You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.

Forum Discussion

awb's avatar
awb
Helpful | Level 7
6 months ago

Invalid access token - across multiple Dropbox Team Spaces

We have suddenly seen an influx of the above error occuring for our customers including our own integrations tests (with no changes in code)

 

I've been looking at the following post, we use PKCE

https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Invalid-access-token/m-p/372484/highlight/true#M20974

 

  • the user can revoke all access tokens for an app by unlinking it on the connected apps page
    • App is still listed and linked
  • any client with the access token can revoke the access token by calling /2/auth/token/revoke
    • we have no refence to this endpoint in our application
  • if the app uses the "app folder" permission, the token can be disabled by the user deleting the app folder itself in the Dropbox account, either via the Dropbox website or any client
    • Could you claify this, I don't belive we request app folder permissions in our application, this is how it looks when checking in the connected apps page

       

  • the app can be disabled
    • App has not been disabled
  • the account that owns the app can be disabled
    • How can we verify this, I can see the application and its enabled, how do we check who owns the app?

       

  • the connected account can be disabled
    • This looks to be enabled as per screen shot above

 

Any help would be much appreciated.

Thanks

  • Rather embarrassing 🤕. It appears our Access token was being truncated through our caching mechanism. I guess our previous tokens fell within the limits. Thanks again Greg-DB Ð—дравко 

  • Hi awb,

    Access tokens expire! (~4 hours live) Did you ensure refresh token accompanying the access token and use it on Dropbox client object initialization?

    Also, you should ensure when for some reason refresh token cannot work (when some of the cases you described comes up), your code asks the user to link your application anew. So the user will know what exactly predisposes this behavior (its recent activity).

    Hope this gives direction.

    • awb's avatar
      awb
      Helpful | Level 7
      Hi,
      Thanks for the response. Tokens were refreshing fine until around 4pm BST.

      Even trying to get a new token with pkce results in the same error.

      From code perspective nothing has changed. The app we created is enabled and linked in our Dropbox. As far as I’m aware. Nothing has changed

      • awb wrote:
        ...
        Even trying to get a new token with pkce results in the same error.
        ...

        I assume that happens on refresh time (despite you don't point it explicitly; correct me if that's not true). That means user's authorization for your application is canceled somehow (using one of the ways you enumerated already). 🤷 That's it.

        There is no need something got changed. Just the granting was canceled. In such a situation new authorization has to be initiated from your application side (when catching such a case). 😉 This is the correct way - nothing else you can do, but just inform your users that after deauthorizing application they will need to authorize anew.

        Good luck.

  • Greg-DB's avatar
    Greg-DB
    Icon for Dropbox Staff rankDropbox Staff

    awb First for reference, note that the post you linked to is old and now somewhat out of date. As Здравко noted, new Dropbox API access tokens do now expire, and access tokens and refresh tokens can also still be explicitly revoked. There are different errors for these cases: 'expired_access_token' indicates the token is expired, and 'invalid_access_token' indicates the token is not valid or is revoked.

     

    Here's a slightly more extensive list of ways an access token/refresh token can be revoked:

     

    To answer your specific questions:

    • App folder access type: Based on your first screenshot, I can tell that your app does not use the app folder access type (because I see it has team scopes, and apps with the app folder access type can't use team scopes).
    • App owner state: Based on your second screenshot, assuming it is a current screenshot, I can tell that the account that owns the app is not disabled, because only the app owner account can view that configuration page, and the account would need to be active to be able to do so.

     

    In any case, if you are getting unexpected errors, we'll be happy to look into it, but we'd need some more information. In that case, please reply with:

    • the name and version number of the platform and SDK/library you are using, if any
    • the steps to reproduce the issue, including relevant code snippet(s)
    • the full text of any error or unexpected output; please ideally show the full request and response, including headers and bodies for both

    Be sure to redact any access tokens, refresh tokens, or app secrets throughout. Thanks!

    • awb's avatar
      awb
      Helpful | Level 7

      Hi Greg-DB 

      Screen shot is reecent, I've also tried removing the app and adding again

      We have had another customer affected by this, 

      POST https://api.dropboxapi.com/2/team/features/get_values HTTP/1.1
      Authorization: Bearer omitted
      User-Agent: omitted/OfficialDropboxDotNetSDKv2/6.37.0.0
      Content-Type: application/json; charset=utf-8
      Host: api.dropboxapi.com
      Request-Id: |39875632-4c7f9ff832916d0c.
      Content-Length: 49

      {"features":[{".tag":"has_team_shared_dropbox"}]}

       

      HTTP/1.1 401 Unauthorized
      Content-Type: application/json
      Cache-Control: no-cache
      Content-Security-Policy: sandbox allow-forms allow-scripts
      Www-Authenticate: Bearer realm="Dropbox-API"
      X-Content-Type-Options: nosniff
      X-Dropbox-Request-Url: /2/team/features/get_values
      Date: Mon, 22 Jul 2024 06:26:36 GMT
      Server: envoy
      Content-Length: 81
      X-Dropbox-Response-Origin: far_remote
      X-Dropbox-Request-Id: 7690858d30364e4591fab093c620c3d0

      {"error":{".tag":"invalid_access_token"},"error_summary":"invalid_access_token/"}

       

      As mentioned before, everything has been working as expected. So I am assuming that its related to our Dropbox application? I can provide you with the app key if this will help?

      Thanks

      Ash

      • awb's avatar
        awb
        Helpful | Level 7

        Rather embarrassing 🤕. It appears our Access token was being truncated through our caching mechanism. I guess our previous tokens fell within the limits. Thanks again Greg-DB Ð—дравко