cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: OAuth 2.0 for native apps

OAuth 2.0 for native apps

aston
Explorer | Level 4
Go to solution

Hi,

How a native app (a desktop application) can implement and use the Authorization flow without having to know/use the app's secret?

Quoting from here:

"The current industry best practice is to use the Authorization Flow while omitting the client secret, and to use an external user agent to complete the flow."

The browser of the system can be this "external user agent", but all the examples that I could find for the Java SDK (as this one) need the app-info file with the secret populated in order to work. I have tried having the secret empty or null but the authorization fails at the end with the following error:

Error in DbxWebAuth.authorize: {"error": "invalid_client: Invalid client_id or client_secret"}

 

Is implicit grant the only way to go?

1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
Go to solution

Yes, for client-side apps, you should use the "implicit" a.k.a. "token" flow. This is the version of the Dropbox OAuth app authorization flow that does not require use of the app secret.

The DbxWebAuth class in the official Dropbox API v2 Java SDK is only built for web apps though, and does not support the implicit flow. I'll pass this along as a feature request, but I can't promise if or when that might be implemented though.

There is a special flow built for Android though, in case you're running on Android. Otherwise, you'll need to implement the implicit flow directly.

View solution in original post

2 Replies 2

Greg-DB
Dropbox Staff
Go to solution

Yes, for client-side apps, you should use the "implicit" a.k.a. "token" flow. This is the version of the Dropbox OAuth app authorization flow that does not require use of the app secret.

The DbxWebAuth class in the official Dropbox API v2 Java SDK is only built for web apps though, and does not support the implicit flow. I'll pass this along as a feature request, but I can't promise if or when that might be implemented though.

There is a special flow built for Android though, in case you're running on Android. Otherwise, you'll need to implement the implicit flow directly.

aston
Explorer | Level 4
Go to solution

Thank you for the response.

I asked the question for implementation plans in the Java SDK GitHub repo.

Need more support?