How to get refresh token without User interaction

makrand kulkarni
Explorer | Level 4

Hello Team,

As the Dropbox access token is invalid after 4 hr, I want to implement a refresh token mechanism in backend Java code without user interaction, i.e. fully automated. So I have a requirement to get a refresh token without user interaction, based on two parameters on the UI:

1. App Key

2. Access Token Generated

Please share any link or documentation for the same. Is there any Java code written?

17 Replies

Greg-DB
Dropbox Staff

@makrand kulkarni Здравко is correct. Please refer to the documentation they linked to for information on how this is passed on the redirect, and the example they linked to for a sample of how to handle this with the Java SDK.

makrand kulkarni
Explorer | Level 4

@Greg-DB

Can you share more examples in Spring Boot for the implementation of the refresh token? The previous example shared by @Здравко was partially helpful.

I am also trying to figure out: "Can 1 Dropbox application be used across an org?"

Greg-DB
Dropbox Staff

@makrand kulkarni Dropbox doesn't offer a Spring Boot sample in particular, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though.

makrand kulkarni
Explorer | Level 4

@Greg-DB

I am following the Dropbox documentation:

https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

I am not able to get the "Code" embedded in the Redirect URI. The sample request is:

GET Method

https://www.dropbox.com/oauth2/authorize?client_id=xxxxxx&token_access_type=offline&response_type=co...

In response I am getting HTML code / a website in Postman.

As per the documentation, it should provide me a query response with the code.

[Screenshot: makrandkulkarni_0-1655966136680.png]

Any help will be appreciated.

Thanks

Здравко
Legendary | Level 20

Hi @makrand kulkarni,

As can be seen in the documentation (and in your screenshot): "Because /oauth2/authorize is a web site, there is no direct return value". What is a web site? 🧐 Ooo... it's HTML. 😉 Read more carefully.

Greg-DB
Dropbox Staff

@makrand kulkarni As Здравко indicated, /oauth2/authorize is a web page, not an API call, so you should not be accessing it programmatically. You should send the user there in their own system web browser to interactively click the button to authorize your app to access their account. If you specify a redirect URI, the user will be redirected to it upon authorizing the app and the app can parse that resulting redirected URI to retrieve the authorization code.

tkozuch
New member | Level 2

Hi Greg.

This is still somewhat confusing for me.

I was following this example: 
https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-scopes.py#L8...
and this guide:
https://developers.dropbox.com/oauth-guide

From your comment:


@Greg-DB wrote:

If your app needs to maintain long-term access without the user manually re-authorizing it repeatedly, the app should request "offline" access so that it gets a refresh token. The refresh token doesn't expire and can be stored and used repeatedly to get new short-lived access tokens whenever needed, without the user manually reauthorizing the app.

and from the Dropbox OAuth Guide:



When using refresh tokens, your call to the /oauth2/token endpoint with the grant_type of authorization_code will return a short-lived access token and a refresh token, which should be securely stored.

So why does this endpoint return a new refresh token?

But as I understand it, your comment is more correct: the Refresh Token is permanent, and if I perform a "manual flow" like here:

https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-scopes.py#L1...

and save the refresh token, I should be able to use it forever?

Let's say I perform the above manual and initial OAuth flow (DropboxOAuth2FlowNoRedirect in the Python SDK), and save the refresh token and access token somewhere.

Then, let's say I have a task, a script that re-runs periodically and needs to call the Dropbox API without user interaction. I make it read the previously saved Access and Request tokens, and make a call like this:

https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-scopes.py#L7...

?

Does this mean that after the above Dropbox client operation, I don't get a new Access Token, but the one which I saved just becomes valid again?

Do both the AccessToken and Refresh Token stay valid and the same all the time?

Can the AccessToken even be expired for a long time, and you only need the Refresh Token to make a new Dropbox API connection at any time?

Здравко
Legendary | Level 20

Hi @tkozuch,

It seems you haven't read the entire documentation. The /oauth2/token endpoint can be used for different things: on one side, initial token receipt from an access code (note: code here, not token), where you get a refresh token and an access token; and on the other, subsequent usage to get an access token from the refresh token (something that can be used repeatedly; the first case cannot, since the code is for single-time usage). For some more in-depth details take a look here. That's for clarity only; when using the SDK you don't need to call endpoints directly. So:


@tkozuch wrote:

...
so why does this endpoint return a new refresh token?
...


When you start the OAuth flow from "zero" (i.e. a new code) you get a new refresh token. You don't need to repeat it! You only need to do it once at linking time and after that proceed without further user interaction; then only a new access token comes back. Actually the SDK takes care of this, so you can ignore this part completely in your code.

 


@tkozuch wrote:

...
and save the refresh token, I should be able to use it forever?
...


Yes, or until it is revoked, either from your application or from the user side.

 


@tkozuch wrote:

...
both the AccessToken and Refresh Token stay valid and the same all the time?
...


The refresh token stays valid indefinitely, while the access token expires at the time noted on receipt (typically 4 hours or so).

 


@tkozuch wrote:

...
AccessToken can even become expired for a long time, and you only need Refresh Token to make a new Dropbox API connection at any time?


Almost... Once the existing access token expires, you need a new access token for regular API work; that's what the refresh process is for. As I mentioned, the SDK takes care of this internally. To "refresh" the token you need the application key at least, and in some cases the application secret (when a non-PKCE OAuth flow is used).

Hope this sheds additional light.
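
The refresh step discussed in this thread, as an added example that is not part of any post above and is not Dropbox's or the SDK's own code: a standard-library sketch of what happens after the one-time interactive linking, where a stored refresh token is exchanged at /oauth2/token for a new short-lived access token only when the cached one is about to expire. The names `build_refresh_request`, `post_form` and `AccessTokenCache` are hypothetical; the host `api.dropboxapi.com` and the `expires_in` response field are taken from Dropbox's HTTP documentation rather than from this page.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"


def build_refresh_request(refresh_token, app_key, app_secret=None):
    """Form fields for the refresh grant (hypothetical helper name)."""
    fields = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": app_key,
    }
    if app_secret is not None:  # only for apps linked with a non-PKCE flow
        fields["client_secret"] = app_secret
    return fields


def post_form(url, fields):
    """Default transport: one form-encoded POST, parsed JSON body back."""
    data = urllib.parse.urlencode(fields).encode()
    request = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


class AccessTokenCache:
    """Keeps the long-lived refresh token and hands out short-lived access tokens."""

    def __init__(self, refresh_token, app_key, app_secret=None,
                 transport=post_form, clock=time.time, skew=300):
        # Load refresh_token and app_secret from a secret store, not from source code.
        self._request = build_refresh_request(refresh_token, app_key, app_secret)
        self._transport, self._clock, self._skew = transport, clock, skew
        self._access_token, self._expires_at = None, 0.0

    def get(self):
        # Refresh only when no token is cached or it is within `skew` seconds of expiry.
        if self._access_token is None or self._clock() >= self._expires_at - self._skew:
            body = self._transport(TOKEN_URL, self._request)
            self._access_token = body["access_token"]  # new access token; refresh token unchanged
            self._expires_at = self._clock() + int(body["expires_in"])
        return self._access_token
```

Send the value returned by `get()` as the Bearer token on each API call; no browser step is involved once the refresh token has been stored.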
