cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Are you new to Dropbox? Our Newcomers group is the perfect place to learn the basics, find out more here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

OAuth 2.0 for native apps

OAuth 2.0 for native apps

aston
Explorer | Level 4
Go to solution

Hi,

How a native app (a desktop application) can implement and use the Authorization flow without having to know/use the app's secret?

Quoting from here:

"The current industry best practice is to use the Authorization Flow while omitting the client secret, and to use an external user agent to complete the flow."

The browser of the system can be this "external user agent", but all the examples that I could find for the Java SDK (as this one) need the app-info file with the secret populated in order to work. I have tried having the secret empty or null but the authorization fails at the end with the following error:

Error in DbxWebAuth.authorize: {"error": "invalid_client: Invalid client_id or client_secret"}

 

Is implicit grant the only way to go?

1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
Go to solution

Yes, for client-side apps, you should use the "implicit" a.k.a. "token" flow. This is the version of the Dropbox OAuth app authorization flow that does not require use of the app secret.

The DbxWebAuth class in the official Dropbox API v2 Java SDK is only built for web apps though, and does not support the implicit flow. I'll pass this along as a feature request, but I can't promise if or when that might be implemented though.

There is a special flow built for Android though, in case you're running on Android. Otherwise, you'll need to implement the implicit flow directly.

View solution in original post

2 Replies 2

Greg-DB
Dropbox Staff
Go to solution

Yes, for client-side apps, you should use the "implicit" a.k.a. "token" flow. This is the version of the Dropbox OAuth app authorization flow that does not require use of the app secret.

The DbxWebAuth class in the official Dropbox API v2 Java SDK is only built for web apps though, and does not support the implicit flow. I'll pass this along as a feature request, but I can't promise if or when that might be implemented though.

There is a special flow built for Android though, in case you're running on Android. Otherwise, you'll need to implement the implicit flow directly.

aston
Explorer | Level 4
Go to solution

Thank you for the response.

I asked the question for implementation plans in the Java SDK GitHub repo.

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    aston Explorer | Level 4
  • User avatar
    Greg-DB Dropbox Staff
What do Dropbox user levels mean?