Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

Forced to make all users Team Admins? "You must be a team administrator to authorize this app"

Tech Dev Oldsmar
Helpful | Level 5

Good morning:

 

Transitioning to short-lived tokens with a snag. The "no expiration" token currently used in the 10-person dev environment is working perfectly to upload/download/save, etc. files/folders in a shared teams environment.

 

Got oauth2 working for me and my other user with Team Administrator access.  The app must obviously have scoped access to the shared folders:

 

Scroped-DBX-API-settings.jpg

 

I bought another business license to create a test user without teams admin access (like my other 8 users). Without admin access, I cannot register the app. I get this error:

error-connecting-app-need-team-admin-access.jpg

I use the DBX API for an intranet and manage access through Azure AD so I have precise control of how folders are created, files saved, etc. I'd like the API available to regular business DBX users without making them Team Administrators. I'm skirting this right now in production with the non-expiring token but those days are numbered.

 

Any ideas?   Thanks in advance. 

 

 

Accepted Solutions

Greg-DB
Dropbox Staff

This error is about which scopes are being requested. For reference, scoped apps can use two main kinds of scopes: "Individual" and "Team".

 

Individual scopes enable access to functionality for an individual account, such as uploading and downloading files, creating folders, etc. They can be authorized by any kind of Dropbox account.

 

Team scopes enable access to functionality for entire Business teams, such as managing members, etc. They can only be authorized by team admins.

 

The error here is indicating that the app is requesting team scopes, but the user is not an admin and so cannot authorize that. If you want to allow non-admins to connect the app, you'll need to request only individual scopes. 

 

If your app never needs to use team scopes, you can configure this by disabling the team scopes entirely from the app's Permissions settings (which are shown in your screenshot).

 

Alternatively, if your app does sometimes need to use team scopes, you can instead specify which scopes to request from a user on the fly by setting a particular set of scopes when constructing the authorization URL. That is, you can list the scopes to request in the 'scope' parameter on the /oauth2/authorize URL. (If you're using an SDK to process the flow, refer to the relevant SDK documentation for information on how to configure that.)

Tech Dev Oldsmar
Helpful | Level 5

Hello Greg:

 

Worked!   The .NET SDK DBX App has Teams rights but I only request individual rights in the authorization URL scope directive:  

 

https://www.dropbox.com/oauth2/authorize?client_id=MY_CLIENT_ID&redirect_uri=MY_REDIRECT_URI&respons...scope=account_info.write account_info.read files.metadata.write files.metadata.read files.content.write files.content.read

 

That allows a non-Team Admin to approve the app.   When I need to actually use a Team feature (team_info.read team_data.member team_data.team_space files.team_metadata.write members.read groups.read) I create a teamClient.AsMember and everything seems to be fine.   I tested it out to create a subfolder within a Team directory and no problem!  

 

Thanks!

 

Anton
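
The scope handling discussed above, as an added example that is not part of the original posts or Dropbox's own code: a Python sketch that builds the /oauth2/authorize URL from an allowlist of the individual scopes quoted in the thread and refuses team scopes, which only a team admin can approve. The helper names, the redirect URI and the state handling are assumptions; the team-scope set is only the list given in the post above, not a full catalogue.

```python
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://www.dropbox.com/oauth2/authorize"

# Individual scopes quoted in the thread; any Dropbox account can approve them.
INDIVIDUAL_SCOPES = frozenset({
    "account_info.write", "account_info.read",
    "files.metadata.write", "files.metadata.read",
    "files.content.write", "files.content.read",
})
# Team scopes named in the thread; requesting any of them needs a team admin.
TEAM_SCOPES = frozenset({
    "team_info.read", "team_data.member", "team_data.team_space",
    "files.team_metadata.write", "members.read", "groups.read",
})


def split_scopes(scopes):
    """Return (individual, team, unknown) lists, preserving input order."""
    known = INDIVIDUAL_SCOPES | TEAM_SCOPES
    individual = [s for s in scopes if s in INDIVIDUAL_SCOPES]
    team = [s for s in scopes if s in TEAM_SCOPES]
    unknown = [s for s in scopes if s not in known]
    return individual, team, unknown


def build_member_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Build an authorize URL that a non-admin member is able to approve."""
    _, team, unknown = split_scopes(scopes)
    if team or unknown:
        # Fail closed: anything outside the allowlist is rejected up front.
        raise ValueError(f"scopes outside the member allowlist: {team + unknown}")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "token_access_type": "offline",   # short-lived token plus refresh token
        "scope": " ".join(scopes),        # space-separated, as in the thread
        "state": state or secrets.token_urlsafe(16),  # CSRF protection
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def scopes_in_url(url):
    """Audit helper: list the scopes an existing authorize URL requests."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scope", [""])[0].split()
```

Running split_scopes over scopes_in_url(...) for the URLs an app already hands out shows which of them would trigger the "You must be a team administrator" error before a non-admin ever sees it.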

Tech Dev Oldsmar
Helpful | Level 5

This was really helpful - thank you for sharing the fix.  Didn't run into this until deployment with non-admins.  For anyone in the odd position of needing this for a Windows Forms application here is how I built the authorizeURI:

 

    using System.Collections.Generic;
    using System.Diagnostics;
    using Dropbox.Api;

    // set the desired scopes (individual scopes only, so non-admins can approve)
    var scopesList = new List<string>
    {
        "account_info.write",
        "account_info.read",
        "files.metadata.read",
        "files.metadata.write",
        "files.content.read",
        "files.content.write"
    };

    string[] scopes = scopesList.ToArray();
    var authorizeUri = DropboxOAuth2Helper.GetAuthorizeUri(
        OAuthResponseType.Code,
        Properties.Settings.Default.appKey,
        (string)null,                            // no redirect URI
        tokenAccessType: TokenAccessType.Offline,
        scopeList: scopes);

    // open the authorization page in the default browser
    Process.Start(authorizeUri.ToString());