You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
Getting invalid request for PKCEOAuthFlow.ProcessCodeFlowAsync
Hi, I'm implementing PKCE now, but getting an invalid request exception. I can't see anything that I'm doing wrong from the doco (it says everything is optional except code and appkey). This i...
donaldp wrote:...
if (code is object) {
PKCEOAuthFlow pKCEFlow=new PKCEOAuthFlow();...
As can be seen from your post, you are constructing pKCEFlow object anew after you have got the code. How you guarantee that PKCE code challenge, send as part of initial query (targeting the code you have received on redirect), match to the code verifier used on followup code processing (both generated and carried within PKCEOAuthFlow object)? 🤔 This workflow targets extremely difficult prediction of such pair, so security gonna be improved. If it was so easy to predict second pair' element (just construct a new object), 😁 what's the meaning of PKCE usage at all?
Hope this gives direction. 😉
Hi,
> As can be seen from your post, you are constructing pKCEFlow object anew after you have got the code
Yes, that's right. I'm getting the code directly from the browser - I'm not doing it via the app - so this is the first step in the process in the app. There is no redirect. The user gets the code, then comes to the app with it. The doco says that you can do that, hence why the subsequent parameters are all optional. It's not working though (as is).
donaldp wrote:... I'm getting the code directly from the browser - I'm not doing it via the app - so this is the first step in the process in the app. There is no redirect. The user gets the code, then comes to the app with it. The doco says that you can do that, hence why the subsequent parameters are all optional. It's not working though (as is).
Ok, that's right. Nothing against what you say, it's correct. Do you intentionally bypass my actual notes posted before? 🤷 If you don't want, don't read them.
Edit:
donaldp wrote:... I'm getting the code directly from the browser - I'm not doing it via the app - so this is the first step in the process in the app. ...
The first step is constructing and launching Dropbox authentication (URL construction that must include code challenge). What you are talking about is going to be the second one! Both are strictly related to each other - something you are missing, seems!
>The first step is constructing and launching Dropbox authentication
And the doco states that step is optional, as I already said. I therefore don't know what code is needed to get this working when one isn't constructing and launching a redirect. If you're getting the code directly from a browser as the actual first step, then the next step is entering that code into the app, unless someone can tell me a different first step for bypassing using a redirect (I already asked if there's a different URL needed to be used for the PKCE flow - I'm using the same URL as non-PKCE flow, but maybe that's the issue?).
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
