Dropbox API Support & Feedback

authorization_code grant running right thru and not asking for App permission.


mjoyner1
Explorer | Level 3

@Greg or moderator - can I post my client ID?

 

https://www.dropbox.com/1/oauth2/authorize?response_type=code&client_id=XXXXXXXXX&redirect_uri=https...

 

The above with the correct Client ID runs right to the redirect_uri without asking for permission. On my local development environment, it works fine with the localhost redirect. This is our staging server.

 

If I take out the redirect URI, it will ask for App Approval, if I put it in, it runs right thru.

Accepted Solutions

Greg-DB
Dropbox Staff

Yes, it's safe to post your client ID as long as you don't mind exposing your app name. Client IDs aren't considered secret values.

 

Anyway, this behavior is expected in some cases. That is, if the user has already authorized the app to access their account, Dropbox may automatically redirect the user to the redirect URI without having them explicitly authorize it again.

 

If you'd like, you can disable this behavior using force_reapprove=true on /authorize:

 

https://www.dropbox.com/developers/documentation/http/documentation#authorization

mjoyner1
Explorer | Level 3

Greg, 

 

Thank you for shedding some light on this. For some reason, my localhost always forces the reapprove. Thru a strange course of events, we have discovered that we actually have a hostname issue in building the /token redirect and thus........ it doesn't match and no token.

 

Your answer is awesome and thank you for your exemplary work in this forum.

 

 

Greg-DB
Dropbox Staff
For reference, it is expected that the automatic redirect won't happen in all cases. For example, it will only occur if the redirect URI starts with https://.
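
The two points raised in this thread, as an added example that is not code from the thread or from Dropbox: sending `force_reapprove=true` on `/authorize`, and reusing the exact `redirect_uri` at the `/token` step so a host name difference is caught before the exchange fails. The `session` dict, the function names, the sample hosts and the `AUTHORIZE_URL` constant (the thread shows an older `/1/` path) are assumptions of this example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed endpoint for this example; the thread itself shows an older /1/ path.
AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"


def begin_authorization(session, client_id, redirect_uri, force_reapprove=True):
    """Build the /authorize URL and remember state + redirect_uri in the session."""
    state = secrets.token_urlsafe(32)  # CSRF token, checked again on the callback
    session["oauth_state"] = state
    session["oauth_redirect_uri"] = redirect_uri
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if force_reapprove:
        # Show the approval page even if the user already authorized the app.
        params["force_reapprove"] = "true"
    return AUTHORIZE_URL + "?" + urlencode(params)


def token_request_body(session, callback_url, rebuilt_redirect_uri):
    """Validate the callback and return the form fields for the /token request."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    expected = session.get("oauth_state", "")
    if not expected or not secrets.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    sent = session["oauth_redirect_uri"]
    if rebuilt_redirect_uri != sent:
        # The failure described in the thread: the host name differs between steps.
        raise ValueError(f"redirect_uri mismatch: /authorize used {sent!r}, "
                         f"/token would send {rebuilt_redirect_uri!r}")
    del session["oauth_state"]  # state is single-use
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": sent,
    }
```
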