Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

Dropbox for Business API Access token login process.

Simone11
Explorer | Level 4

Hi There.

I have an iOS application written in Objective-C. I have successfully integrated the Dropbox API in my app and I can upload and download data from Dropbox, even using the Access Token for it.

Short code sample to download data as per the document, as follows:

[[client.filesRoutes listFolder:dbPathToIpad]
    setResponseBlock:^(DBFILESListFolderResult *response, DBFILESListFolderError *routeError, DBRequestError *networkError) {
        NSLog(@"response__:%@", response);
        if (response) {
            // ......
        }
    }];

Now, I have shifted my account to Dropbox for Business and have a few team members in my team. Can I get the process to access folders in each team member's account using the Access Token of the Dropbox for Business API? I am the admin of the account and I have generated an Access Token for Dropbox for Business and given permission to access team files.

The idea here is to bypass Auth login using the Access Token generated. And the app is distributed to my team members. They should somehow access their own account using this Access Token I generated and the specific folder structure in their account. Please let me know how this is possible, since this is a requirement from my client.

There is nothing much given to access files using Dropbox for Business API in this link: https://github.com/dropbox/dropbox-sdk-obj-c

Also, if I use this Business Access Token I have created in my current code, I get an error response from Dropbox as:

DropboxBadInputError[{
    ErrorContent = "Error in call to API function \"files/list_folder\": This API function operates on a single Dropbox account, but the OAuth 2 access token you provided is for an entire Dropbox Business team.  Since your API app key has team member file access permissions, you can operate on a team member's Dropbox by providing the \"Dropbox-API-Select-User\" HTTP header or \"select_user\" URL parameter to specify the exact user <https://www.dropbox.com/developers/documentation/http/teams>.";
    RequestId = 2cad3ee7906d1fed388f2146c456116d;
    StatusCode = 400;
    UserMessage = nil;
}];

Please provide me with link or any reference on how to handle this.

Accepted Solutions

Greg-DB
Dropbox Staff

If you have a Dropbox Business API access token for an app with the "team member file access" permission and want to programmatically access a specific member's account using the Dropbox Objective-C SDK, you should use the DBTeamClient userClientWithMemberId: method. That will give you a DBUserClient you can use to access the user methods, such as listFolder. (It sets the "Dropbox-API-Select-User" header mentioned in the error message you shared.)

That would look like this:

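DBTeamClient *teamClient = [[DBTeamClient alloc] initWithAccessToken:ACCESS_TOKEN];
DBUserClient *userClient = [teamClient userClientWithMemberId:memberID];

[[userClient.filesRoutes listFolder:path]
    setResponseBlock:^(DBFILESListFolderResult *response, DBFILESListFolderError *routeError, DBRequestError *networkError) {
        // Handle the result exactly as with a single-account DBUserClient.
    }];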

The member ID would be the team member ID (which starts with "dbmid:"). You can get those from membersList/membersListContinue, for instance.

Also, note that client-side applications, such as on iOS, can't keep secrets, such as access tokens, from a malicious user. For that reason, we don't recommend sharing/hard-coding access tokens in client-side applications. For example, in your described scenario, one team member could potentially extract the access token and use it to access another member's account.

12 Replies

Sim_one
Explorer | Level 4

Thanks @Greg-DB for your inputs.

I am not clear on getting the memberID, though (how to get the member ID, to be precise?).

Also, one particular memberID gives access to the account of that team member, correct?

But my requirement is that we distribute our iOS app as enterprise within the team of our organisation. Those people are the Dropbox Team members. So, once we give them the app, they should be able to log in to their account without Auth using this Dropbox for Business Access Token. In that case they should know their memberIDs to access it, right? Is there any other way members can get their memberID, other than how you specified above, so that they can manually enter the memberID to access their account using the access token? Because I believe it is not feasible to give users an option in the app to select the memberID.

I hope you understand my case.

Any suggestions on how to go ahead in this scenario?

Greg-DB
Dropbox Staff

You can list all of the members of a team using membersList/membersListContinue. The result will contain each member's team member ID. You can also look up a specific member by email address or external ID using membersGetInfo.

A team member ID itself only identifies a particular member's account on a team. It doesn't itself give access to that member's account. You would need an access token to access an account. An access token for a "Dropbox Business API" app, such as you are using based on the output you shared previously, is for the entire Business team. 

Using a Dropbox Business API access token for an app with the "team member file access" permission, you can specify the particular team member account you want to access in particular by specifying the team member ID as in the code in my previous comment. (This is the "member file access" feature documented here.)

End-users generally don't know, and don't have a way in the Dropbox UI, to access their own team member ID. This is something the Business API app should do for them (for instance, using the methods I described at the beginning of this message). 

Anyway, since a Dropbox Business API access token enables access to the entire team, we don't recommend distributing it to every team member in client-side applications. It is generally meant to be used server-side, where it can be protected.

Simone11
Explorer | Level 4

Hi @Greg-DB,

So that means using the Access Token for the business admin's account and the memberID, I should be able to access that member's folders/directory structure similar to how I do using a normal personal access token with the same methods (listfolders), correct? Also, I should be able to download and update data/files in the folders I specify in the member's account, right?

Also, one out-of-context question: is there a way a Team Admin can hide team members, so that other team members cannot see who is in their team? I just don't want other team members to see who is in their team when they log in to their DB account on the web.

Greg-DB
Dropbox Staff

Yes, whether you get a DBUserClient directly from an access token for a specific account, or from an access token for a Business team and then select the team member account as discussed above, the methods for interacting with an account (e.g., to list folders, etc.) are the same.

You can hide certain team members from the directory as covered in the help center here. Note that this won't remove those team members from the member list returned by the API itself, but you can have your app omit those members when using the API result based on TeamMemberProfile.isDirectoryRestricted.

Simone11
Explorer | Level 4

Hi @Greg-DB,

Many thanks for helping me understand the process. I have implemented your suggestions and it works as expected.

Regarding hiding team members: yes, I followed the steps and the team members are hidden from the other team members.

The only issue is that when a team member clicks on a file, they can see a list of the first 3-4 team members with profile picture and user name, as shown in the screenshot below (top right corner). Is there any way to hide this also?

[Screenshot 2019-05-07 at 11.50.18 AM.png]

Greg-DB
Dropbox Staff

I can only really help with the Dropbox API itself, so for Business/web site questions like this, please contact Business support.

zainulabideen
Explorer | Level 4

I have a similar question, but my use case is a bit different. Let me explain what I am trying to do.

Once the admin has authorized the application and generated the access token, I want my users/members to log in to their account in my application so that they can only access their data. I am using the JavaScript SDK and I know there's a method `actAsUser(userId)` present in the SDK for this. What I am doing is: I ask the member for their email; once they enter their email, I look up the ID using the teamMembersGetInfo method with that email. I pass the ID to the 'actAsUser' method.

But there's an issue with this approach. An email ID is a public thing; any of the team members can put in another member's email and act as that member.

For example: my email is zain@xyz.com, so any team member can put my email there and act as zain@xyz.com.

So my question is: is there some way I can authenticate the users?


Greg-DB
Dropbox Staff

@zainulabideen No, authentication happens before the access token is retrieved, so if the client already has the access token, there isn't any further Dropbox account authentication. If you want to use the Dropbox Business API like this to connect to the entire team but let any arbitrary member use the integration, you'll need to enforce some additional layer of authentication in your own app's logic to enforce whatever access control you need. And, as above, you also shouldn't expose the access token to the client of any untrusted member.

Instead, if you want to authenticate each Dropbox user, you may prefer to use the Dropbox API (e.g., with the Full Dropbox or App Folder permission), where each user authenticates and authorizes the app to access their own account only.
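
The server-side arrangement recommended in the replies above, as an added example that is not part of the original thread and not Dropbox's own code: a broker keeps the team token, takes the member from the app's own authenticated session, and sets the "Dropbox-API-Select-User" header itself. The session store, member directory, function names and the `api.dropboxapi.com/2` base URL are assumptions of this sketch; the sample data is constructed.

```javascript
// Added example. Team token stays server-side; the member is taken from the
// app's own authenticated session, never from client input.
const DROPBOX_API = 'https://api.dropboxapi.com/2';

// Constructed sample data (assumption): email -> team member ID, as the
// server would cache it from the team member listing.
const MEMBER_DIRECTORY = new Map([
  ['alice@example.com', 'dbmid:EXAMPLE-ALICE'],
  ['bob@example.com', 'dbmid:EXAMPLE-BOB'],
]);
// Constructed sessions (assumption): created by the app's own login step.
const SESSIONS = new Map([
  ['sess-alice-constructed', { email: 'alice@example.com', expires: 2000000000000 }],
]);

// Map a session ID to a member ID; null if the session is unknown or expired.
function resolveMember(sessionId, now = Date.now()) {
  const session = SESSIONS.get(sessionId);
  if (!session || session.expires <= now) return null;
  return MEMBER_DIRECTORY.get(session.email) || null;
}

// Build the list-folder call for the session owner. clientBody is untrusted:
// only `path` is read, so an `email` or `member_id` field has no effect.
function buildListFolderRequest(teamToken, sessionId, clientBody, now = Date.now()) {
  const memberId = resolveMember(sessionId, now);
  if (!memberId) return { status: 401, error: 'not authenticated' };
  const path = clientBody && typeof clientBody.path === 'string' ? clientBody.path : '';
  // Simplification: accept only the root ("") or a plain absolute path.
  if (path !== '' && !path.startsWith('/')) return { status: 400, error: 'bad path' };
  return {
    status: 200,
    request: {
      url: `${DROPBOX_API}/files/list_folder`,
      method: 'POST',
      headers: {
        Authorization: `Bearer ${teamToken}`,
        'Dropbox-API-Select-User': memberId,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ path }),
    },
  };
}
```

The broker sends `request` to Dropbox itself and returns only the folder listing to the device, so the team token never reaches the distributed app.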
