Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

OAuth 2.0 for native apps

aston
Explorer | Level 4

Hi,

How can a native app (a desktop application) implement and use the Authorization flow without having to know/use the app's secret?

Quoting from here:

"The current industry best practice is to use the Authorization Flow while omitting the client secret, and to use an external user agent to complete the flow."

The browser of the system can be this "external user agent", but all the examples that I could find for the Java SDK (as this one) need the app-info file with the secret populated in order to work. I have tried having the secret empty or null but the authorization fails at the end with the following error:

Error in DbxWebAuth.authorize: {"error": "invalid_client: Invalid client_id or client_secret"}

Is implicit grant the only way to go?

Accepted Solutions

Re: OAuth 2.0 for native apps

Greg-DB
Dropboxer

Yes, for client-side apps, you should use the "implicit" a.k.a. "token" flow. This is the version of the Dropbox OAuth app authorization flow that does not require use of the app secret.

The DbxWebAuth class in the official Dropbox API v2 Java SDK is only built for web apps though, and does not support the implicit flow. I'll pass this along as a feature request, but I can't promise if or when that might be implemented though.

There is a special flow built for Android though, in case you're running on Android. Otherwise, you'll need to implement the implicit flow directly.
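The following is an added example, not part of the original posts and not Dropbox SDK code: a sketch of the implicit ("token") flow done by hand, with the `state` check a client needs before trusting the returned token. The authorize endpoint and parameter names are taken from Dropbox's OAuth documentation rather than from this thread; the class name, app key placeholder, redirect URI and sample redirect are constructed, and how the app obtains the redirected URL from the browser is left out.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
public class ImplicitFlowSketch {
    // Assumption: Dropbox's documented authorization page (not quoted in this thread).
    static final String AUTHORIZE = "https://www.dropbox.com/oauth2/authorize";
    // Unguessable per-attempt value that ties the redirect to this request.
    static String newState() {
        byte[] b = new byte[32];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    // URL to open in the system browser; the app secret is never sent.
    static String authorizeUrl(String appKey, String redirectUri, String state) {
        return AUTHORIZE + "?response_type=token"
            + "&client_id=" + enc(appKey)
            + "&redirect_uri=" + enc(redirectUri)
            + "&state=" + enc(state);
    }
    // The token comes back in the URI fragment; reject errors and mismatched state.
    static String tokenFromRedirect(String redirect, String expectedState) {
        String fragment = URI.create(redirect).getRawFragment();
        if (fragment == null) throw new IllegalArgumentException("no fragment in redirect");
        Map<String, String> p = new HashMap<>();
        for (String pair : fragment.split("&")) {
            String[] kv = pair.split("=", 2);
            p.put(dec(kv[0]), kv.length > 1 ? dec(kv[1]) : "");
        }
        if (p.containsKey("error")) throw new SecurityException("denied: " + p.get("error"));
        byte[] got = p.getOrDefault("state", "").getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(got, expectedState.getBytes(StandardCharsets.UTF_8)))
            throw new SecurityException("state mismatch; discarding response");
        String token = p.get("access_token");
        if (token == null || token.isEmpty()) throw new SecurityException("no access_token");
        return token;
    }
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
    public static void main(String[] args) {
        String state = newState();
        System.out.println(authorizeUrl("APP_KEY_PLACEHOLDER", "http://localhost:53682/cb", state));
        // Constructed redirect, standing in for what the browser lands on.
        String redirect = "http://localhost:53682/cb#access_token=CONSTRUCTED_TOKEN"
            + "&token_type=bearer&state=" + state;
        System.out.println(tokenFromRedirect(redirect, state));
    }
}
```

Browsers do not send the fragment to a server, so a loopback listener alone never sees the token; the app needs some way to read the full redirected URL.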

Re: OAuth 2.0 for native apps

aston
Explorer | Level 4

Thank you for the response.

I asked the question for implementation plans in the Java SDK GitHub repo.
