According to the OAuth2 Authorization documentation , the `scope` is a nullable String:
scope String? This parameter allows your user to authorize a subset of the scopes selected in the App Console. Multiple scopes are separated by a space. If this parameter is omitted, the authorization page will request all scopes selected on the Permissions tab. Read about scopes in the OAuth Guide.
This matches RFC6749 section 3.3 which states:
If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).
However, the Dropbox API treats the nullable state incorrectly:
Section 3.1 of the RFC states:
Parameters sent without a value MUST be treated as if they were omitted from the request. The authorization server MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than once.
It seems that the Dropbox authorization endpoint is mis-treating the value, causing the 400 error. Per the specification, a parameter with an empty value MUST be treated in the same way as an omitted parameter.
Solved! Go to Solution.
The way we work is changing. Share and discover new ways to work smarter with Dropbox in our community.Sound good? Let's get started.
For more info on available support options, see this article.
If you found the answer to your question, please 'like' the post to say thanks to the user!