PKCE vs Tokenbearer in LUA

Loky31
Explorer | Level 3

Hello all,

I'm currently willing to use Dropbox for uploading and downloading from an Android app, in the Lua language.

 

I gave a try using the token generated on the app page in dropbox console interface and it works quite well.

Then come the troubles 🙂

From what I read, I should implement PKCE to get a token for the different terminals that use the app. That will avoid having the token in "clear" in the binaries. Right?

 

From that I have two questions:

Is that a good practice or something that absolutely has to be done?

The second one is: has someone already performed that in the Lua language?

I don't know how to do it :s

4 Replies

Greg-DB
Dropbox Staff

Dropbox doesn't have any official resources for Lua in particular, but perhaps someone else on the forum has something they can share.

 

As for the functionality itself, note that every Dropbox user API access token identifies one specific app-account pair, and allows access to that account to the extent allowed by the app's permissions as authorized by the user. So, the access token you generated on the App Console is for that app and your account in particular. In order to allow arbitrary end-users to connect the app to their own accounts, you should implement the OAuth flow in your app. That way, the app gets an access token for each end-user. You can find more information in the OAuth Guide and authorization documentation. For client-side apps, the PKCE OAuth flow in particular is the best option.

 

You should not embed and distribute your own access token (or refresh token) in a client-side app, as that would enable anyone with the app to get the access token and use it to access your own account. Even if you attempt to obfuscate the token(s) in the app's binary, client-side apps can't keep secrets secure, so you could only make it more difficult but not impossible for someone to extract the token(s).
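The PKCE flow Greg-DB points to, as an added example that is not part of the original thread and not Dropbox's own SDK code. It is written in Python rather than Lua so that it runs with only the standard library, but each step (random verifier, S256 challenge, authorize URL, token-request body, and the check the authorization server performs) maps one-to-one onto what a Lua client would do with lua-http or luasocket. The endpoint URLs and parameter names follow Dropbox's public OAuth documentation, not this page; the app key, authorization code and redirect URI are constructed placeholders.

```python
"""PKCE (RFC 7636) helpers for a public/client-side app using Dropbox OAuth 2.

Added example. Nothing here touches the network: it builds the requests the
client would send and shows the server-side check that makes PKCE work.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Dropbox OAuth 2 endpoints (from Dropbox's OAuth guide, not from this thread).
AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"
TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier: 32 bytes -> 43 chars (RFC minimum), 96 -> 128 (maximum).

    Uses the OS CSPRNG via secrets, never a math.random-style generator.
    """
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be between 32 and 96")
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: base64url(SHA-256(verifier)).

    Only this value leaves the app before the token step; the verifier stays on the device.
    """
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id, code_challenge, redirect_uri=None, state=None) -> str:
    """Step 1: URL the app opens in the system browser. No app secret is involved."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "token_access_type": "offline",  # also request a refresh token
    }
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    if state:
        params["state"] = state  # binds the callback to this flow instance
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_authorize_url(url: str) -> dict:
    """Query parameters of an authorize URL as a flat dict (for inspection and testing)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_token_request(client_id, code, code_verifier, redirect_uri=None):
    """Step 2: form body for POST TOKEN_URL. The verifier, not a client secret, proves possession."""
    body = {
        "code": code,
        "grant_type": "authorization_code",
        "code_verifier": code_verifier,
        "client_id": client_id,
    }
    if redirect_uri:
        body["redirect_uri"] = redirect_uri
    return TOKEN_URL, body


def server_side_check(code_verifier: str, stored_challenge: str) -> bool:
    """What the authorization server does at the token endpoint: recompute S256 over the
    presented verifier and compare it (constant-time) with the challenge stored alongside
    the authorization code. An intercepted code is useless without the verifier."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(code_verifier), stored_challenge)


if __name__ == "__main__":
    # Constructed placeholders: not a real app key, code or redirect URI.
    client_id = "APP_KEY_PLACEHOLDER"
    redirect = "http://localhost:8080/cb"
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = b64url_nopad(secrets.token_bytes(16))
    print("open in browser:", build_authorize_url(client_id, challenge, redirect, state))
    url, body = build_token_request(client_id, "CODE_FROM_CALLBACK_PLACEHOLDER", verifier, redirect)
    print("POST", url, body)
    print("server accepts verifier:", server_side_check(verifier, challenge))
```

The point of the example is what is absent from the token request: there is no client secret and no pre-issued token in the binary, so extracting the app does not give anyone access to your account. Each user's resulting access and refresh tokens should go into the platform's app-private storage, not into the app package.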

Loky31
Explorer | Level 3

Thanks Greg-DB.

That clarifies the topic quite a lot 🙂

Still have to find someone who has done that in Lua, or a Lua library that helps with that. As of today I understand how it works but I'm not really able to implement it from scratch.

 

Anyway, thanks for the help 🙂

 

Здравко
Legendary | Level 20

@Loky31 wrote:

..., or a Lua library that helps with that. ...

Hi @Loky31,

Doesn't 'lua-http' work for you? It's an HTTP client and server together, so it has to be quite easy to implement the Dropbox connection and OAuth flow too. If it doesn't fit your needs, maybe the next step would be implementing it really from scratch using 'luasocket'.

Hope this gives some ideas.

Loky31
Explorer | Level 3

Many thanks, I will dig into it 🙂

 
