Re: Wild Card redirect uri

Chris J.2 · ‎01-06-2015

Hi,

Is it possible to use a wild card in a redirect_uri?

We're developing an app that can have multiple sub domains e.g.

User 1 can have a url:
https://testuser1.example.com/app

User 2 can have a url:
https://testuser2.example.com/app

Is it possible for a redirect_uri to be allowed form https://*.example.com/app?

Thanks!

Greg-DB · ‎01-06-2015

This isn't currently possible, as all OAuth 2 redirect URIs are required to be pre-registered as a matter of security. I'll be sure to pass this along as feedback though.

As mentioned though, one thing you may be able to do instead is to use one static redirect URI but encode the necessary information in the 'state' parameter, and decode it as necessary after the redirect back to your app, to handle it as necessary:

https://www.dropbox.com/developers/core/docs#oa2-authorize

Alternatively, you can use OAuth 1, which doesn't require pre-registered redirect URIs.

Sasha P.1 · ‎07-20-2015

Upvoting! This would be very helpful in resolving a current problem I'm dealing with as well.

Thibaud L. · ‎08-21-2015

@Gregory there is no way to be able to call dropbox API to get new consumer id/key during deploy state? I really think is not possible because how to secure such API that deliver access keys 🙂 But I prefer to ask 🙂

Greg-DB · ‎08-21-2015

Thibaud, no, there currently isn't a way to programmatically register new apps, but I'll be sure to pass this along as a request.

(Also, your question doesn't really seem related to this thread, so for future reference, in cases like this, please be sure to create a new thread for your question.)

Jimmy C.8 · ‎02-26-2016

is it possible to pass a redirect_uri with arbitrary path as long as the base_uri is the same?

Example

registered uri: https://somesub.myapp.com/auth/dropbox

sent uri: https://somesub.myapp.com/auth/dropbox/user/111

Greg-DB · ‎02-26-2016

No, the entire URI needs to match. I recommend using the state parameter to pass along data as necessary instead.

Mark L.45 · ‎04-18-2016

Hi,

I am trying to follow this dropbox tutorial; but with success

https://blogs.dropbox.com/developers/2013/07/using-oauth-2-0-with-the-core-api/

I tried this call using the parameters shown and it worked, at least tried to redirect me to the localhost. But what does this mean? I simply want to be able to ask a user of app to grant dropbox permission to access a shared directory within their dropbox, so I need their bearer-id in calls my app makes to dropbox.

I setup my own authorisation key thru the dropbox, but what prey ask is a URI in this context? what can use as a redirect URL in this call, assuming I have no plans to set up a web server behind this; its an app that is making this call and I am more than happy to redirect users to dropbox if need be to get the credentials to continue?

https://www.dropbox.com/1/oauth2/authorize?client_id=<appkey>&response_type=code&redirect_uri=<redirect URI>&state=<CSRF token>

client_id I have?
redirect URI I don't have; I set it to https://localhost in my app, but it makes no sense?
CSRF token I can generate?

I am looking to do an “implicit grant” (for client-side apps like mobile or JavaScript apps). I don't want to have to try to implement Swifty API if I can avoid doing so since I want my code to be as simple as possible?

Greg-DB · ‎04-18-2016

If you want to use the implicit flow, your response_type should be set to "token". The client_id should be your app key, and the redirect URI should be some URI where you want the user sent back to after they approve your app to connect to their account. For the implicit a.k.a. token flow, the access token is returned to the redirect URI on the URL fragment.

While in development, you may use localhost, which points to your local machine, to handle the redirect. You may also want to use localhost in general if your app only runs on the client.

There's an OAuth guide here that may be useful:

https://www.dropbox.com/developers/reference/oauthguide

Mark L.45 · ‎04-18-2016

Gregory,

Thanks, a step forward; but it is now telling me it is unable to open localhost; which makes perfect sense cause the plan is to run this within an app on an iPad. How can I get this response back without running a web server?

Or indeed do I simply ignore this error message and process the return anyway? There appears to be a bearer access token there anyway?

Moved to a new thread.