cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Share your feedback on the Document Scanning Experience in the Dropbox App right here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: Qt OAuth get refresh token

Qt OAuth get refresh token

sarahModulo
Explorer | Level 3
Go to solution

Hi,

 

I try to get my refresh token after going throw the basic authentification flow with PKCE.

Here my code :

connect(m_auth, &QAbstractOAuth2::authorizationCallbackReceived,[=](const QVariantMap data){
  if (false == data.isEmpty())
  {
     QString authCode = data.value("code").toString();
     if(!authCode.isEmpty())
     {
        qDebug() << authCode; //GOT an authentification Code
        QVariantMap parameters;
        parameters.insert("code", authCode);
        parameters.insert("grant_type","authorizatioon_code");
        parameters.insert("client_id",apiKey);
        parameters.insert("client_secret",apiSecret);

        QNetworkReply *reply = m_auth->post("https://api.dropboxapi.com/oauth2/token",parameters);
        connect(reply, &QNetworkReply::finished,this,&MyClass::getRefreshToken);
     }
  }
});

void MyClass::getRefreshToken()
{
    auto reply = qobject_cast<QNetworkReply*>(sender());
    Q_ASSERT(reply);

    const auto data = reply->readAll();
    qDebug() << "data " << data;
}

 

I got this error :

"{\"error\": \"invalid_request\", \"error_description\": \"Can't use \\\"Authorization\\\" header and \\\"client_secret\\\" arg together.\"}"

1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
Go to solution

Please note that when calling /oauth2/token, you should not include an access token. The /oauth2/token endpoint can be used to exchange an authorization code for an access token and optional refresh token, or to use a refresh token to get a new access token. It does not itself expect or accept an access token as input. When calling /oauth2/token, the "Authorization" header is a way to supply the app key and secret, as an alternative to the client_id and client_secret parameters. You can find more information in the documentation for /oauth2/token, as well as this blog post which contains a useful example.

 

You should only set the redirect_uri parameter on /oauth2/token if you used a redirect_uri on /oauth2/authorize when retrieving the authorization code, and if so, it must exactly match that redirect_uri value.

View solution in original post

4 Replies 4

Greg-DB
Dropbox Staff
Go to solution

This error message is indicating that the request contained both an "Authorization" header as well as the client_id and/or client_secret parameter. While Dropbox accepts the app key and secret in either, you should only use one or the other. That is, the request needs to contain either only the "Authorization" header or only the client_id and client_secret parameters.

 

In your code, I see you are setting the "client_id" and "client_secret" parameters. I don't see you explicitly setting the "Authorization" header, so it looks like you're either setting it in some other version or part of the code not shown here, or it's being set by your network client automatically. Either way, you'll need to debug that you make sure you only set one or the other. We can't provide support for Qt/QNetworkReply in particular though, as it's not made by Dropbox.

 

By the way, you have a typo in "authorizatioon_code"; it should be "authorization_code".

sarahModulo
Explorer | Level 3
Go to solution

In postman I have the same issus if I set an Access Token in Authorization part.

Here the post request "https://api.dropboxapi.com/oauth2/token?code=<AuthorizationCode>&grant_type=authorization_code&clien...

error 

{
    "error""invalid_request",
    "error_description""Can't use \"Authorization\" header and \"client_secret\" arg together."
}
 
if I remove client_id and client_secret from the post request
error
{
    "error""invalid_request",
    "error_description""The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters."
}
 
If I remove my Access Token in Authorization part
error
{
    "error""invalid_grant",
    "error_description""redirect_uri mismatch"
}
But Callback URL is the one I set in my dropBox Api... Should I put an other redirect_uri ? And which one ? And where should I set it ? In Param section or Authorization section ?

Greg-DB
Dropbox Staff
Go to solution

Please note that when calling /oauth2/token, you should not include an access token. The /oauth2/token endpoint can be used to exchange an authorization code for an access token and optional refresh token, or to use a refresh token to get a new access token. It does not itself expect or accept an access token as input. When calling /oauth2/token, the "Authorization" header is a way to supply the app key and secret, as an alternative to the client_id and client_secret parameters. You can find more information in the documentation for /oauth2/token, as well as this blog post which contains a useful example.

 

You should only set the redirect_uri parameter on /oauth2/token if you used a redirect_uri on /oauth2/authorize when retrieving the authorization code, and if so, it must exactly match that redirect_uri value.

Здравко
Legendary | Level 20
Go to solution

@sarahModulo wrote:

...

...
        QNetworkReply *reply = m_auth->post("https://api.dropboxapi.com/oauth2/token",parameters);
...

 

I got this error :

"{\"error\": \"invalid_request\", \"error_description\": \"Can't use \\\"Authorization\\\" header and \\\"client_secret\\\" arg together.\"}"


Hi @sarahModulo,

Yes, that's normal. The post method you're using implies authentication (i.e. includes 'Bearer' authentication). You are doing something the class you're using already implements. :winking_face: You're repeating in your code something already done! This explains the received error message. Read the documentation with bit more care.

Use the same post method to only call all regular API calls (i.e. the calls intended to use 'Bearer' authentication), not to call intended to receive any kind of token (as you are using incorrectly now).

Hope this gives direction.

Need more support?