short-lived token expired

luigia · ‎02-10-2021

I'm updating my code to use dropbox-core-sdk-3.1.5 instead of dropbox-core-sdk-3.1.1.
I've updated my app permission to use the short-lived access token in the Dropbox Console.

When a user login into my app, she can connect her dropbox account, and the dropbox content is downloaded and shown.
But after 4h, she must reconnect the dropbox account since token is expired.

How can I avoid this?

My calls are

// V2 api /oauth2/authorize
DbxWebAuth.Request authRequest = DbxWebAuth.newRequestBuilder()
.withRedirectUri(redirectUri, sessionStore)
.withTokenAccessType(TokenAccessType.OFFLINE)
.build();

DbxWebAuth webAuth = new DbxWebAuth(reqConfig, appInfo);

then

// V2 api /oauth2/token
DbxWebAuth webAuth = new DbxWebAuth(reqConfig, appInfo);

authFinish = webAuth.finishFromRedirect(
redirectUri, sessionStore, params);

And I use this authFinish to call the get the current account

// V2 api /2/users/get_current_account
DbxClientV2 dbxClient = new DbxClientV2(reqConfig, accessToken);
FullAccount fullAccount = dbxClient.users().getCurrentAccount();
return fullAccount;

Then I store the access token

AuthorizationToken token = new AuthorizationToken();
token.setExternalUserId(authFinish.getUserId());
token.setToken(authFinish.getAccessToken());

Should I use the refresh_token instead of the access token?

Should I check the expires time, and recall the /oauth2/token specifying grant_type=refresh_token ?

kylea · ‎02-10-2021

Short-lived tokens are valid for four hours (note that this value is subject to change).

After a short lived token has expired, simply sending the user to re-auth and using the new token would be recommended for most web applications. The OAuth/redirect for an authorized app is typically automatic for an authorized app, which is easy and low friction for end users.

If your application requires background access, then you should use refresh tokens. Refresh tokens do not expire, and will let your retrieve a new access token at any time - with SDKs automating this for you. Most web applications would not need refresh tokens; this is more commonly associated with mobile or server side apps.

In the Java SDK, you'll want to use this constructor to pass the refresh token in the DbxCredential argument.

luigia · ‎02-14-2021

yes, my app needs to interact with the Dropbox API without user input.

What do you mean with "SDKs automating this for you" ?

I'm using the sdk 3.1.5 calling /oauth2/authorize with TokenAccessType.OFFLINE.

Should I check DbxWebAuth .getExpiresAt() and if needed, I should require a new token using the refresh_token as explained here ?

https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens#updating-access-token-ty...

thanks for you help

Greg-DB · ‎02-15-2021

If you request "offline" access like that, you'll get a refresh token that can be used to programmatically get a new short-lived access token whenever needed. If you use the constructor my colleague linked to, supplying your refresh token, app key, and app secret (if not using PKCE) in the DbxCredential, the Java SDK will automatically check the expiration and retrieve a new short-lived access token for you, so you that don't need to implement that yourself.

short-lived token expired

short-lived token expired

Top contributors to this post