
Daniel G.70
Explorer | Level 4
2 years ago

Long time registered app not allowing Oauth authentication.

Anyone know why all of a sudden a Dropbox registered app that's been working fine for years would suddenly show

{"error": "invalid_scope", "error_description": "Non-scoped apps cannot specify token scopes"}

When attempting to use an OAuth refresh token like so.

POST https://api.dropbox.com/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.dropbox.com
Content-Length: 363
Expect: 100-continue

refresh_token=<VALIDTOKEN>&grant_type=refresh_token&client_id=<VALIDCLIENTID>&client_secret=<VALIDSECRET>&scope=account_info.write+account_info.read+files.metadata.write+files.metadata.read+files.content.write+files.content.read+sharing.write+sharing.read+file_requests.write+file_requests.read+contacts.write

I'm guessing I need to do something to the registration of the app. That some new requirement is needed, but I'm not sure what.


  • Здравко
    Legendary | Level 20

    Hi Daniel G.70,

    As can be seen from the error message, you're trying scopes on a non-scoped application! 🙋 Why? 🤔 Try to remove the last part (representing the scopes) from the request payload. Or register a new scoped application and start anew.

    Hope this helps.

  • Greg-DB
    Dropbox Staff

    [Cross-linking for reference: https://stackoverflow.com/questions/75738278/non-scoped-apps-cannot-specify-token-scopes-when-using-dropbox-api-oauth ]

     

    From your description, it sounds like you have a legacy non-scoped app from before we switched to registering new apps as scoped apps.

     

    We recently fixed a bug where the API would allow non-scoped apps to specify scopes using the 'scope' parameter when calling /oauth2/token with 'grant_type=refresh_token'. Scopes don't apply to non-scoped apps so this is supposed to be rejected with the error you're seeing.

     

    To correct this, you should either:

    a. not provide the 'scope' parameter when calling /oauth2/token for the non-scoped app, or
    b. migrate your non-scoped app to use scopes, which you can do using the "Permissions" tab of the app's page on the App Console.

    Option b would be preferred. You can find more information on the migration here.

      • Greg-DB
        Dropbox Staff

        Daniel G.70 Also, to expand on Здравко's comment, while new apps are registered as scoped apps now, you do not need to register a new app. You can and should migrate any existing non-scoped apps to use scopes.

         

        And additionally, while I mentioned that you only need to do either option a or b in my post, you can technically do both. The 'scope' parameter on /oauth2/token is optional for both scoped and non-scoped apps; it is only needed if/when you want to get an access token with a specific subset of the scopes authorized to the given refresh token when calling with 'grant_type=refresh_token'.
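Putting the two replies above into code, as an added example that is not from the thread or from Dropbox's SDK: a request builder that omits 'scope' for a legacy non-scoped app (option a), sends it only for a scoped app that wants a narrowed access token (least privilege after option b), and a classifier that recognises the invalid_scope reply shown in the question. The function names and the "reauthorize" mapping for the standard RFC 6749 invalid_grant code are my assumptions, not Dropbox API names.

```python
import json
from urllib.parse import urlencode

# Endpoint as used in the original request in the question.
TOKEN_ENDPOINT = "https://api.dropbox.com/oauth2/token"


def build_refresh_body(refresh_token, client_id, client_secret,
                       app_is_scoped, scopes=None):
    """Return the x-www-form-urlencoded body for grant_type=refresh_token.

    'scope' is optional for both app types. A legacy non-scoped app must not
    send it (the API now rejects it with invalid_scope). A scoped app may send
    it to get an access token limited to a subset of the scopes already
    granted to the refresh token.
    """
    fields = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scopes:
        if not app_is_scoped:
            # Fail locally instead of sending a request the API will reject.
            raise ValueError("non-scoped app: drop 'scope' or migrate the app "
                             "to scopes in the App Console first")
        # urlencode joins the space-separated list with '+' as in the question.
        fields["scope"] = " ".join(scopes)
    return urlencode(fields)


def classify_token_response(status, body):
    """Map a token-endpoint reply (status, JSON body) to a caller action."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return "ok"
    err = data.get("error")
    desc = data.get("error_description", "")
    if err == "invalid_scope" and "Non-scoped" in desc:
        # Exact failure from the question: legacy app sent a 'scope' value.
        return "drop_scope_or_migrate"
    if err == "invalid_grant":
        # Assumed mapping: refresh token revoked/expired, user must re-consent.
        return "reauthorize"
    return "other_error"
```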

    • Daniel G.70
      Explorer | Level 4

      This was indeed exactly the issue. We never did migrate to a scoped app. And we do specify scopes on the wire.

       

      That was the source of the issue and the fixes you propose did work. Thank you!