cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
If you’ve changed your email address, now's the perfect time to update it on your Dropbox account and we’re here to help! Learn more here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

C# Dropbox.API File Upload Errors

C# Dropbox.API File Upload Errors

gregarican
Explorer | Level 4
Go to solution

I'm using the most recent NuGet package for my VS 2019 project. My app has worked consistently for several years now. But recently I have logged errors when invoking the client.Files.UploadAsync() method. The underlying exception appears as The request was aborted: Could not create SSL/TLS secure channel. I have debugged my code and can see an access token is being provided so the API call is correctly authenticated. 

 

These errors are spotty, and don't happen consistently. At first I thought there was an issue with my WebView2 control I use in order to ensure that OAuth2 is properly functioning. But that has been eliminated, as I can verify that the access token is there. Now doing some additional troubleshooting and code changes I am getting back an error stating the access token has expired.

 

Did something recently change in terms of the API endpoint and its behavior?   

1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
Go to solution

Yes, for the official Dropbox API v2 .NET SDK, you can find an example of using the new authorization functionality in the OauthBasic example (non-PKCE, meant for server-side apps) as well as in the OAuthPKCE example (PKCE, meant for client-side apps).

View solution in original post

11 Replies 11

gregarican
Explorer | Level 4
Go to solution

I think I might have stumbled upon what's going on. First off, I needed to ensure I am enforcing TLS 1.2 throughout my project. Previously it was just defined within the initial OAuth2 form's method. Secondly, I have read on the community posts that the access tokens now have shorter expiration times compared to previously. Strange that just now in 2022 I'm running into that mechanism. Most of the community posts were from a year or more ago where developers ran into this happening.

 

Between both elements I hope to have things patched up for my project. Time and testing will certainly tell. 😀

Greg-DB
Dropbox Staff
Go to solution

Yes, that "Could not create SSL/TLS secure channel" error indicates this is due to a problem establishing the secure connection between your client and the Dropbox API servers. Specifically, Dropbox recently retired support for TLS 1.0 and 1.1. The Dropbox API servers now only support connections using TLS 1.2. You'll need to update your app/network client/environment to use TLS 1.2 in order to continue making Dropbox API calls.

 

For your client/environment, please refer to the relevant documentation for information on enabling the relevant platform support. For example, Microsoft in particular appears to have some resources here which may be helpful:
 

 

Additionally, technically unrelated to the TLS issue, Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.

Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation.

For reference, while the creation of new long-lived access tokens is now deprecated, we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, you can continue using existing long-lived access token(s) without interruption, if you have any. Also, note though that after the change you won't be able to create new long-lived access tokens.

While the change began on September 30th 2021, we're releasing it gradually, so you may not have seen your app(s) affected until now. Once it applies to your app, it would apply regardless of the "Access token expiration" setting for your app, and that setting may no longer be available for your app.

gregarican
Explorer | Level 4
Go to solution

Thanks for all of the info! Very insightful. Now since I am using the Dropbox.API NuGet package, could you point me to any examples of tokenization using the "new" mechanism that's being rolled out? 

Greg-DB
Dropbox Staff
Go to solution

Yes, for the official Dropbox API v2 .NET SDK, you can find an example of using the new authorization functionality in the OauthBasic example (non-PKCE, meant for server-side apps) as well as in the OAuthPKCE example (PKCE, meant for client-side apps).

gregarican
Explorer | Level 4
Go to solution

I downloaded the SDK and compiled the OAuthPKCE project. Apparently invoking the HttpListener.Start() method requires elevated privileges. Getting an Error Code: 5 - Access Denied. I'll try to ferret out the logic behind the sample code and implement it outside of the mechanism used in the sample project. Since my client-side app is a basic Click Once deployment that runs at the user level. And our endusers definitely don't have local admin rights to their PC's. 😀  

 

Also, reviewing the sample projects, it appears as if when a token has expired the routine to acquire a new one is invoking a web browser window in order to complete the OAuth process? So every 4 hours an enduser would be guided through that process, correct? The app I have is used for uploading scanned documents from dedicated endusers. These endusers have the app up all of the workday and are scanning multiple documents. So worst-case a few times a day they would have to run through the OAuth process again? I realize if I just work with the raw API I could likely use static App Authentication (https://www.dropbox.com/developers/reference/auth-types) and forego the entire OAuth process if push came to shove...  

