Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

Can't get PKCE access token uses javascript fetch request

ancso
Helpful | Level 6

I am trying to utilize PKCE in a background script of a Chrome extension.
The example shows the following:

 

curl https://api.dropbox.com/oauth2/token \
 -d code=<AUTHORIZATION_CODE> \
 -d grant_type=authorization_code \
 -d code_verifier=<CODE_VERIFIER> \
 -d client_id=<APP_KEY>

 

My code:

  var dbxParams = new URLSearchParams({
    client_id:      client_id,
    grant_type:     "authorization_code",
    code:           access_code,
    code_verifier:  code_verifier,
  });
  var url = "https://api.dropbox.com/oauth2/token";

  fetch(url, {
    method: 'POST',
    body: dbxParams
  })
  .then(function(response){
    return response.json()
  })
  .then(function (data) {
    console.log('Request succeeded with JSON response', data);
  })
  .catch(function (error) {
    console.log('Request failed', error);
  });

 

I always get the same reply:

{"error_description": "No auth function available for given request", "error": "invalid_request"}

 

Can you help?

 

18 Replies

Greg-DB
Dropbox Staff

Using that payload (though plugging in my own test client ID since you redacted yours), I still didn't get that error on https://reqbin.com/req/v0crmky0/rest-api-post-example . I instead got "code doesn't exist or has expired" as expected, since authorization codes are single-use and expire after a few minutes. Here's a screenshot showing the raw request and response there:

 

Screen Shot 2022-01-11 at 3.01.04 PM.png

Just to double check, are you getting "code doesn't exist or has expired" or "No auth function available for given request" if you do the same there?

ancso
Helpful | Level 6

Yes, I experience the same behavior.
If using an expired code, I get the same error "code doesn't exist or has expired":

HTTP/1.1 400 Bad Request
Content-Security-Policy: sandbox allow-forms allow-scripts
Content-Type: application/json
Accept-Encoding: identity,gzip
Date: Wed, 12 Jan 2022 02:27:14 GMT
Server: envoy
Content-Length: 84
X-Dropbox-Response-Origin: far_remote
X-Dropbox-Request-Id: 7ff4794a94a846b0bfcbc750fbe48fd5

{"error": "invalid_grant", "error_description": "code doesn't exist or has expired"}


However, if using a working code, I get:

HTTP/1.1 400 Bad Request
Content-Security-Policy: sandbox allow-forms allow-scripts
Content-Type: application/json
Accept-Encoding: identity,gzip
Date: Wed, 12 Jan 2022 02:25:18 GMT
Server: envoy
Content-Length: 97
X-Dropbox-Response-Origin: far_remote
X-Dropbox-Request-Id: 320762d3550c4d8a8e9e46a5ddc6b091

{"error": "invalid_request", "error_description": "No auth function available for given request"}

 

ancso
Helpful | Level 6

Is there a way we can debug this online together?
Maybe in an online meeting?

Greg-DB
Dropbox Staff

Thanks! That's helpful. I believe I see what's causing this now. Can you check what /oauth2/authorize URL you're using? Since you're trying to use the PKCE flow, you need to include the code_challenge and code_challenge_method parameters. If you don't include those though, this effectively becomes the non-PKCE flow, in which case when you don't supply the client_secret value when calling /oauth2/token, you'll get this "No auth function available for given request" error (since the non-PKCE flow requires the client secret).

 

So, in order to use the PKCE flow, make sure you're including the code_challenge and code_challenge_method parameters on your /oauth2/authorize URL when retrieving the authorization code.

ancso
Helpful | Level 6

Yes!
That was the problem.
My apologies, I missed these arguments in the request URL.

 

However, I am now getting the error:

 

{error: 'invalid_grant', error_description: 'invalid code verifier'}

 

 

The URL includes both code_challenge and code_challenge_method
and looks like:

 

https://www.dropbox.com/oauth2/authorize?response_type=code&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256

 


and the parameters sent to oauth2/token are:

 

client_id=<client_id>&grant_type=authorization_code&code=<auth code from dropbox>&code_verifier=<128 char verifier>

 

 

I also made sure that <code challenge> is a SHA256 hash of <128 char verifier> by testing it at https://emn178.github.io/online-tools/sha256.html

What am I missing?

Greg-DB
Dropbox Staff

The S256 method can be difficult to implement exactly correctly in code, and that tool you linked to is made by a third party so I can't say if it's producing exactly the format required for the OAuth 2 flow. You can refer to the code in the official Dropbox API v2 JavaScript SDK where this is done though. Alternatively, you could use the "plain" method (where the code challenge is just the code verifier) instead.

 

By the way, I don't know exactly what was contained in the cookies in the screenshot you posted, and I redacted them from the image anyway, but just to be safe, you may want to delete any old web browser sessions, as well as sign out of your current one, to invalidate any such cookies.

ancso
Helpful | Level 6

Plain works well, thanks.

The example given at https://dropbox.tech/developers/pkce--what-and-why- refers to Node.js and is not valid in browsers.
Can you please show an example that will be valid in such an environment as browsers?
Thanks

Greg-DB
Dropbox Staff

The API v2 JavaScript SDK supports both browser and node environments, so I recommend checking out that code.
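
Added example (not part of the thread, and not the Dropbox SDK's code): a browser-compatible S256 implementation following RFC 7636, where the challenge is the unpadded base64url encoding of the raw SHA-256 digest of the verifier, plus the /oauth2/authorize URL carrying both code_challenge and code_challenge_method as discussed earlier in the thread. The function names are hypothetical, and the Node fallback on the first code line exists only so the block also runs outside a browser.

```javascript
// Web Crypto is global in browsers and extension scripts; fall back to Node's copy otherwise.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// base64url without padding: '+' -> '-', '/' -> '_', trailing '=' removed.
function base64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// 96 random bytes encode to a 128-character verifier (RFC 7636 allows 43 to 128).
function generateCodeVerifier(byteLength = 96) {
  const bytes = new Uint8Array(byteLength);
  webCrypto.getRandomValues(bytes);
  return base64url(bytes);
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
// The input to base64url is the raw 32-byte digest, not its hexadecimal text.
async function codeChallengeS256(verifier) {
  const data = new TextEncoder().encode(verifier);
  const digest = await webCrypto.subtle.digest('SHA-256', data);
  return base64url(new Uint8Array(digest));
}

// Pre-flight check on a challenge string before it goes on the authorize URL.
function classifyChallenge(challenge) {
  if (/^[0-9a-f]{64}$/i.test(challenge)) return 'hex-digest'; // hex SHA-256 text
  if (/^[A-Za-z0-9_-]{43}$/.test(challenge)) return 'base64url'; // S256 format
  return 'other'; // padded or standard base64, or wrong length
}

// Authorize URL with the PKCE parameters; clientId is the app key.
function buildAuthorizeUrl(clientId, challenge) {
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    code_challenge: challenge,
    code_challenge_method: 'S256',
  });
  return 'https://www.dropbox.com/oauth2/authorize?' + params.toString();
}
```

A challenge classified as hex-digest is the 64-character hexadecimal form that generic SHA-256 tools print; a server following RFC 7636 recomputes the base64url form from the verifier, so the two never compare equal.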

ancso
Helpful | Level 6

Will check it.
Thanks for your help, it is much appreciated!
