cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dropbox not sending refresh_token using new OAuth2 flow

Labels:

Dropbox not sending refresh_token using new OAuth2 flow

Vicne
Explorer | Level 4
‎06-29-2020 03:36 AM
Go to solution

Hi,

 

(Sorry I first posted this as a reply to this "solved" topic, which was a bad idea because it's mostly unrelated)

 

I'm developing a "native" app (called Ginj), and started Dropbox integration a few weeks ago.

I first used Dropbox's Java API for authorization, using PKCE and "copy/paste" from browser to app, and it seemed to work pretty well but now it seems I'm forced to re-authorize regularly.

After checking the received tokens, they are now indeed short-lived "sl-..." tokens, so I decided to call the REST OAuth API myself to see if I could implement the updated flow, and also get rid of the copy/paste step.

I think I'm nearly done, but when exchanging the received code for tokens, the response I'm getting contains an "access_token", but no "refresh_token" and no "expires_in". 

Now the access token seems to be "long lived" again, but I'm reading non-expiring tokens are getting deprecated, so I'd rather switch to the refresh logic while I'm at it...

How can I get a refresh_token ?

 

KR, 

Vicne

Labels:
  • 0 Likes
  • 2 Replies
  • 3,902 Views
0 Likes
1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
‎06-29-2020 11:30 AM
Go to solution

We recommend just using the official SDKs whenever possible, as they'll do most of the work for you, but you can certainly use the HTTPS endpoints directly if you'd like.

 

You can find information on this in the authorization documentation, as well as the new OAuth Guide.

 

Most apps currently default to long-lived access tokens, but if you want to start using short-lived access tokens, you should set the 'token_access_type' parameter on your /oauth2/authorize URL. You can find information on using that in the /oauth2/authorize documentation. Specifically, to get short-lived tokens with a refresh token, you should set it to "offline".

View solution in original post

2 Replies 2

Greg-DB
Dropbox Staff
‎06-29-2020 11:30 AM
Go to solution

We recommend just using the official SDKs whenever possible, as they'll do most of the work for you, but you can certainly use the HTTPS endpoints directly if you'd like.

 

You can find information on this in the authorization documentation, as well as the new OAuth Guide.

 

Most apps currently default to long-lived access tokens, but if you want to start using short-lived access tokens, you should set the 'token_access_type' parameter on your /oauth2/authorize URL. You can find information on using that in the /oauth2/authorize documentation. Specifically, to get short-lived tokens with a refresh token, you should set it to "offline".

Vicne
Explorer | Level 4
‎07-02-2020 01:29 PM
Go to solution

Yes, that was it.

Adding "token_access_type=offline" to the authorize url at the beginning of the transaction resulted in both a short-lived access token with a lifetime of 1440s (4h) and a refresh_token that I'll be able to use once the access_token is outdated.

 

Thanks for the great support.

 

Vicne

0 Likes
Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Vicne Explorer | Level 4
  • User avatar
    Greg-DB Dropbox Staff
What do Dropbox user levels mean?