Greg-DB
Dropbox Staff
Go to solution

No, when requesting "offline" access, the app receives a "refresh token" that can be used to retrieve new short-lived access tokens whenever, without manual user interaction (that is, the user doesn't need to repeatedly re-authorize the app once the app has the refresh token). The .NET SDK will perform that refresh process (getting new short-lived access tokens) automatically for you.

gregarican
Explorer | Level 4
Go to solution

Okay, I'm making headway recoding my project to account for the new mechanism. I'm hitting a stumbling block trying to perform the second half of the initial OAuth2 process. Taking the code that's supplied in the URI and getting the refresh token. Below is a code snippet. I'm using a WebView2 form to run through the process, since it can run as user-level and doesn't require local admin rights.

 

The choke point is when my routine hits the ProcessCodeFlowAsync() step. It consistently comes back with an invalid_grant exception. I've run across other posts on here where there were multiple calls going on, and the duplication was leading to this. But I'm only initially hitting this step once, when I first launch my app.

 

Any suggestions on where to go from here? I do appreciate all of your timely assistance. It's been very helpful!

 

private async void Start(string appKey, string appPwd)
{
this.ApiKey = appKey;
this.ApiPwd = appPwd;
this.oauth2State = Guid.NewGuid().ToString("N");
var authorizeUri = DropboxOAuth2Helper.GetAuthorizeUri(OAuthResponseType.Code, appKey, new Uri(RedirectUri), state: oauth2State, tokenAccessType: TokenAccessType.Offline);
await this.Browser.EnsureCoreWebView2Async(null);
this.Browser.CoreWebView2.Navigate(authorizeUri.ToString());
this.Visibility = Visibility.Visible;
this.Focus();
}

private void BrowserNavigating(object sender, CoreWebView2NavigationStartingEventArgs e)
{
if (!e.Uri.ToString().StartsWith(RedirectUri, StringComparison.OrdinalIgnoreCase))
{
// we need to ignore all navigation that isn't to the redirect uri.
return;
}

try
{
var uri = new Uri(e.Uri, UriKind.Absolute);
var queryParm = uri.Query;
var code = queryParm.Split('=')[1];
var tokenResult = Task.Run(() => DropboxOAuth2Helper.ProcessCodeFlowAsync(responseUri: uri, appKey: this.ApiKey, appSecret: this.ApiPwd, state: this.oauth2State)).Result;
this.AccessToken = tokenResult.AccessToken;
this.RefreshToken = tokenResult.RefreshToken;
this.UserId = tokenResult.Uid;
this.Result = true;
}
catch (ArgumentException)
{
// There was an error in the code being processed.
}
finally
{
e.Cancel = true;
this.Close();
}
}

Greg-DB
Dropbox Staff
Go to solution

An 'invalid_grant' error can indicate that the values you're supplying to ProcessCodeFlowAsync don't match the configuration used with GetAuthorizeUri to get that particular authorization. For instance, I see you're using a redirect URI ('new Uri(RedirectUri)') with GetAuthorizeUri. In that case, you need to supply that same redirect URI to ProcessCodeFlowAsync to validate that request.

 

That is, in addition to setting the 'responseUri' parameter on ProcessCodeFlowAsync, you should set 'redirectUri' as well (matching the 'redirectUri' value you gave to GetAuthorizeUri).

 

By the way, I should mention that we don't officially support processing the OAuth app authorization flow in a web view. The OAuth app authorization flow should be processed in the user's system browser. See here for more information. It sounds like we don't have a full sample app that meets your use case exactly, but I have a post here with some information that may be helpful.

gregarican
Explorer | Level 4
Go to solution

That did the trick! I just modified the one line for that second step so it's now below (added the argument in bold italics):

 

var tokenResult = Task.Run(() => DropboxOAuth2Helper.ProcessCodeFlowAsync(responseUri: uri, appKey: this.ApiKey, appSecret: this.ApiPwd, state: this.oauth2State, redirectUri: RedirectUri)).Result;

 

Now previously I was only connecting to the API by checking tokens when first launching my app. You're saying my client will automatically pull new access tokens once the old ones expire? So the refresh token remains static and the access token is automatically refreshed?

 

Here is my code where I instantiate the client when the app first launches. 

 

DropboxCertHelper.InitializeCertPinning();

DropboxClient client;

 

var httpClient = new HttpClient(new WebRequestHandler { ReadWriteTimeout = 10 * 1000 })
{
Timeout = TimeSpan.FromMinutes(20)
};

 

var config = new DropboxClientConfig("DcDocScanner")
{
HttpClient = httpClient
};

 

config.HttpClient.Timeout = new TimeSpan(0, 5, 0);

client = new DropboxClient(Properties.Settings.Default.AccessToken, Properties.Settings.Default.RefreshToken, Properties.Settings.Default.DropboxApiKey, Properties.Settings.Default.DropboxApiPwd, config);

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    gregarican Explorer | Level 4
  • User avatar
    Greg-DB Dropbox Staff
What do Dropbox user levels mean?