Discuss Dropbox Developer & API
I am the developer of the Drupal module Backup & migrate Dropbox that extends the "Backup and migrate" module to store backups on Dropbox. So this module:
I am developing a new version that should use the newer oauth2 way of obtaining authorization. Given the above, it seems that the PKCE flow is the way to go, but is this possible? I arrive at getting a user copied and pasted (short lived) acces code, use that to get a 1st (short lived) bearer token and (presumably long lived) refresh token, but after the access code and bearer token have expired and I use the refresh token to get a new bearer token I get the error:
Request sent:
https://api.dropbox.com/oauth2/token
body = refresh_token=8p************************************************************eI
&grant_type=refresh_token
&code_verifier=wE***************************************pU
&client_id=2b***********6x
Response received (invalid json as all \ were removed to improve readability):
body: {"error_description": "unknown field "code_verifier"", "error": "invalid_request"}"
response code: 400
Is what I want possible? If so, how? Or what is the way to go?
Thanks for any help on this.
While the PKCE flow is generally meant for client-side apps (and server-side apps would generally use the code flow) given the constraints in this case, using the PKCE flow seems reasonable and should work.
The issue you're running in to here is that you're calling /oauth2/token to perform 'grant_type=refresh_token' but are supplying the 'code_verifier' parameter. The 'code_verifier' parameter should only be provided for the initial 'grant_type=authorization_code'.
That is, the flow should look like this:
Also, to confirm, yes, refresh tokens are long-lived. They don't expire by themselves, but can be revoked on demand.
Hope this helps!
While the PKCE flow is generally meant for client-side apps (and server-side apps would generally use the code flow) given the constraints in this case, using the PKCE flow seems reasonable and should work.
The issue you're running in to here is that you're calling /oauth2/token to perform 'grant_type=refresh_token' but are supplying the 'code_verifier' parameter. The 'code_verifier' parameter should only be provided for the initial 'grant_type=authorization_code'.
That is, the flow should look like this:
Also, to confirm, yes, refresh tokens are long-lived. They don't expire by themselves, but can be revoked on demand.
Hope this helps!
Yes, that works, thanks a lot. I thus indeed was close all that time. Could it be an idea to add a step 6 to the PKCE guide (https://dropbox.tech/developers/pkce--what-and-why-) or add a 4th example to https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token ?
I'm not having any joy at all getting authorisation to work. As far as I can tell, I'm following the docs to the letter (though some of them are extremely difficult to read or interpret) and this coincides perfectly with the steps outlined earlier in this thread.
I'm trying to use the PKCE flow for a Wordpress plugin built in PHP. The docs say this is the best method to use where the code will be viewable by the public so you don't want to have your app secret used.
I construct a url to take the user to oauth2/authorize to authorise the app. The url has the following added in correct url encoded format:
response_type=code
client_id=<MYAPPID>
code_challenge=<CHALLENGE>
code_challenge_method=S256
(with the appropriate values in place of the placeholders above).
The user then returns to my app and types in the <CODE> they're given, and I then save it.
I then immediately use that <CODE> to try to get a token using oauth2/token. I'm using CURL for this. The headers I set are:
Accept: application/json Content-Type: application/x-www-form-urlencoded
Then for the data (sent in urlencoded format) I have
code=<CODE>
grant_type=authorization_code
code_verifier=<CHALLENGE>
client_id=<MYAPPID>
What I get back from Dropbox, though, is an error:
{"error_description": "invalid code verifier", "error": "invalid_grant"}
I keep trying different combinations of things, including with the headers, for about five minutes until the <CODE> expires and the error message changes to that. Then I have to re-authorise the app and circle around again. The encrypted code verifier I'm sending in the token request is exactly the same encrypted code verifier I sent with the authorisation url. So why the error?
This is doing my head in. Can anyone please help?
Delahoc,
I suggest you have a look at my code that you can find at https://www.drupal.org/project/backup_migrate_dropbox/releases/7.x-3.0, that should help you to construct the correct flow and requests and process the answers.
Thanks for the reply. I'm pretty sure I have the flow and requests correct. I'd love to check out your code, but that link you've provided gives a 404 Page Not Found error.
Remove the comma at the end, the forum software added that to my plain text link.
Thanks. I've taken a look at your code - very neat, btw.
I've extracted the code you used to build the unencoded verifier string and the encoded verifier code challenge, and inserted them both into my code. I've compared the verifier code in the authorisation url and in the token request and they are exactly the same. I'm still getting exactly the same error:
{"error_description": "invalid code verifier", "error": "invalid_grant"}
Here are the headers I'm sending with the token request:
HEADERS=Array ( [0] => Accept: application/json [1] => Content-Type: application/x-www-form-urlencoded )
Here is the data I'm paramatising onto the endpoint (oauth2/token) for the token request:
DATA=Array ( [grant_type] => authorization_code [code] => <AUTHORIZATIONCODE> [code_verifier] => <CODECHALLENGE> [client_id] => <CLIENTID> )
(I'm not using a REDIRECT_URI in either the authorisation URL or the token request as this is for a WordPress plugin that might get used on more than one site. This is apparently perfectly okay with Dropbox, according to their docs.)
I'm at a loss. If the CODECHALLENGE is exactly the same in both the authorisation URL and the token request, why on earth is it failing?
With the token request you should pass the code verifier, not the code challenge. Dropbox will hash it itself and compare it with the code challenge that it stored when the user granted access with the authorize request. note that the code verifier should be unique for each install of your plugin and should stay on that install and only be used to obtain a (long lived) refresh token.
Hope this helps
Thanks. That seems to have done the trick. I'm sure I tried that option once before, but I must have also had something else changed that also wasn't working.
Hi there!
If you need more help you can view your support options (expected response time for a ticket is 24 hours), or contact us on X or Facebook.
For more info on available support options for your Dropbox plan, see this article.
If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!