Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
I am trying to utilize PKCE in a background script of a Chrome extension.
The example shows the following:
    curl https://api.dropbox.com/oauth2/token \
        -d code=<AUTHORIZATION_CODE> \
        -d grant_type=authorization_code \
        -d code_verifier=<CODE_VERIFIER> \
        -d client_id=<APP_KEY>
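My code:
    // client_id, access_code and code_verifier are assumed to be set earlier in the script.
    var dbxParams = new URLSearchParams({
        client_id: client_id,
        grant_type: "authorization_code",
        code: access_code,
        code_verifier: code_verifier,
    });
    var url = "https://api.dropbox.com/oauth2/token";
    // A URLSearchParams body is sent as application/x-www-form-urlencoded.
    fetch(url, {
        method: 'POST',
        body: dbxParams
    })
    .then(function (response) {
        // Error responses from the token endpoint are JSON too, so parse them as well.
        return response.json();
    })
    .then(function (data) {
        console.log('Request succeeded with JSON response', data);
    })
    .catch(function (error) {
        console.log('Request failed', error);
    });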
{"error_description": "No auth function available for given request", "error": "invalid_request"}
Can you help?
Using that payload (though plugging in my own test client ID since you redacted yours), I still didn't get that error on https://reqbin.com/req/v0crmky0/rest-api-post-example . I instead got "code doesn't exist or has expired" as expected, since authorization codes are single-use and expire after a few minutes. Here's a screenshot showing the raw request and response there:
Just to double check, are you getting "code doesn't exist or has expired" or "No auth function available for given request" if you do the same there?
Yes, I experience the same behavior.
If using an expired code I get the same error "code doesn't exist or has expired":
    HTTP/1.1 400 Bad Request
    Content-Security-Policy: sandbox allow-forms allow-scripts
    Content-Type: application/json
    Accept-Encoding: identity,gzip
    Date: Wed, 12 Jan 2022 02:27:14 GMT
    Server: envoy
    Content-Length: 84
    X-Dropbox-Response-Origin: far_remote
    X-Dropbox-Request-Id: 7ff4794a94a846b0bfcbc750fbe48fd5

    {"error": "invalid_grant", "error_description": "code doesn't exist or has expired"}
However, if using a working code I get:
    HTTP/1.1 400 Bad Request
    Content-Security-Policy: sandbox allow-forms allow-scripts
    Content-Type: application/json
    Accept-Encoding: identity,gzip
    Date: Wed, 12 Jan 2022 02:25:18 GMT
    Server: envoy
    Content-Length: 97
    X-Dropbox-Response-Origin: far_remote
    X-Dropbox-Request-Id: 320762d3550c4d8a8e9e46a5ddc6b091

    {"error": "invalid_request", "error_description": "No auth function available for given request"}
Is there a way we can debug this online together?
Maybe in an online meeting?
Thanks! That's helpful. I believe I see what's causing this now. Can you check what /oauth2/authorize URL you're using? Since you're trying to use the PKCE flow, you need to include the code_challenge and code_challenge_method parameters. If you don't include those though, this effectively becomes the non-PKCE flow, in which case when you don't supply the client_secret value when calling /oauth2/token, you'll get this "No auth function available for given request" error (since the non-PKCE flow requires the client secret).
So, in order to use the PKCE flow, make sure you're including the code_challenge and code_challenge_method parameters on your /oauth2/authorize URL when retrieving the authorization code.
Yes! That was the problem.
My apologies, I missed these arguments in the request URL.
However, I am now getting the error:
{error: 'invalid_grant', error_description: 'invalid code verifier'}
The URL includes both code_challenge and code_challenge_method
and looks like:
https://www.dropbox.com/oauth2/authorize?response_type=code&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256
and the parameters sent to oauth2/token are:
client_id=<client_id>&grant_type=authorization_code&code=<auth code from dropbox>&code_verifier=<128 char verifier>
I also made sure that <code challenge> is a SHA256 hash of <128 char verifier> by testing it at https://emn178.github.io/online-tools/sha256.html
What am I missing?
The S256 method can be difficult to implement exactly correctly in code, and that tool you linked to is made by a third party so I can't say if it's producing exactly the format required for the OAuth 2 flow. You can refer to the code in the official Dropbox API v2 JavaScript SDK where this is done though. Alternatively, you could use the "plain" method (where the code challenge is just the code verifier) instead.
By the way, I don't know exactly what was contained in the cookies in the screenshot you posted, and I redacted them from the image anyway, but just to be safe, you may want to delete any old web browser sessions, as well as sign out of your current one, to invalidate any such cookies.
Plain works well.
Thanks.
The example given at https://dropbox.tech/developers/pkce--what-and-why- refers to Node.js and is not valid in browsers.
Can you please show an example that will be valid in such an environment as browsers?
Thanks.
The API v2 JavaScript SDK supports both browser and node environments, so I recommend checking out that code.
Will check it.
Thanks for your help, it is much appreciated!