Dropbox API Support & Feedback

OAuth2 refresh token question - what happens when the refresh token expires?

FrustratedUser3
Collaborator | Level 8

I've been testing the Dropbox OAuth2 endpoints for a few days and I have read the documentation provided directly by Dropbox. However, it is not clear to me how I'm supposed to handle the acquisition of a new refresh token after the first one has been used. The documentation, diagrams, and code samples do not mention this use case as far as I have seen.

 

In short, I can use one of the available authentication schemes (implicit, PKCE, etc.) to get a token and a refresh token, but then what? I have a Python client running in my environment that needs to connect 24/7, which currently works with long-term tokens, but how do I avoid needing to constantly click 'Allow' when I need to refresh the token? The only way I've been able to reconnect is to send the user back to the browser to get a code. What is supposed to happen when a refresh token expires and how do I deal with it using the implicit and PKCE flows?

 

In most of the other APIs I've used, asking for a new token returns yet another refresh token, which can be done repeatedly without limitation and that's what I need to do in this case as well. I want my users to authorize the app one time and then never need to do so again; that's the end goal.


Greg-DB
Dropbox Staff

While Dropbox "short-lived access tokens" do expire automatically, "refresh tokens" do not. When your app gets a refresh token, it can use that to continuously get new short-lived access tokens whenever needed, without further manual user intervention. (The Python SDK actually does that for you automatically.)

 

So, since Dropbox refresh tokens do not expire automatically they can and should be re-used repeatedly. The app will not receive a new refresh token every time it requests a new short-lived access token. It should just store and continue re-using the same one.

 

They can be revoked manually though, either by the user (e.g., via https://www.dropbox.com/account/connected_apps ) or the app, at which point the app would need to prompt the user to re-authorize the app if they wish to use it again.

FrustratedUser3
Collaborator | Level 8

Thanks for the response. Just to be sure I'm understanding:

  • I need to store the refresh token from the original authentication call.
  • When the access token expires, the original refresh token can be used to generate a new access token.

Is that correct? Also, what happens if you lose the refresh token? It doesn't make a lot of sense to force the user to authenticate via URL a second time, but that's the only way I know how to get a new access token without a refresh token using any of the flows. Am I missing something or is that right?

Greg-DB
Dropbox Staff

Yes, that's correct.

 

And yes, a refresh token is needed to programmatically retrieve more short-lived access tokens, so if you lose the refresh token you'd need to send the user through the authorization flow again to get a new one.

FrustratedUser3
Collaborator | Level 8

Got it. Thanks. Do you happen to know where I can read about this in the documentation? I can't find the information you're explaining and I'm not sure how the SDK stores the token or if it's safe. Does it put the token in a plaintext file on the disk somewhere?

Greg-DB
Dropbox Staff

You can find information on the Dropbox OAuth flow in general in the OAuth Guide and the authorization documentation. The documentation for the OAuth functionality in the Python SDK in particular can be found here.

 

The Python SDK does not handle the local persistence of access tokens or refresh tokens for you. Local data persistence needs to be handled by the app.

FrustratedUser3
Collaborator | Level 8

The documentation really should address these issues. It is not obvious how the refresh mechanism works and a few sentences would prevent a lot of confusion. The code example could use a comment as well for the same reason.

 

"Refresh tokens can be used multiple times to create new tokens." More explanation would be much better, but even something as simple as that would have saved several hours of my time. This detail is not explained anywhere in the documentation and it's not an obvious piece of information considering many OAuth refresh token implementations do not work the same way.

Greg-DB
Dropbox Staff

Thanks for the feedback! I'll ask the team to clarify this in the documentation. 

FrustratedUser3
Collaborator | Level 8

It looks like some of the documentation has been updated, but I didn't see anything in the OAuth guide, which would be the best place to explain the process. I've been asked a few times about how to fix this in code and the solution is really straightforward to explain via the code itself.

 

Go here to see a PKCE authorization example script, which has the following code:

 

#!/usr/bin/env python3

import sys

import dropbox
from dropbox import DropboxOAuth2FlowNoRedirect

'''
Populate your app key in order to run this locally
'''
APP_KEY = ""

# token_access_type='offline' is what makes Dropbox return a refresh token
# alongside the short-lived access token
auth_flow = DropboxOAuth2FlowNoRedirect(APP_KEY, use_pkce=True, token_access_type='offline')

authorize_url = auth_flow.start()
print("1. Go to: " + authorize_url)
print("2. Click \"Allow\" (you might have to log in first).")
print("3. Copy the authorization code.")
auth_code = input("Enter the authorization code here: ").strip()

try:
    oauth_result = auth_flow.finish(auth_code)
except Exception as e:
    print('Error: %s' % (e,))
    sys.exit(1)

# Given the refresh token, the SDK fetches short-lived access tokens on its own
with dropbox.Dropbox(oauth2_refresh_token=oauth_result.refresh_token, app_key=APP_KEY) as dbx:
    dbx.users_get_current_account()
    print("Successfully set up client!")

 

 

Now, all you need to do is this:

 

# View the details of the oauth result
print(f'Access Token  = {oauth_result.access_token}')
print(f'Account ID    = {oauth_result.account_id}')
print(f'Refresh Token = {oauth_result.refresh_token}')
print(f'Expiration    = {oauth_result.expiration}')
print(f'Scope         = {oauth_result.scope}')

# Store this to use over and over whenever an access token expires.
# save_somewhere() stands for your app's own persistence routine; the SDK
# does not store tokens for you.
save_somewhere(oauth_result.refresh_token)

 

 

The SDK will automatically request new access tokens as long as you supply the refresh token. Other scripts can use the refresh token as well, e.g.:

 

import dropbox

APP_KEY = '<your app key>'
# get_refresh_token_from_wherever_you_put_it() stands for your app's own
# code that loads the refresh token saved by the authorization script
refresh_token = get_refresh_token_from_wherever_you_put_it()

# Pass the stored refresh token; the SDK requests new access tokens as needed
with dropbox.Dropbox(oauth2_refresh_token=refresh_token, app_key=APP_KEY) as dbx:
    dbx.users_get_current_account()
    print("Successfully set up client!")
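Two points in this thread are left to the app: Greg-DB's note that the SDK does not persist the refresh token, and the `save_somewhere()` / `get_refresh_token_from_wherever_you_put_it()` placeholders above. The following is an added example (not code from the thread, from Dropbox, or from the SDK) of one way to fill those placeholders for a single-user script on a POSIX system: the token file is created with mode 0600 and written atomically, loading refuses a file other users can read, and a revoked token is forgotten so the next run sends the user back through the authorization flow. `TOKEN_FILE`, `save_refresh_token`, `load_refresh_token`, `forget_refresh_token` and `make_client` are names chosen here, not SDK names; the behaviour that a rejected refresh token surfaces as `dropbox.exceptions.AuthError` on the next API call is assumed and not exercised offline.

```python
#!/usr/bin/env python3
"""Persisting and re-using a Dropbox refresh token (added example).

Assumes a single-user script on POSIX; TOKEN_FILE is a constructed
placeholder path. The Dropbox SDK does not persist tokens, so this
part belongs to the app.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed placeholder; a real app would pick its own per-user config dir.
TOKEN_FILE = Path.home() / ".my_dropbox_app" / "token.json"


def save_refresh_token(path, refresh_token, account_id=None):
    """Write the refresh token so that only the current user can read it.

    The token goes into a temporary file created with mode 0600 (mkstemp
    does this regardless of umask) and is then renamed over `path`, so a
    crash mid-write never leaves a half-written or world-readable file.
    """
    path = Path(path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    payload = json.dumps({"refresh_token": refresh_token, "account_id": account_id})
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".token-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(payload)
        os.replace(tmp, path)  # atomic on POSIX; keeps the 0600 mode
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def load_refresh_token(path):
    """Return the stored refresh token, or None if nothing has been saved.

    A refresh token grants long-lived access to the account, so a file
    readable by group or others is treated as an error, not silently used.
    """
    path = Path(path)
    if not path.exists():
        return None
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:04o}; expected 0600")
    with path.open() as fh:
        data = json.load(fh)
    return data.get("refresh_token") or None


def forget_refresh_token(path):
    """Delete the stored token (e.g. after Dropbox reports it revoked).

    Returns True if a file was removed, False if there was none.
    """
    try:
        Path(path).unlink()
        return True
    except FileNotFoundError:
        return False


def make_client(app_key, path=TOKEN_FILE):
    """Build a dropbox.Dropbox client from the stored refresh token.

    Returns None when no token is stored; the caller should then run the
    authorization flow again. The SDK itself turns the refresh token into
    short-lived access tokens whenever it needs one.
    """
    import dropbox  # imported lazily so the store has no SDK dependency

    token = load_refresh_token(path)
    if token is None:
        return None
    return dropbox.Dropbox(oauth2_refresh_token=token, app_key=app_key)


if __name__ == "__main__":
    import dropbox.exceptions

    APP_KEY = "<your app key>"  # placeholder
    try:
        dbx = make_client(APP_KEY)
    except PermissionError as exc:
        raise SystemExit(f"Fix the token file before continuing: {exc}")
    if dbx is None:
        raise SystemExit("No stored refresh token: run the authorization script first.")
    try:
        print(dbx.users_get_current_account().name.display_name)
    except dropbox.exceptions.AuthError as exc:
        # Assumed behaviour: a revoked refresh token is rejected on the next call.
        forget_refresh_token(TOKEN_FILE)
        raise SystemExit(f"Refresh token rejected ({exc}); re-authorize the app.")
```

The authorization script would call `save_refresh_token(TOKEN_FILE, oauth_result.refresh_token, oauth_result.account_id)` in place of `save_somewhere(...)`, and every other script then uses `make_client(APP_KEY)`; the same refresh token is re-used for as long as the user leaves the app connected.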

 

 

Zachjaryw
New member | Level 2

Hello there. I understand that the refresh tokens are needed in order to continuously use the app without expiration. I do not understand where to find this refresh token. Can someone help? Thank you.
