I'm writing an app in Python that needs to access the Dropbox API v2. However, if I follow the typical OAuth flow for user authentication, I will have to include my APP_KEY and APP_SECRET in the source code, practically sharing them with anyone willing to have a look.
What is the suggested way of authenticating users in a similar setup?
This is a general problem with using OAuth in client-side applications, since client-side apps like this can't keep secrets. OAuth 2 addresses this with the "token" or "implicit" flow. When using the token flow (as opposed to the "code" flow), the app doesn't need the app secret to get an access token for the user. You can find more information on the different flows in the documentation here:
For a client-side app like this, you should use the token flow. Also, you didn't mention if you're using it, but for reference, the official Dropbox Python SDK is mainly meant for server-side apps, where the secret can be kept secret, so it doesn't support the token flow.
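The token flow described in the answer above, as an added example that is not part of the original thread or Dropbox's own code: the app builds the authorization URL without any app secret, then reads the access token from the fragment of the redirect and checks the `state` value. The app key and redirect URI are placeholders, and the sample redirect is constructed.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"
APP_KEY = "YOUR_APP_KEY"  # placeholder; the app key is an identifier, not a secret
REDIRECT_URI = "http://localhost:8080/callback"  # assumed; must be registered for the app


def build_authorize_url(app_key, redirect_uri):
    """Return (url, state). The token flow sends no app secret."""
    state = secrets.token_urlsafe(32)  # per-request value to bind the redirect to this request
    query = urlencode({
        "client_id": app_key,
        "response_type": "token",  # "token" flow, as opposed to "code"
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_token_redirect(redirected_url, expected_state):
    """Extract the access token from the URL fragment of the redirect."""
    fragment = parse_qs(urlsplit(redirected_url).fragment)
    if "error" in fragment:
        raise ValueError(f"authorization failed: {fragment['error'][0]}")
    returned_state = fragment.get("state", [""])[0]
    # Compare as bytes in constant time; reject redirects not tied to our request.
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not belong to this request")
    tokens = fragment.get("access_token", [])
    if len(tokens) != 1:
        raise ValueError("redirect does not carry exactly one access_token")
    return tokens[0]


if __name__ == "__main__":
    url, state = build_authorize_url(APP_KEY, REDIRECT_URI)
    print("Open in a browser:", url)
    # Constructed sample of the URL the browser lands on after the user approves.
    sample = f"{REDIRECT_URI}#access_token=SAMPLE_TOKEN&token_type=bearer&state={state}"
    print("Token:", parse_token_redirect(sample, state))
```

Because the token arrives in the URL fragment, it is not sent to the server handling the redirect URI; the app has to read it on the client side.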