Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

Re: can i pass the email and password in the url of dropbox to automatically login to the dropbox

Ch M1
Explorer | Level 3

Hi,

With the auth URL "https://www.dropbox.com/oauth2/authorize/?client_id=<key>&token_access_type=offline&response_type=co..." it requires the user to log in to my Dropbox account first, and then returns a code. It does not make sense. If every user can log in to my account, why do we need the secret key? A request link to upload makes far more sense for my requirement. However, my app is not able to receive return info with a request link. How can I have the code returned secretly or without login?

Accepted Solutions

Greg-DB
Dropbox Staff

The app key and app secret, also known as client ID and secret, identify the app itself, not any particular account, and do not themselves enable access to any account.

The OAuth app authorization flow is a way for arbitrary end-users to allow apps to connect to their accounts. It is not possible to fully automate the OAuth process where the user chooses to authorize the app and the app then receives the resulting access token and optional refresh token. This needs to be done manually by the user at least once. If your app needs to maintain long-term access without the user manually re-authorizing it repeatedly, the app should request "offline" access so that it gets a refresh token. The refresh token doesn't expire and can be stored and used repeatedly to get new short-lived access tokens whenever needed, without the user manually reauthorizing the app.

The app key/secret and OAuth flow do not allow other users to access your account. Access/refresh tokens and user credentials (username and password) enable access to accounts. As long as you do not distribute your access/refresh tokens or username/password, other users would not have a way to access your own account.

It sounds like you want your users to always connect to your own account only. The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. While it is technically possible to always connect to just one account for all users, we do not officially support this, for various technical and security reasons.
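
The flow described in the answer above, as an added example that is not part of the original post and is not Dropbox's own code: the user approves the app once through the authorize URL, the app trades the returned code for tokens, and afterwards it uses the stored refresh token to get new short-lived access tokens. The redirect URI, the `state` value and the function names are assumptions for illustration; no account email or password appears anywhere in these requests.

```python
import base64
import json
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"
TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"


def build_authorize_url(app_key, redirect_uri, state):
    """URL the account owner opens once, in a browser, to approve the app."""
    query = urllib.parse.urlencode({
        "client_id": app_key,             # identifies the app, not an account
        "response_type": "code",
        "token_access_type": "offline",   # ask for a refresh token as well
        "redirect_uri": redirect_uri,     # assumption: registered for the app
        "state": state,                   # random value, checked on return
    })
    return f"{AUTHORIZE_URL}?{query}"


def _token_request(app_key, app_secret, fields):
    """POST to the token endpoint; app key/secret travel as HTTP Basic auth."""
    basic = base64.b64encode(f"{app_key}:{app_secret}".encode()).decode()
    return urllib.request.Request(
        TOKEN_URL,
        data=urllib.parse.urlencode(fields).encode(),
        headers={"Authorization": f"Basic {basic}"},
        method="POST",
    )


def code_exchange_request(app_key, app_secret, code, redirect_uri):
    """One time: trade the authorization code for access + refresh tokens."""
    fields = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri}
    return _token_request(app_key, app_secret, fields)


def refresh_request(app_key, app_secret, refresh_token):
    """Repeatable: trade the stored refresh token for a new access token."""
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return _token_request(app_key, app_secret, fields)


def send(request):
    """Perform the call and return the parsed JSON body (needs network)."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)
```

The app secret and the refresh token belong in server-side secret storage only; whoever holds the refresh token has access to the linked account.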

Ch M1
Explorer | Level 3

Thank you very much for your reply. I spent a lot of time exploring this issue. Your last sentence makes sense of everything. I am looking for storage with one account for all users. It looks like Dropbox is not designed for this purpose.
