cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: Long time registered app not allowing Oauth authentication.

Long time registered app not allowing Oauth authentication.

Daniel G.70
Explorer | Level 4
Go to solution

Anyone know why all of a sudden a dropbox registered app that's been working fine for years would suddenly show

{"error": "invalid_scope", "error_description": "Non-scoped apps cannot specify token scopes"}

When attempting to use an oauth refresh token like so.

POST https://api.dropbox.com/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.dropbox.com
Content-Length: 363
Expect: 100-continue

refresh_token=<VALIDTOKEN>&grant_type=refresh_token&client_id=<VALIDCLIENTID>&client_secret=<VALIDSECRET>&scope=account_info.write+account_info.read+files.metadata.write+files.metadata.read+files.content.write+files.content.read+sharing.write+sharing.read+file_requests.write+file_requests.read+contacts.write

I'm guessing I need to do something to the registration of the app. That some new requirement is needed, but I'm not sure what.

1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
Go to solution

[Cross-linking for reference: https://stackoverflow.com/questions/75738278/non-scoped-apps-cannot-specify-token-scopes-when-using-... ]

 

From your description, it sounds like you have a legacy non-scoped app from before we switched to registering new apps as scoped apps.

 

We recently fixed a bug where the API would allow non-scoped apps to specify scopes using the 'scope' parameter when calling /oauth2/token with 'grant_type=refresh_token'. Scopes don't apply to non-scoped apps so this is supposed to be rejected with the error you're seeing.

 

To correct this, you should either:

  1. not provide the 'scope' parameter when calling /oauth2/token for the non-scoped app, or
  2. migrate your non-scoped app to use scopes, which you can do using the "Permissions" tab of the app's page on the App Console.

Option b would be preferred. You can find more information on the migration here.

View solution in original post

6 Replies 6

Greg-DB
Dropbox Staff
Go to solution

[Cross-linking for reference: https://stackoverflow.com/questions/75738278/non-scoped-apps-cannot-specify-token-scopes-when-using-... ]

 

From your description, it sounds like you have a legacy non-scoped app from before we switched to registering new apps as scoped apps.

 

We recently fixed a bug where the API would allow non-scoped apps to specify scopes using the 'scope' parameter when calling /oauth2/token with 'grant_type=refresh_token'. Scopes don't apply to non-scoped apps so this is supposed to be rejected with the error you're seeing.

 

To correct this, you should either:

  1. not provide the 'scope' parameter when calling /oauth2/token for the non-scoped app, or
  2. migrate your non-scoped app to use scopes, which you can do using the "Permissions" tab of the app's page on the App Console.

Option b would be preferred. You can find more information on the migration here.

Daniel G.70
Explorer | Level 4
Go to solution

Excellent. I will look into this. Thankyou!

Здравко
Legendary | Level 20
Go to solution

Hi @Daniel G.70,

As can be seen from the error message, you're trying scopes on no scoped application! 🙋 Why? 🤔 Try to remove the last part (representing the scopes) from the request payload. Or register a new scoped application and start anew.

Hope this helps.

Greg-DB
Dropbox Staff
Go to solution

@Daniel G.70 Also, to expand on Здравко's comment, while new apps are registered as scoped apps now, you do not need to register a new app. You can and should migrate any existing non-scoped apps to use scopes.

 

And additionally, while I mentioned that you only need to do either option a or b in my post, you can technically do both. The 'scope' parameter on /oauth2/token is optional for both scoped and non-scoped apps; it is only needed if/when you want to get an access token with a specific subset of the scopes authorized to the given refresh token when calling with 'grant_type=refresh_token'.

Здравко
Legendary | Level 20
Go to solution

@Greg-DB wrote:

...; it is only needed if/when you want to get an access token with a specific subset of the scopes authorized to the given refresh token when calling with 'grant_type=refresh_token'.


... and also if you want to restrict scopes available to the refresh token as a subset of all scopes available to the application when initiate OAuth flow. If you don't need restricting any scopes and you have set all properly to the application and no need different instances with different scopes, better skip 'scope' usage at all.

Daniel G.70
Explorer | Level 4
Go to solution

This was indeed exactly the issue. We never did migrate to a scoped app. And we do specify scopes on the wire.

 

That was the source of the issue and the fixes you propose did work. Thankyou!

Need more support?