
Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.


Issue Generating Refresh Token with OAuth Code Flow

ImpulseWebDev
Explorer | Level 3

Hello, I have been struggling a bit with getting a refresh token or any success response at all from the endpoint 'https://api.dropboxapi.com/oauth2/token' when following the guide here https://developers.dropbox.com/oauth-guide.

While the docs show all curl requests, I am attempting to make my request currently from postman, but in the end I would like to do this via a standard fetch request if possible.

However, when making requests to the endpoint above, I always am returned the response

{
    "error": "invalid_request",
    "error_description": "The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters."
}

Here is one example of my request:

   var details = {
    'code': 'REDACTED',
    'grant_type': 'authorization_code',
    'REDACTED': 'REDACTED'
  };

  var formBody = [];
  for (var property in details) {
    var encodedKey = encodeURIComponent(property);
    var encodedValue = encodeURIComponent(details[property]);
    formBody.push(encodedKey + "=" + encodedValue);
  }
  formBody = formBody.join("&");

  fetch('https://api.dropboxapi.com/oauth2/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8'
    },
    body: formBody
  }).then(function(response) { 
    return response.json()
  }).then(function(data) {   
    console.log(data);
  })


Here is my postman version
[Images: Screenshot (187).png, Screenshot (186).png]

For the sections covered in red or 'REDACTED':
The code I am getting via this URL https://www.dropbox.com/oauth2/authorize?client_id=REDACTED&response_type=code&token_access_type=off...

The lowest section is my app key and app secret (in that order).

Is it possible to make this POST request to this endpoint in the way I am trying?

If so, is it possible to see an example somewhere in the docs that is not a curl request? // or point me in the direction of what I am not doing correctly by chance?

Edit: I should also note that this account has purchased 'Teams'.
Thanks in advance!

Accepted Solutions

Greg-DB
Dropbox Staff

Given your redactions and descriptions, it seems like you're sending a parameter with the name being your app key and the value being your app secret, however that is not the correct formatting. When calling /oauth2/token to exchange the authorization code for an access token/refresh token with the code flow like this, you should send a parameter named "client_id" with the value being your app key, and a parameter named "client_secret" with the value being your app secret. You would do that the same way you already have a parameter named "code" with the value being the authorization code string.

 

(Note that it's also possible to send the app key and secret as "Basic" authorization, which is what the example in the documentation does using the "-u" curl flag, but that would be encoded and formatted differently. I recommend just using the parameters as described above for simplicity.)
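The two ways of passing the app key and secret described in this answer, as an added example that is not part of the original post or of Dropbox's documentation. The function names, the `NAMES_IN_THREAD` list and all credential values are assumptions made for illustration; the last function flags a body like the one in the question, where the app key was sent as a parameter name.

```javascript
// Added example. All credential values used with it are constructed placeholders.
const TOKEN_URL = 'https://api.dropboxapi.com/oauth2/token';
// Parameter names mentioned in this thread for the code flow (hypothetical constant).
const NAMES_IN_THREAD = ['code', 'grant_type', 'redirect_uri', 'client_id', 'client_secret'];

// Parameters common to both options.
function baseBody(code, redirectUri) {
  const body = new URLSearchParams({ code, grant_type: 'authorization_code' });
  if (redirectUri) body.set('redirect_uri', redirectUri);
  return body;
}

// Option 1: app key and secret as the named parameters client_id / client_secret.
function tokenRequestWithParams({ code, appKey, appSecret, redirectUri }) {
  const body = baseBody(code, redirectUri);
  body.set('client_id', appKey);
  body.set('client_secret', appSecret);
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Option 2: HTTP Basic, the equivalent of curl's -u <APP_KEY>:<APP_SECRET>.
function tokenRequestWithBasicAuth({ code, appKey, appSecret, redirectUri }) {
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: 'Basic ' + btoa(appKey + ':' + appSecret),
    },
    body: baseBody(code, redirectUri).toString(),
  };
}

// Pre-flight check: list body parameter names that are not in NAMES_IN_THREAD.
function unexpectedParamNames(formBody) {
  return [...new URLSearchParams(formBody).keys()]
    .filter((name) => !NAMES_IN_THREAD.includes(name));
}

// Usage (sends the request; not executed here):
// fetch(TOKEN_URL, tokenRequestWithParams({ code, appKey, appSecret }))
//   .then((res) => res.json()).then(console.log);
```

Both forms carry the app secret, so this exchange belongs in server-side code rather than in a script delivered to browsers.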


5 Replies

Здравко
Legendary | Level 20

@ImpulseWebDev wrote:

...
The lowest section is my app key and app secret (in that order).

Is it possible to make this POST request to this endpoint in the way I am trying?
...


Hi @ImpulseWebDev,

No, it's not! Where did you read that you need to post a parameter carrying a name equal to your app key?

Next to the curl examples, there are lists of possible parameters! You have to choose something from there. The possible parameters for passing the app key and secret are client_id and client_secret. An alternative way is passing them in the form "<client_id value>:<client_secret value>" as base authentication.

Hope this gives direction.

ImpulseWebDev
Explorer | Level 3

Hello Greg, first thank you again for the response - that does indeed change my error response however I think I am just a bit off still from your explanation. It sounds like I should remove my app key : app secret and replace it with the two values you stated.

I have gone back to my app console to verify both values are accurate, any idea why it would say one is potentially invalid?

[Image: Screenshot (188).png]

ImpulseWebDev
Explorer | Level 3

Hello and thanks for the reply.

My apologies, I am not very familiar with curl request syntax, however I was attempting to reproduce the example from the Dropbox endpoint docs here:

curl https://api.dropbox.com/oauth2/token \
    -d code=<AUTHORIZATION_CODE> \
    -d grant_type=authorization_code \
    -d redirect_uri=<REDIRECT_URI> \
    -u <APP_KEY>:<APP_SECRET>

The last portion '<APP_KEY>:<APP_SECRET>' was why I attempted that method. I have since updated to use the two params suggested, however any idea what would trigger this response? I did return to my app console to verify both key and secret are up to date.

[Image: Screenshot (188).png]

ImpulseWebDev
Explorer | Level 3

Final reply: The params suggested do work in my non-Postman fetch request and return the success response outlined in the docs. That gets me through. Thank you again!
