Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

What if I want the User to login each time

sanjayssk
Helpful | Level 6

I don't want to keep my own user membership db and login logic for my web app. My web app is going to be only for Dropbox and I want to rely on Dropbox Login only. Otherwise, saving the access token means, I have to associate it with the Email of the user. That means, I have to have my own login system asking Email of the user first before using the access token for Dropbox. I want to avoid all that login system.

 

That means, the web app will work the following way:

1) There is no membership db or cookie so it remembers nothing about a user.

2) Every time, the user wants to access it, he clicks on a "Login to Dropbox" button.

3) Since Dropbox handles auto-login, the "Allow" screen comes up from Dropbox. Clicking on Allow starts the web app with its own folder.

 

That means, the app goes through the OAuth2 initial logic (2 steps) to get an authorization code and then get an access token each time.

 

Questions:

1) Is this 2-click usage acceptable behavior for a web app as per your policy? 

2) If not, is there any scheme by which I can eliminate just Step 3? Then the user just clicks the Login button and the web app starts. 

 

Thanks.

 

 

 


sanjayssk
Helpful | Level 6
Just to clarify, I will be saving the access token in the Session only but not in any db.

Greg-DB
Dropbox Staff

1) Unfortunately we can't provide any absolute guarantee of your app's compliance based on a description, so you should be sure to review all the guidelines and terms before developing an app:

 

https://www.dropbox.com/developers/reference/tos
https://www.dropbox.com/developers/reference/devguide
https://www.dropbox.com/developers/reference/branding

 

2) To avoid having the user go through the Dropbox app authorization flow each time, you would need to store the access token in their session/cookies and re-use it when they return.

sanjayssk
Helpful | Level 6

>>To avoid having the user go through the Dropbox app authorization flow each time, you would need to store the access token in their session/cookies and re-use it when they return.<<

 

I have no problem in saving the access token in the DB against the Email. But next time when the user comes to use the App, I want Dropbox to authenticate the user, just for Login, before I use the saved access token. In other words, the user should then login to Dropbox but should not be presented with Allow dialog and should not generate another access token. Is that possible? I want to use the saved access token for a user next time only if he is authenticated by Dropbox.

 

Thanks,

Sanjay

sanjayssk
Helpful | Level 6
Apparently, many may want this feature. For example, here is a thread on SO that has exactly a similar question with no solution so far.
https://stackoverflow.com/questions/12275100/is-there-a-way-to-use-dropbox-for-authentication-withou...

Greg-DB
Dropbox Staff

This is sort of already possible. If you send the user through the app authorization flow again, they may (e.g., as long as your app's redirect URI uses https://) be automatically redirected, without having to click "Allow", if they've already authorized the app. You can find a note about this under "force_reapprove" in the documentation:

 

https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

 

Note that this still will return a new access token to your app though.
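A sketch of the re-authorization-as-login flow described in this reply, added here as an example (not code from the thread or from Dropbox). It assumes a server-side `session` dict, hypothetical function names, a placeholder app key, and it chooses to reject non-https redirect URIs and to bind each round trip to a one-time `state` value.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"


def build_authorize_url(session, client_id, redirect_uri):
    """Build the URL behind the "Login to Dropbox" button."""
    # The automatic redirect discussed above depends on an https redirect URI,
    # so this example refuses anything else.
    if urlsplit(redirect_uri).scheme != "https":
        raise ValueError("redirect URI must use https://")
    # One-time anti-CSRF value, kept only in the server-side session.
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        # Do not force the "Allow" screen for users who already approved.
        "force_reapprove": "false",
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Validate the redirect back from Dropbox and return the code."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(
            expected.encode(), received.encode()):
        raise PermissionError("state mismatch: not the login we started")
    if "error" in params:
        raise PermissionError(params["error"][0])
    if "code" not in params:
        raise ValueError("callback carried no authorization code")
    return params["code"][0]


def store_token(session, access_token):
    """Keep the new token in the session only, as the poster describes."""
    session["dropbox_access_token"] = access_token
```

Every pass through this flow yields a new access token, so the value written by `store_token` simply replaces the one from the previous visit.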

sanjayssk
Helpful | Level 6

That's exactly what I want. That means, I can just save a flag in the cookie that says it was approved once. And use it to switch on that option. Switch it off only if the user wants to switch the Dropbox accounts by some other action.

 

>>Note that this still will return a new access token to your app though.

 

That's OK. Will it create a problem for Dropbox system itself to have too many access tokens generated? Or does it automatically recycle by invalidating the old one?

 

Thanks,

Sanjay

Greg-DB
Dropbox Staff
There isn't a limit to the number of access tokens that can be created for an app-user pair, and I'm not aware of any issues arising from creating many. Dropbox won't automatically recycle/invalidate them.

sanjayssk
Helpful | Level 6

Finally, I was able to test it with https and it works perfectly. In fact, if I follow this approach, it works automatically, asking for login only once and then navigating automatically. This is great.

 

Thanks,

Sanjay
