret&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now, I use the option usePKCE in getAuthenticationUrl, so that should not be an issue. But if I look at where the error comes from, there is a check:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;if (!this.codeVerifier) {&lt;BR /&gt;throw new Error('You must use PKCE when generating the authorization URL to not include a client secret');&lt;BR /&gt;}&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;so I suppose that something is not set up correctly here.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can you give some advice? Thanks!&lt;/P&gt;</description>
      <pubDate>Wed, 28 Feb 2024 21:44:21 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754011#M33021</guid>
      <dc:creator>SosiOne</dc:creator>
      <dc:date>2024-02-28T21:44:21Z</dc:date>
    </item>
    <item>
      <title>Re: codeVerifier not initialized in dbx.auth.getAccessTokenFromCode</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754036#M33022</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://www.dropboxforum.com/t5/user/viewprofilepage/user-id/1809017"&gt;@SosiOne&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;... But if I look at where the error comes from, there is a check:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;if (!this.codeVerifier) {&lt;BR /&gt;throw new Error('You must use PKCE when generating the authorization URL to not include a client secret');&lt;BR /&gt;}&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;so I suppose that something is not set up correctly here.&lt;/P&gt;&lt;P&gt;...&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Hi &lt;a href="https://www.dropboxforum.com/t5/user/viewprofilepage/user-id/1809017"&gt;@SosiOne&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Yes, exactly - there is something wrong. &lt;img class="lia-deferred-image lia-image-emoji" src="https://www.dropboxforum.com/html/@FBF7D2AB59A0D6E861EBF6A36F93B7E2/emoticons/1f642.png" alt=":slightly_smiling_face:" title=":slightly_smiling_face:" /&gt; You are probably unaware of how PKCE works. The key moment is to avoid a "man in the middle" during authorization. That's why a pair of values is generated - a code challenge and a code verifier. They are passed during the first and second steps of the process. Only you (your application, actually) are aware of the values. In this way the "man in the middle" (a potential attacker) cannot steal the authorization (a possibly stolen code is unusable, as in your case). The state should be kept during the process, so the values don't get lost, but you're using a new object in the second step - for sure your codeVerifier is lost now (it's clear). Probably you don't understand that you have tried to impersonate an attacker unintentionally (even the impersonation is incomplete and that's why the consistency check catches it). Even if you pass that check the server will stop you - the value wouldn't match.&lt;/P&gt;&lt;P&gt;Restructure your code so the client object stays from the start to the end of the OAuth flow, and use the same object in both steps. &lt;img class="lia-deferred-image lia-image-emoji" src="https://www.dropboxforum.com/html/@41457EF40051AFF130FDBFE21B496926/emoticons/1f609.png" alt=":winking_face:" title=":winking_face:" /&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;</description>
      <pubDate>Thu, 29 Feb 2024 00:26:42 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754036#M33022</guid>
      <dc:creator>Здравко</dc:creator>
      <dc:date>2024-02-29T00:26:42Z</dc:date>
    </item>
    <item>
      <title>Re: codeVerifier not initialized in dbx.auth.getAccessTokenFromCode</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754145#M33026</link>
      <description>&lt;P&gt;&lt;a href="https://www.dropboxforum.com/t5/user/viewprofilepage/user-id/1809017"&gt;@SosiOne&lt;/a&gt;&amp;nbsp;Здравко is correct; that codeVerifier state needs to be persisted through the flow. You can find examples here:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://github.com/dropbox/dropbox-sdk-js/blob/main/examples/javascript/PKCE-backend/code_flow_example.js" target="_blank"&gt;https://github.com/dropbox/dropbox-sdk-js/blob/main/examples/javascript/PKCE-backend/code_flow_example.js&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://github.com/dropbox/dropbox-sdk-js/blob/main/examples/javascript/pkce-browser/index.html" target="_blank"&gt;https://github.com/dropbox/dropbox-sdk-js/blob/main/examples/javascript/pkce-browser/index.html&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Thu, 29 Feb 2024 13:43:17 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754145#M33026</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2024-02-29T13:43:17Z</dc:date>
    </item>
    <item>
      <title>Re: codeVerifier not initialized in dbx.auth.getAccessTokenFromCode</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754609#M33038</link>
      <description>&lt;P&gt;Thank you! This indeed fixed my problem! &lt;img class="lia-deferred-image lia-image-emoji" src="https://www.dropboxforum.com/html/@FBF7D2AB59A0D6E861EBF6A36F93B7E2/emoticons/1f642.png" alt=":slightly_smiling_face:" title=":slightly_smiling_face:" /&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 03 Mar 2024 11:05:09 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754609#M33038</guid>
      <dc:creator>SosiOne</dc:creator>
      <dc:date>2024-03-03T11:05:09Z</dc:date>
    </item>
    <item>
      <title>Re: codeVerifier not initialized in dbx.auth.getAccessTokenFromCode</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754610#M33039</link>
      <description>&lt;P&gt;Thanks for the examples!&lt;/P&gt;</description>
      <pubDate>Sun, 03 Mar 2024 11:06:03 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/codeVerifier-not-initialized-in-dbx-auth-getAccessTokenFromCode/m-p/754610#M33039</guid>
      <dc:creator>SosiOne</dc:creator>
      <dc:date>2024-03-03T11:06:03Z</dc:date>
    </item>
  </channel>
</rss>

