cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Musicians, convert your MuseScore files to PDF to play music on the go! Learn more here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using refresh token without client secret

Using refresh token without client secret

johannesjo
Helpful | Level 5
Go to solution

I am using the PKCE flow for my electron based desktop & web app app and am trying to migrate for the new short lived tokens everywhere flow. I am able to get a refresh token by providing

token_access_type=offline

Now I am wondering how I can request a new accessToken without exposing my APP_SECRET (https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token).

Is there a way to do so?

1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
Go to solution

Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.

 

Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:

curl https://api.dropbox.com/oauth2/token \
    -d refresh_token=<REFRESH_TOKEN> \
    -d grant_type=refresh_token \
    -d client_id=<APP_KEY>

 

View solution in original post

4 Replies 4

Greg-DB
Dropbox Staff
Go to solution

Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.

 

Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:

curl https://api.dropbox.com/oauth2/token \
    -d refresh_token=<REFRESH_TOKEN> \
    -d grant_type=refresh_token \
    -d client_id=<APP_KEY>

 

johannesjo
Helpful | Level 5
Go to solution

Thanks for the quick response. Unfortunately this leads to an `invalid_request` error (400):
```

The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters.

```

johannesjo
Helpful | Level 5
Go to solution

Never mind! I had the wrong Content-Type header set. Seems to work fine now. Thank you very much!

 

Maybe this should be added to the documentation under the examples section?

Greg-DB
Dropbox Staff
Go to solution

Thanks for following up. I'm glad to hear you got this working.

 

Yes, I've asked the team to add that example to the documentation.

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Greg-DB Dropbox Staff
  • User avatar
    johannesjo Helpful | Level 5
What do Dropbox user levels mean?