Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

API Error: invalid code verifier

delahoc
Explorer | Level 4

I'm not having any joy at all getting authorisation to work. As far as I can tell, I'm following the docs to the letter (though some of them are extremely difficult to read or interpret) and this coincides perfectly with the steps outlined in another thread (https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/What-way-of-authorization-to-use-for-a...).

 

I'm trying to use the PKCE flow for a WordPress plugin built in PHP. The docs say this is the best method to use where the code will be viewable by the public so you don't want to have your app secret used.

 

I construct a url to take the user to oauth2/authorize to authorise the app. The url has the following added in correct url encoded format:

response_type=code

client_id=<MYAPPID>

code_challenge=<CHALLENGE>

code_challenge_method=S256

(with the appropriate values in place of the placeholders above).

 

The user then returns to my app and types in the <CODE> they're given, and I then save it.

 

I then immediately use that <CODE> to try to get a token using oauth2/token. I'm using CURL for this. The headers I set are:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

Then for the data (sent in urlencoded format) I have

code=<CODE>
grant_type=authorization_code
code_verifier=<CHALLENGE>
client_id=<MYAPPID>

What I get back from Dropbox, though, is an error:

{"error_description": "invalid code verifier", "error": "invalid_grant"}

I keep trying different combinations of things, including with the headers, for about five minutes until the <CODE> expires and the error message changes to that. Then I have to re-authorise the app and circle around again. The encrypted code verifier I'm sending in the token request is exactly the same encrypted code verifier I sent with the authorisation URL. So why the error?

 

This is doing my head in. Can anyone please help?

Accepted Solutions

Greg-DB
Dropbox Staff

I see someone already helped you sort this out in another thread. Here's the link for anyone else looking for the answer.
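
For readers who hit the same error, here is an added example (not from this thread or from Dropbox) of the S256 relationship that RFC 7636 defines between the two PKCE values. The authorize URL carries `code_challenge`, the token request carries the original `code_verifier`, and the server re-hashes the verifier and compares, so a request that repeats the challenge in `code_verifier` cannot match. The helper names are hypothetical, and `<MYAPPID>` and `<CODE>` are the thread's placeholders.

```php
<?php
// Added example: PKCE with S256 as defined in RFC 7636. Helper names are hypothetical.

function b64url(string $bytes): string {
    // base64url without '=' padding (RFC 7636, Appendix A)
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function pkce_new_verifier(): string {
    // 32 random bytes give a 43-character verifier (allowed length is 43 to 128)
    return b64url(random_bytes(32));
}

function pkce_challenge(string $verifier): string {
    // Hash the verifier's ASCII bytes; use the raw digest, not the hex string
    return b64url(hash('sha256', $verifier, true));
}

function pkce_server_check(string $storedChallenge, string $presentedVerifier): bool {
    // The comparison an authorization server makes at the token endpoint for S256
    return hash_equals($storedChallenge, pkce_challenge($presentedVerifier));
}

// Keep the verifier server-side (session, transient, ...) until the token exchange
$verifier  = pkce_new_verifier();
$challenge = pkce_challenge($verifier);

// Step 1: the query string for oauth2/authorize carries only the challenge
$authorizeQuery = http_build_query([
    'response_type'         => 'code',
    'client_id'             => '<MYAPPID>',
    'code_challenge'        => $challenge,
    'code_challenge_method' => 'S256',
]);

// Step 2: the form body for oauth2/token carries the original verifier
$tokenBody = http_build_query([
    'code'          => '<CODE>',
    'grant_type'    => 'authorization_code',
    'code_verifier' => $verifier,
    'client_id'     => '<MYAPPID>',
]);

echo $authorizeQuery, PHP_EOL, $tokenBody, PHP_EOL;
var_dump(pkce_server_check($challenge, $verifier));   // original verifier presented
var_dump(pkce_server_check($challenge, $challenge));  // challenge resent as the verifier
```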
