ImpulseWebDev
Explorer | Level 3
2 years ago

Issue Generating Refresh Token with OAuth Code Flow

Hello, I have been struggling a bit with getting a refresh token or any success response at all from the endpoint 'https://api.dropboxapi.com/oauth2/token' when following the guide here https://developers.dropbox.com/oauth-guide.

While the docs show all curl requests, I am attempting to make my request currently from Postman, but in the end I would like to do this via a standard fetch request if possible.

However, when making requests to the endpoint above, I always am returned the response

{
    "error": "invalid_request",
    "error_description": "The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters."
}

Here is one example of my request:

  var details = {
    'code': 'REDACTED',
    'grant_type': 'authorization_code',
    'REDACTED': 'REDACTED'
  };

  var formBody = [];
  for (var property in details) {
    var encodedKey = encodeURIComponent(property);
    var encodedValue = encodeURIComponent(details[property]);
    formBody.push(encodedKey + "=" + encodedValue);
  }
  formBody = formBody.join("&");

  fetch('https://api.dropboxapi.com/oauth2/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8'
    },
    body: formBody
  }).then(function(response) { 
    return response.json()
  }).then(function(data) {   
    console.log(data);
  })


Here is my Postman version


For the sections covered in red or 'REDACTED':
The code I am getting via this URL https://www.dropbox.com/oauth2/authorize?client_id=REDACTED&response_type=code&token_access_type=offline

The lowest section is my app key and app secret (in that order).

Is it possible to make this POST request to this endpoint in the way I am trying?

If so, is it possible to see an example somewhere in the docs that is not a curl request? // or point me in the direction of what I am not doing correctly by chance?

Edit: I should also note that this account has purchased 'Teams'.
Thanks in advance!

  • Здравко
    Legendary | Level 20

    ImpulseWebDev wrote:

    ...
    The lowest section is my app key and app secret (in that order).

    Is it possible to make this POST request to this endpoint in the way I am trying?
    ...


    Hi ImpulseWebDev,

    No, it's not! Where did you read that you need to post a parameter carrying a name equal to your app key?

    Next to the curl examples, there are lists of possible parameters! You have to choose something from there. Possible parameters for passing app key and secret are client_id and client_secret. An alternative way is passing them in the form "<client_id value>:<client_secret value>" as base authentication.

    Hope this gives direction.

    • ImpulseWebDev
      Explorer | Level 3

      Hello and thanks for the reply.

      My apologies, I am not very familiar with curl request syntax, however I was attempting to reproduce the example from the Dropbox endpoint docs here:

      curl https://api.dropbox.com/oauth2/token \
          -d code=<AUTHORIZATION_CODE> \
          -d grant_type=authorization_code \
          -d redirect_uri=<REDIRECT_URI> \
          -u <APP_KEY>:<APP_SECRET>

      The last portion '<APP_KEY>:<APP_SECRET>' was why I attempted that method. I have since updated to use the two params suggested, however any idea what would trigger this response? I did return to my app console to verify both key and secret are up to date.

      • ImpulseWebDev
        Explorer | Level 3

        Final reply: The params suggested do work in my non-Postman fetch request and return the success response outlined in the docs. That gets me through. Thank you again!

  • Greg-DB
    Dropbox Staff

    Given your redactions and descriptions, it seems like you're sending a parameter with the name being your app key and the value being your app secret, however that is not the correct formatting. When calling /oauth2/token to exchange the authorization code for an access token/refresh token with the code flow like this, you should send a parameter named "client_id" with the value being your app key, and a parameter named "client_secret" with the value being your app secret. You would do that the same way you already have a parameter named "code" with the value being the authorization code string.

    (Note that it's also possible to send the app key and secret as "Basic" authorization, which is what the example in the documentation does using the "-u" curl flag, but that would be encoded and formatted differently. I recommend just using the parameters as described above for simplicity.)
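
The two ways of passing the app key and secret described in the answer above, side by side, as an added example that is not part of the original thread or of Dropbox's documentation. The function names are this example's own, and it assumes a server-side runtime (Node 18+) so the app secret is never embedded in browser code.

```javascript
// Added example (not from the thread). Assumes Node 18+ on a server:
// the app secret must not be shipped in client-side JavaScript.
const TOKEN_URL = 'https://api.dropboxapi.com/oauth2/token';

// Fields common to both variants of the authorization-code exchange.
function baseFields({ code, redirectUri }) {
  const fields = new URLSearchParams({ code, grant_type: 'authorization_code' });
  // redirect_uri is only sent if one was used on the /oauth2/authorize request.
  if (redirectUri) fields.set('redirect_uri', redirectUri);
  return fields;
}

// Variant 1: credentials as form parameters named client_id / client_secret.
function buildParamRequest({ code, appKey, appSecret, redirectUri }) {
  const fields = baseFields({ code, redirectUri });
  fields.set('client_id', appKey);
  fields.set('client_secret', appSecret);
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: fields.toString(),
  };
}

// Variant 2: credentials as HTTP Basic auth (what curl's -u flag sends):
// base64("<app key>:<app secret>") in the Authorization header, not in the body.
function buildBasicAuthRequest({ code, appKey, appSecret, redirectUri }) {
  const credentials = Buffer.from(`${appKey}:${appSecret}`).toString('base64');
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Basic ${credentials}`,
    },
    body: baseFields({ code, redirectUri }).toString(),
  };
}

// Sends either request; fetchImpl is injectable so the call can be stubbed.
async function exchangeCode(request, fetchImpl = fetch) {
  const response = await fetchImpl(TOKEN_URL, request);
  const data = await response.json();
  if (!response.ok) throw new Error(`${data.error}: ${data.error_description}`);
  return data; // with token_access_type=offline this includes refresh_token
}
```
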

    • ImpulseWebDev
      Explorer | Level 3

      Hello Greg, first thank you again for the response - that does indeed change my error response however I think I am just a bit off still from your explanation. It sounds like I should remove my app key : app secret and replace it with the two values you stated.

      I have gone back to my app console to verify both values are accurate, any idea why it would say one is potentially invalid?