Getting invalid request for PKCEOAuthFlow.ProcessCodeFlowAsync

Hi,

I'm implementing PKCE now, but getting an invalid request exception. I can't see anything that I'm doing wrong from the doco (it says everything is optional except code and appkey). This is code that was working when I was using DropboxOAuth2Helper.ProcessCodeFlowAsync (but I want to convert to not sending the secret - using a C# dotnet desktop app).

My initial code (using a code authorised in the browser, and the same appkey) is as follows...

```

if (code is object) {
PKCEOAuthFlow pKCEFlow=new PKCEOAuthFlow();
// OAuth2Response dxResponse=await DropboxOAuth2Helper.ProcessCodeFlowAsync(code,APIKEY,APISECRET); note THIS CODE WAS WORKING
OAuth2Response dxResponse=await pKCEFlow.ProcessCodeFlowAsync(code,APIKEY);

```

Then I hit the exception...

********************************** UNHANDLED EXCEPTION! Details: Dropbox.Api.OAuth2Exception: invalid_request
at Dropbox.Api.DropboxOAuth2Helper.ProcessCodeFlowAsync(String code, String appKey, String appSecret, String redirectUri, HttpClient client, String codeVerifier)

Do I need to use a different authoriseURI if I'm using PKCE or something? I'm using the same one I was using with DropboxOAuth2Helper.ProcessCodeFlowAsync. Otherwise I don't know what it's not happy about. 😕

thanks,

Donald.

API

Здравко
Legendary | Level 20
3 years ago
donaldp wrote:
...
if (code is object) {
PKCEOAuthFlow pKCEFlow=new PKCEOAuthFlow();
...
As can be seen from your post, you are constructing pKCEFlow object anew after you have got the code. How you guarantee that PKCE code challenge, send as part of initial query (targeting the code you have received on redirect), match to the code verifier used on followup code processing (both generated and carried within PKCEOAuthFlow object)? 🤔 This workflow targets extremely difficult prediction of such pair, so security gonna be improved. If it was so easy to predict second pair' element (just construct a new object), 😁 what's the meaning of PKCE usage at all?
Hope this gives direction. 😉
- donaldp
  Collaborator | Level 9
  3 years ago
  Hi,
  
  > As can be seen from your post, you are constructing pKCEFlow object anew after you have got the code
  
  Yes, that's right. I'm getting the code directly from the browser - I'm not doing it via the app - so this is the first step in the process in the app. There is no redirect. The user gets the code, then comes to the app with it. The doco says that you can do that, hence why the subsequent parameters are all optional. It's not working though (as is).
  - Здравко
    Legendary | Level 20
    3 years ago
    donaldp wrote:
    ... I'm getting the code directly from the browser - I'm not doing it via the app - so this is the first step in the process in the app. There is no redirect. The user gets the code, then comes to the app with it. The doco says that you can do that, hence why the subsequent parameters are all optional. It's not working though (as is).
    Ok, that's right. Nothing against what you say, it's correct. Do you intentionally bypass my actual notes posted before? 🤷 If you don't want, don't read them.
    
    Edit:
    donaldp wrote:
    ... I'm getting the code directly from the browser - I'm not doing it via the app - so this is the first step in the process in the app. ...
    The first step is constructing and launching Dropbox authentication (URL construction that must include code challenge). What you are talking about is going to be the second one! Both are strictly related to each other - something you are missing, seems!
Greg-DB
Dropbox Staff
3 years ago
The PKCE flow is the right choice for a client-side app, such as a desktop app. The PKCE flow can be used with or without a redirect URI.

The PKCE flow eliminates the need for the app secret by instead using a code challenge/verifier. That's essentially a temporary secret generated by the app. A redirect URI can be used to return the authorization code to the app, but that's unrelated to the use of a code challenge/verifier.

In order for the PKCE flow to be successful, the code challenge/verifier needs to be validated by the Dropbox server. If it's invalid, the process will fail. Specifically, the code_challenge set on the /oauth2/authorize URL used when retrieving the authorization code needs to correspond to the code_verifier sent to /oauth2/token when attempting to exchange that particular authorization code. You can use the PKCEOAuthFlow in the official Dropbox .NET SDK, which will do most of the work for you.

When using PKCEOAuthFlow in the Dropbox .NET SDK, you need to make sure you use the same instance for both the GetAuthorizeUri step as well as the ProcessCodeFlowAsync step, as shown in that example. That's because the PKCEOAuthFlow class generates the code challenge/verifier when the instance is created.
- donaldp
  Collaborator | Level 9
  3 years ago
  Hi Greg-DB ,
  
  Thanks for your polite-as-always explanation. 🙂 That wasn't clear to me from the doco that the authorisation URL is different every time (since it's always been the same with non-PKCE), so might be worth highlighting that in the doco for others like me who are converting.
  
  I got it working now with an access token (wanted to try that first so that I can test my code handles it properly when it expires), but I did try to save a refresh token at the same time, as that's what I'll use later, and various info was telling me I would get one with a code authorisation flow, but I didn't get a refresh token, only the access token. Is there another parameter or something I need to specify, because I thought I'd done everything I needed to get the refresh token too (for offline processing).
  
  This is what I have so far...
```
PKCEOAuthFlow=new PKCEOAuthFlow();
AuthorisationURLText=PKCEOAuthFlow.GetAuthorizeUri(OAuthResponseType.Code,APIKEY).ToString(); (plus an option to copy this to the clipboard)

OAuth2Response dxResponse=await PKCEOAuthFlow.ProcessCodeFlowAsync(code,APIKEY);
DxAccessToken=dxResponse.AccessToken;
Trace.Write($"********************************** DxAccessToken is {DxAccessToken}\r\n");
if (dxResponse.ExpiresAt is DateTime) {
DxAccessTokenExpiry=(DateTime)dxResponse.ExpiresAt;
} else {
DxAccessTokenExpiry=DateTime.Now;
}
Trace.Write($"********************************** DxAccessTokenExpiry is {DxAccessTokenExpiry}\r\n");
DxRefreshToken=dxResponse.RefreshToken;
Trace.Write($"********************************** DxRefreshToken is {DxRefreshToken}\r\n");
Authorised=true;
```
  But as I said, the refresh token came up blank.
  
  thanks,
  Donald.
  - Здравко
    Legendary | Level 20
    3 years ago
    donaldp wrote:
    ..., but I didn't get a refresh token, only the access token. Is there another parameter or something I need to specify, because I thought I'd done everything I needed to get the refresh token too (for offline processing).
    ...
    AuthorisationURLText=PKCEOAuthFlow.GetAuthorizeUri(OAuthResponseType.Code,APIKEY).ToString();
    ...
    Hi donaldp,
    Yes there is such parameter that you skipped. Refresh token is "in pair" with offline processing, but where you are specifying that? There is such a parameter 'tokenAccessType' (set to Legacy by default). Whenever some example uses refresh token the parameter is set to Offline. 😉 Just do the same.
    There is a mistake in code comment and documentation that Legacy means long lived token. Sometime ago - Yes, but now it's obsolete.