Dropbox API Support & Feedback
Invalid OAuth token handling

Zoë
Explorer | Level 3

I'm writing directly against the v2 HTTP API and while testing our login and error handling, I found some unexpected results.  If I take a valid OAuth token and corrupt it (change the first character, for example), or just give it a garbage string (say, "abc") the response is either 500 Internal Server Error or 400 "The given OAuth2 access token is malformed".  I'm seeing it in both user authentication APIs (/files/list_folder) using OAuth2 credentials and in /auth/token/from_oauth1 if I corrupt the OAuth1 credentials.  While I suppose they are invalid inputs, I would have expected a 401 Authentication error for either case to tell me that I need to reauthenticate the user.

3 Replies

Greg-DB
Dropbox Staff

Thanks for the report! The 500 response to an invalid access token would just be a bug on our side. We'll look into it.


The 400 is expected if the supplied string doesn't match the expected pattern for an access token, for example when supplying "abc" as mentioned. You can check the response body for an error message:


Error in call to API function "users/get_current_account": The given OAuth 2 access token is malformed.


You will get a 401 on further calls for a revoked token, for example, if it was a real token revoked via /2/auth/token/revoke:


{"error_summary": "invalid_access_token/...", "error": {".tag": "invalid_access_token"}}

Zoë
Explorer | Level 3

Yes, the 400 response does say that the OAuth2 access token is malformed, but that only helps if someone looks at a log.  In code I can detect 401 errors or from_oauth1's 409 "invalid_oauth1_token_info" error, clear the access token, and automatically ask the user to re-authenticate, but if it's just a generic 400 there's no way for me to do that.  

Greg-DB
Dropbox Staff
Thanks for the feedback! The 400 error here with the plain text error message is more meant for the developer during development of the app. Generally, your app should be written such that a malformed access token like that wouldn't be able to make it into your released app, but you can catch the 400 and display the error to the user if you want.
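The response-handling rules laid out in this thread (Greg-DB's description of the 400 / 401 / 500 responses and Zoë's 401 / 409 re-authentication logic), worked into a small classifier as an added example. This is not Dropbox's own code; it assumes the 409 body from /2/auth/token/from_oauth1 uses the same {"error": {".tag": ...}} JSON shape as the 401 body quoted above, and the sample bodies are constructed.

```python
import json
from enum import Enum
from typing import Optional


class TokenAction(Enum):
    OK = "ok"
    REAUTHENTICATE = "reauthenticate"    # drop the stored token, send the user through OAuth again
    DEVELOPER_ERROR = "developer_error"  # a malformed token string reached the API: an app bug
    RETRY = "retry"                      # server-side failure (the 500 seen in the thread)
    OTHER = "other"                      # some other API error, handled per endpoint


def _error_tag(body: str) -> Optional[str]:
    """Return error['.tag'] from a JSON error body, or None if the body is not JSON-shaped."""
    try:
        data = json.loads(body)
    except ValueError:
        return None  # plain-text bodies such as the 400 message
    error = data.get("error") if isinstance(data, dict) else None
    return error.get(".tag") if isinstance(error, dict) else None


def classify_token_response(status: int, body: str) -> TokenAction:
    """Map an HTTP status and response body to the action the client should take."""
    if 200 <= status < 300:
        return TokenAction.OK
    if status == 401:
        # Revoked or otherwise invalid token, e.g. {"error": {".tag": "invalid_access_token"}}
        return TokenAction.REAUTHENTICATE
    if status == 409 and _error_tag(body) == "invalid_oauth1_token_info":
        # from_oauth1 rejected the OAuth 1 credentials (assumed JSON shape, see lead-in)
        return TokenAction.REAUTHENTICATE
    if status == 400 and "access token is malformed" in body:
        # Plain-text message meant for the developer; the token never matched the expected pattern
        return TokenAction.DEVELOPER_ERROR
    if 500 <= status < 600:
        return TokenAction.RETRY
    return TokenAction.OTHER


# Constructed sample responses for a quick manual run.
SAMPLES = [
    (401, '{"error_summary": "invalid_access_token/...", "error": {".tag": "invalid_access_token"}}'),
    (400, 'Error in call to API function "users/get_current_account": The given OAuth 2 access token is malformed.'),
    (500, "Internal Server Error"),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, classify_token_response(status, body).value)
```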