"App Authentication" for App (without tokens). Yet another migration from long lived tokens question

lalomores · ‎03-07-2022

Hi there! I see there have been a lot of questions in the forum on this topic, so I'll just cut to the chase.

My app is made in Meteor (NodeJS) and React. Clients of my app do not need to handle files, just see them. Files are not client related, only related to my Dropbox App and corresponding Dropbox app folder.

Checking the Authentication Types the most obvious candidate to replace my long lived token, seems to be "App Authentication": "This type only uses the app's own app key and secret, and doesn't identify a specific user or team". That's perfect. I can safely provide app key and secret in the server exclusively, as the client will never need those. The question is how do I achieve that type of auth?

In the js sdk, I only found this example using app key and secret, yet afterwards it goes through the oauth process in the browser anyways. If I don't do that oauth part, I get an error [*] as a result of calling dbx.filesListFolders({ path: '', recursive: true }):

Any ideas what may I be missing?

[*]:

"error": {

"name": "DropboxResponseError",

"status": 409,

"headers": {},

"error": {

"error_summary": "path/unsupported_content_type/...",

"error": {

".tag": "path",

"path": {

".tag": "unsupported_content_type"

}

dwissing · ‎05-11-2022

Thank you. I think I have it now.

I was thinking that you needed to already have the authenticated token before creating the new Dropbox object.

I didn't realize you could create an un-authenticated dbx object, and the call a method on it to authenticate.

I appreciate your patience and help. 🙂

maxcastrovidal · ‎06-22-2022

Hello,

It seems that it is not true that the RefreshToken have permanent duration.

I got a Refresh Token by calling from my browser the url https://www.dropbox.com/oauth2/authorize?client_id=xxxxxxx&response_type=code

Then i used postman to get a short-lived access token using a POST call to the url https://api.dropboxapi.com/oauth2/token using the requered paramethers (Refresh token included)

After the short-lived access token finishes his useful life (4 hours) i ran again the same Postman Call (with the same parameters) to get a new short-lived access token, but now the response is

{

"error": "invalid_grant",

"error_description": "code doesn't exist or has expired"

}

Can you helpme please to solve tis issue?... i spent many hour trying to automate mi process but still i can't.

Здравко · ‎06-22-2022

Hi @maxcastrovidal,

Don't have any doubts - refresh token doesn't expire by itself.

@maxcastrovidal wrote:
...
After the short-lived access token finishes his useful life (4 hours) i ran again the same Postman Call (with the same parameters) to get a new short-lived access token, but now the response is
{
"error": "invalid_grant",
"error_description": "code doesn't exist or has expired"
}
...

👍Yes you are on the right track, you need to refresh (to create anew) your short-lived access token from the refresh token you already have. But... 🤔 Why are you using already expired code used formerly to get to the refresh token???! Once again, you already have this refresh token! Even more, code used to get this token is "single shoot" (i.e. once used, you can't use it any more and don't need actually).

Don't try to "refresh" refresh token itself, if you are trying this! You need to refresh the access token! Access token refreshing doesn't need "code", but a refresh token instead. 😉 Check what granting type you have selected (may be a copy/paste error - grant types for refresh token and access token are different).

Hope this helps.

By the way, using:

@maxcastrovidal wrote:
...
I got a Refresh Token by calling from my browser the url https://www.dropbox.com/oauth2/authorize?client_id=xxxxxxx&response_type=code
...

... you will never get any refresh token!!! You have to specify explicitly offline access! Something like:

https://www.dropbox.com/oauth2/authorize?token_access_type=offline&response_type=code&client_id=<App key>

In your situation whatever you are counting as a refresh token, it's not! 🤷

Greg-DB · ‎06-23-2022

@maxcastrovidal Здравко is correct; in short, it sounds like you're attempting to use the "authorization code" more than once. The authorization code can only be used once. Once you get the refresh token, you should store and re-use that, not the authorization code, to get new short-lived access tokens whenever needed, via /oauth2/token with grant_type=refresh_token.

maxcastrovidal · ‎06-27-2022

Thanks @Здравко and @Greg-DB for you comments... Basically I had to add the token_access_type=offline parameter to the oauth2.authorize end point and set correct values in the first/followins calls to the oauth2.token endpoint.

Still I think that's a cumbersome process, but at least i was able to do my job.

Thanks a lot again

"App Authentication" for App (without tokens). Yet another migration from long lived tokens question

"App Authentication" for App (without tokens). Yet another migration from long lived tokens question

Top contributors to this post