cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

No Refresh token is returned

No Refresh token is returned

Thomi
Explorer | Level 4
Go to solution

Hey,

 

I'm trying to figure out how the refresh token oauth2 process is working.

When I navigate to

https://www.dropbox.com/oauth2/authorize?client_id=<client_id>&token_access_type=offline&response_type=code

and grant premission I only get an oauth2 code but no refresh token. What am I doing wrong?

Do I have to enable something in the app center?

1 Accepted Solution

Accepted Solutions

TaylorKrusen
Dropbox Staff
Go to solution

When you swap that code for an access token(https://api.dropbox.com/oauth2/token), the resulting payload will contain an access_token and a refresh_token, which can be stored and used to issue a new access token later.

View solution in original post

10 Replies 10

TaylorKrusen
Dropbox Staff
Go to solution

Is this a newly created scoped app or an app that you're migrating? The OAuth Guide or blog post, Migrating App Permissions and Access Tokens, might be useful resources here.

In your app's settings there is an OAuth 2 section. Is the "Access token expiration" set to "Short-lived"? 

 

 

Thomi
Explorer | Level 4
Go to solution

Its a new scoped app and "Access token expiration" is set to "Short-lived".

TaylorKrusen
Dropbox Staff
Go to solution

When you swap that code for an access token(https://api.dropbox.com/oauth2/token), the resulting payload will contain an access_token and a refresh_token, which can be stored and used to issue a new access token later.

MarteIT
Explorer | Level 3
Go to solution

Hi! I have exactly the same problem. Can you please clarify what you mean by "swap"?

Where should I use the code (https://api.dropbox.com/oauth2/token)? curl? With any parameter/ID?

Can you please give me an easy procedure to follow, or an example? Thank you

Greg-DB
Dropbox Staff
Go to solution

@MarteIT By "swap", Taylor was referring to how the app sends the "authorization code" (which is received from the /oauth2/authorize OAuth step) in the request to the Dropbox /oauth2/token endpoint, and how the Dropbox API would send the access token and refresh token back in the response.

 

I recommend reading the OAuth Guide for an overview of how this process works. Then, refer to the authorization documentation for information on the specific endpoints and parameters to use, including examples of calling /oauth2/token using curl.

MarteIT
Explorer | Level 3
Go to solution

Hi Greg, thank you for your reply. I thought Taylor was referring to a somehow different procedure.

What you wrote was already clear to me and that's what I've been trying many times. The problem is that whenever I use the "authorization code" (which is received from the /oauth2/authorize OAuth step) and use it in the request to the Dropbox /oauth2/token endpoint, I get the following error:

{"error_description": "refresh token is malformed", "error": "invalid_grant"}

I'm just using the following command:

curl https://api.dropbox.com/oauth2/token -d grant_type=refresh_token -d refresh_token=["authorization code"] -u [xxxxxx]:[yyyyyyy]

Where am I wrong?

Greg-DB
Dropbox Staff
Go to solution

@MarteIT To exchange or "swap" the authorization code for an access token and refresh token you should use "grant_type=authorization_code", as shown in the "access token request in code flow" example (or "PKCE code flow token request" example, if using PKCE) in the /oauth2/token documentation.

 

Using "grant_type=refresh_token" is for when you would later use a refresh token to get a new short-lived access token.

MarteIT
Explorer | Level 3
Go to solution

Oh alright! I didn't get that. Honestly I find the documentation really misleading:

Example: refresh token request

curl https://api.dropbox.com/oauth2/token \
    -d grant_type=refresh_token \
    -d refresh_token=<REFRESH_TOKEN> \
    -u <APP_KEY>:<APP_SECRET>

Anyway, now I used:

curl https://api.dropbox.com/oauth2/token -d code=[auth code] -d grant_type=authorization_code -d redirec...https://www.dropbox.com/1/oauth2/display_token -u [xxxxxx]:[yyyyyy]

and I got this error:

{"error_description": "redirect_uri mismatch", "error": "invalid_grant"}

 

I set the Redirect URIs --https://www.dropbox.com/1/oauth2/display_token--

as indicated in some of your previous replies. Still can't get it work. Any suggestion? Thank you.

Greg-DB
Dropbox Staff
Go to solution

@MarteIT The 'redirect_uri' value you supply to /oauth2/token, if any, should exactly match the 'redirect_uri' value supplied to /oauth2/authorize, if any, when that particular authorization code was retrieved. If they don't match, you'll get this error.

 

The https://www.dropbox.com/1/oauth2/display_token  page is a basic page provided by Dropbox for use with the "token" flow (if the app doesn't have its own redirect URI to use and so instead needs to display the access token directly to the user), not the "code" flow as you're using here, so it probably doesn't make sense for your use case.

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    MarteIT Explorer | Level 3
  • User avatar
    Greg-DB Dropbox Staff
What do Dropbox user levels mean?