What way of authorization to use for a (PHP) open source module

fietserwin · ‎03-04-2021

I am the developer of the Drupal module Backup & migrate Dropbox that extends the "Backup and migrate" module to store backups on Dropbox. So this module:

is open source, so I cannot put the App secret in my code.
installed on web servers of which I cannot know the domain names, so I cannot define redirect uri's for all those domains.
runs via some admin screens but mainly via cron jobs (unattended), so I need a way to work with long lived tokens/codes.
I am not part of an organization that can or wants to provide an intermediate site for the redirect uri (and storage of long lived codes/tokens? Keeper of App secret?) .
The current version requires users to each create their own App and generate a long lived token on their App console.

I am developing a new version that should use the newer oauth2 way of obtaining authorization. Given the above, it seems that the PKCE flow is the way to go, but is this possible? I arrive at getting a user copied and pasted (short lived) acces code, use that to get a 1st (short lived) bearer token and (presumably long lived) refresh token, but after the access code and bearer token have expired and I use the refresh token to get a new bearer token I get the error:

Request sent:

 https://api.dropbox.com/oauth2/token
   body = refresh_token=8p************************************************************eI
&grant_type=refresh_token
&code_verifier=wE***************************************pU
&client_id=2b***********6x

Response received (invalid json as all \ were removed to improve readability):

body: {"error_description": "unknown field "code_verifier"", "error": "invalid_request"}"
response code: 400

Is what I want possible? If so, how? Or what is the way to go?

Thanks for any help on this.

Greg-DB · ‎03-04-2021

While the PKCE flow is generally meant for client-side apps (and server-side apps would generally use the code flow) given the constraints in this case, using the PKCE flow seems reasonable and should work.

The issue you're running in to here is that you're calling /oauth2/token to perform 'grant_type=refresh_token' but are supplying the 'code_verifier' parameter. The 'code_verifier' parameter should only be provided for the initial 'grant_type=authorization_code'.

That is, the flow should look like this:

The user is directed to /oauth2/authorize
The user approves the app
The user copies the authorization code from the Dropbox web site into the app
The app calls /oauth2/token supplying 'code' set to the authorization code, 'grant_type=authorization_code', 'code_verifier' set to the code verifier, and 'client_id' set to the app key, just once per authorization flow.
The app uses the short-lived access token to make API calls.
The app calls /oauth2/token supplying 'refresh_token' set to the refresh token, 'grant_type=refresh_token', and 'client_id' set to the app key, but not 'code_verifier', repeatedly whenever a new short-lived access token is needed.

Also, to confirm, yes, refresh tokens are long-lived. They don't expire by themselves, but can be revoked on demand.

Hope this helps!

View solution in original post

Greg-DB · ‎03-04-2021

While the PKCE flow is generally meant for client-side apps (and server-side apps would generally use the code flow) given the constraints in this case, using the PKCE flow seems reasonable and should work.

The issue you're running in to here is that you're calling /oauth2/token to perform 'grant_type=refresh_token' but are supplying the 'code_verifier' parameter. The 'code_verifier' parameter should only be provided for the initial 'grant_type=authorization_code'.

That is, the flow should look like this:

The user is directed to /oauth2/authorize
The user approves the app
The user copies the authorization code from the Dropbox web site into the app
The app calls /oauth2/token supplying 'code' set to the authorization code, 'grant_type=authorization_code', 'code_verifier' set to the code verifier, and 'client_id' set to the app key, just once per authorization flow.
The app uses the short-lived access token to make API calls.
The app calls /oauth2/token supplying 'refresh_token' set to the refresh token, 'grant_type=refresh_token', and 'client_id' set to the app key, but not 'code_verifier', repeatedly whenever a new short-lived access token is needed.

Also, to confirm, yes, refresh tokens are long-lived. They don't expire by themselves, but can be revoked on demand.

