Re: I'm struggleing to download a single file from the API

novaut · ‎11-09-2022

Hello there,

I'm struggleing to download a single file from the API.

I'm supplying the app key and secret for App Authentication but I'm getting this error:

Error in call to API function "files/download": Invalid authorization value in HTTP header "Authorization": "Basic YWFhYWFhYWFhYWFhYWFhOmJiYmJiYmJiYmJiYmJiYg==". Expecting "Bearer <oauth2-access-token>".

I'm following the App Authentication example from https://www.dropbox.com/developers/reference/auth-types#app

Why it doesn't work? I just want to use the API in a simple way.

Thanks and all the best 🙂

Здравко · ‎11-10-2022

@novaut wrote:
...
One question for how long refresh_token is alive? Is it long-lived?
...

Hi @novaut,

Yes, it's long lived token. The refresh token remains valid till explicit revoke either from application itself or user that granted access for your application to its data.

@novaut wrote:
...
I successfully got the file from Dropbox using the refresh_token and it doesn't ask for http authentication 🙂
...

You make me doubt you have understand everything correctly. You can download a file only with access token authentication, not directly with refresh token!!! The refresh token helps you keep receiving valid access token without further user actions. 😉 Hope this was just a confusion while typing.

Good luck.

View solution in original post

Здравко · ‎11-09-2022

@novaut wrote:
...
I'm following the App Authentication example from https://www.dropbox.com/developers/reference/auth-types#app

Why it doesn't work? I just want to use the API in a simple way.
...

Hi @novaut,

Wow, wow, wow... 😁 I haven't seen this big fault of Dropbox documentation. You can call some API endpoints with application authorization only when public data are handled (i.e. data for links etc). The examples shown there are completely wrong! Application authorization is designated for application confirmation (no some user authentication), that's why you can NOT access any user data in such a way. As noted in your error message for such thing bearer access token is needed (something showing that the particular user grant access to its data) - something you miss. That's why it doesn't work.

🙂 Another stupid thing is statement:

... This can be done either as separate strings, as shown in the first two examples below, or as an base64-encoded Basic authorization string in the Authorization header ...

The Basic authentication is ALWAYS performed with base64 encoding!!! You can do it explicitly or let curl does it internally. The person typing this documentation needs some tutorials...

Anyway... since you need user access, you need user authentication too. 😉 You need least access token (as noted there). Keep in mind that such a token is short lived. It's enough for single time use or use in relatively short period of time. If you need to gain access for longer period (without automatic expiration), than refresh token is needed too. You can take a look here how you can manage this.

Hope this helps.

novaut · ‎11-09-2022

Hi @Здравко,

Thanks for helping me.

I need to find an easy way to get the file from my Dropbox account.

I have API key, API Secret and I can't get the Authorization Code to get the Bearer Token because it asks me to login with my Dropbox username and password.

How can I do it with a request from my server?

It's complex to understand.

Thanks again 🙂

Здравко · ‎11-09-2022

@novaut wrote:
... it asks me to login with my Dropbox username and password.
How can I do it with a request from my server?
...

Hm... 🤔 Sometime ago was an option to generate long lived access token for long term access. Unfortunately, since long lived access token is retired already, no way to generate credentials for long term access in such a way (not yet at least). That's why you need to login once (at least) to create your credentials (such login doesn't need to be on the server - you can do it anywhere) and after that you can use available credentials on your server without logging in anymore (the refresh token keeps your granting). 😉 That's it.

novaut · ‎11-09-2022

Hi @Здравко,

I have generated credentials once as authorization_code and bearer_token but it expires.

I tried to refresh the authorization_code and got "error_description": "code does not exist or expired".

Can you confirm if this information still alive? "refresh_token String? A unique, long-lived token that can be used to request new short-lived access tokens without direct interaction from a user in your app."

Do I have to refresh the authorization_code every 3 hours to keep it long-lived?

Thanks again 🙂

Здравко · ‎11-09-2022

@novaut wrote:
...
I have generated credentials once as authorization_code and bearer_token but it expires.
...

Yes, that exactly what I said!!!

Seems you haven't read my posts before (my post before the last my post too). Read them with care! Code is for one time use - it can't be reused.

PS: The code is NOT part of your credentials!

Greg-DB · ‎11-09-2022

@novaut To download a file, it is correct to use the /2/files/download endpoint. You can find the information for using that endpoint in the documentation for /2/files/download here. As shown there, that endpoint supports "User Authentication", but not "App Authentication". There's also an curl example for that endpoint in endpoint documentation.

For reference, the "Authentication types" page lists different types that are used by different endpoints of the Dropbox API, but not every endpoint supports every type. The examples under each type show some example(s) of an endpoint which do support that type. For instance, the examples under "App Authentication" show the use of /2/files/get_thumbnail_v2, which does support App Authentication, but not /2/files/download.

So, to call /2/files/download, you need to use "User Authentication", which requires the an OAuth 2 access token as a "Bearer" token. It's not possible to successfully call /2/files/download using an app key/secret as "Basic" authorization.

And as Здравко noted, you need to authorize the app manually once, after which you can use the (short-lived) access token and refresh token. The "authorization code" can only be used once, in the process of retrieving the access token and refresh token. The refresh token doesn't expire automatically though, and can be re-used repeatedly without manual intervention to retrieve new short-lived access tokens whenever needed. You can find more information in the OAuth Guide and authorization documentation. There's a basic outline of processing this flow in this blog post which may serve as a useful example.

Здравко · ‎11-09-2022

@Greg-DB wrote:
... For instance, the examples under "App Authentication" show the use of /2/files/get_thumbnail_v2, which does support App Authentication, ...

🤔 Hm.. really... let's see this ' for instance':

curl -X POST "https://content.dropboxapi.com/2/files/get_thumbnail_v2" -u "<APP_KEY>:<APP_SECRET>" \
  --header "Dropbox-API-Arg: {\"resource\": {\".tag\": \"path\",\"path\": \"/a.docx\"},\"format\": \"jpeg\",\"size\": \"w64h64\",\"mode\": \"strict\"}"

curl -X POST "https://<APP_KEY>:<APP_SECRET>@content.dropboxapi.com/2/files/get_thumbnail_v2" \
  --header "Dropbox-API-Arg: {\"resource\": {\".tag\": \"path\",\"path\": \"/a.docx\"},\"format\": \"jpeg\",\"size\": \"w64h64\",\"mode\": \"strict\"}"

curl -X POST "https://content.dropboxapi.com/2/files/get_thumbnail_v2" \
  --header "Authorization: Basic <base64(APP_KEY:APP_SECRET)>" \
  --header "Dropbox-API-Arg: {\"resource\": {\".tag\": \"path\",\"path\": \"/a.docx\"},\"format\": \"jpeg\",\"size\": \"w64h64\",\"mode\": \"strict\"}"

Which one is correct? 🧐 If any...

... Where is the error? 🙋

Greg-DB · ‎11-09-2022

@Здравко Those three examples show three different ways of supplying the app key and secret to curl. I seems you're hinting that the calls overall don't make sense otherwise though as the use of the "path" in the sample parameters won't work for app authentication in particular. I'll ask the team to fix that up.

novaut · ‎11-10-2022

Hi @Здравко,

I understood how it works.

One question for how long refresh_token is alive? Is it long-lived?

I successfully got the file from Dropbox using the refresh_token and it doesn't ask for http authentication 🙂

Thank you so much for your help 🙂