Hope this helps!

fietserwin · ‎03-04-2021

Yes, that works, thanks a lot. I thus indeed was close all that time. Could it be an idea to add a step 6 to the PKCE guide (https://dropbox.tech/developers/pkce--what-and-why-) or add a 4th example to https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token ?

delahoc · ‎05-28-2021

I'm not having any joy at all getting authorisation to work. As far as I can tell, I'm following the docs to the letter (though some of them are extremely difficult to read or interpret) and this coincides perfectly with the steps outlined earlier in this thread.

I'm trying to use the PKCE flow for a Wordpress plugin built in PHP. The docs say this is the best method to use where the code will be viewable by the public so you don't want to have your app secret used.

I construct a url to take the user to oauth2/authorize to authorise the app. The url has the following added in correct url encoded format:

response_type=code

client_id=<MYAPPID>

code_challenge=<CHALLENGE>

code_challenge_method=S256

(with the appropriate values in place of the placeholders above).

The user then returns to my app and types in the <CODE> they're given, and I then save it.

I then immediately use that <CODE> to try to get a token using oauth2/token. I'm using CURL for this. The headers I set are:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

Then for the data (sent in urlencoded format) I have

code=<CODE>
grant_type=authorization_code
code_verifier=<CHALLENGE>
client_id=<MYAPPID>

What I get back from Dropbox, though, is an error:

{"error_description": "invalid code verifier", "error": "invalid_grant"}

I keep trying different combinations of things, including with the headers, for about five minutes until the <CODE> expires and the error message changes to that. Then I have to re-authorise the app and circle around again. The encrypted code verifier I'm sending in the token request is exactly the same encrypted code verifier I sent with the authorisation url. So why the error?

This is doing my head in. Can anyone please help?

fietserwin · ‎05-29-2021

Delahoc,

I suggest you have a look at my code that you can find at https://www.drupal.org/project/backup_migrate_dropbox/releases/7.x-3.0, that should help you to construct the correct flow and requests and process the answers.

delahoc · ‎05-29-2021

Thanks for the reply. I'm pretty sure I have the flow and requests correct. I'd love to check out your code, but that link you've provided gives a 404 Page Not Found error.

fietserwin · ‎05-29-2021

Remove the comma at the end, the forum software added that to my plain text link.

delahoc · ‎05-29-2021

Thanks. I've taken a look at your code - very neat, btw.

I've extracted the code you used to build the unencoded verifier string and the encoded verifier code challenge, and inserted them both into my code. I've compared the verifier code in the authorisation url and in the token request and they are exactly the same. I'm still getting exactly the same error:

{"error_description": "invalid code verifier", "error": "invalid_grant"}

Here are the headers I'm sending with the token request:

HEADERS=Array
(
    [0] => Accept: application/json
    [1] => Content-Type: application/x-www-form-urlencoded
)

Here is the data I'm paramatising onto the endpoint (oauth2/token) for the token request:

DATA=Array
(
    [grant_type] => authorization_code
    [code] => <AUTHORIZATIONCODE>
    [code_verifier] => <CODECHALLENGE>
    [client_id] => <CLIENTID>
)

(I'm not using a REDIRECT_URI in either the authorisation URL or the token request as this is for a WordPress plugin that might get used on more than one site. This is apparently perfectly okay with Dropbox, according to their docs.)

I'm at a loss. If the CODECHALLENGE is exactly the same in both the authorisation URL and the token request, why on earth is it failing?

fietserwin · ‎05-30-2021

With the token request you should pass the code verifier, not the code challenge. Dropbox will hash it itself and compare it with the code challenge that it stored when the user granted access with the authorize request. note that the code verifier should be unique for each install of your plugin and should stay on that install and only be used to obtain a (long lived) refresh token.

Hope this helps

delahoc · ‎05-30-2021

Thanks. That seems to have done the trick. I'm sure I tried that option once before, but I must have also had something else changed that also wasn't working.

What way of authorization to use for a (PHP) open source module

What way of authorization to use for a (PHP) open source module

Top contributors to this post