I have Xamarin.Auth working with Google drive on Android/iOS/UWP, and I want to add support into my app for Dropbox. Xamarin.Auth is nice because I only have to write the code once, and it handles a lot of the complications. It works with multiple oauth like Twitter, facebook and others. But I've run into an issue with the redirect_uri when using Xamarin.Auth. For Google Drive, the google webpage creates a redirect like \"com.googleusercontent.apps...\". The deep link allows my app to wake up when the redirect occurs. My hope was to quickly extend this to Dropbox, but the options for redirect URI seem limited.

Dropbox allows you to specify a Redirect URI of either \"https://something.here\" or a loopback like \"http://127.0.0.1/authorize\". I can also enter \"anything://anything_else\" into the website. But I can't enter a deep link address, like \"com.something/oauth2redirect\". If I use https://something.here, the redirect attempts to load a webpage, which of course doesn't exist. If I use a deep link, dropbox API complains that it's not valid and must start with https. If I use a loopback address, my app doesn't wake up automatically, though I'm not sure how it would.

Does anybody have some advice on how to make Dropbox work with Xamarin.Auth, is this possible?

Is there there a cross platform solution I can leverage? Or do I have to create a unique (and way more expensive) solution individually for iOS and Android?

Thanks - Paul

I have Xamarin.Auth working with Google drive on Android/iOS/UWP, and I want to add support into my app for Dropbox. Xamarin.Auth is nice because I only have to write the code once, and it handles a lot of the complications. It works with multiple oauth like Twitter, facebook and others. But I've run into an issue with the redirect_uri when using Xamarin.Auth. For Google Drive, the google webpage creates a redirect like \"com.googleusercontent.apps...\". The deep link allows my app to wake up when the redirect occurs. My hope was to quickly extend this to Dropbox, but the options for redirect URI seem limited.

Dropbox allows you to specify a Redirect URI of either \"https://something.here\" or a loopback like \"http://127.0.0.1/authorize\". I can also enter \"anything://anything_else\" into the website. But I can't enter a deep link address, like \"com.something/oauth2redirect\". If I use https://something.here, the redirect attempts to load a webpage, which of course doesn't exist. If I use a deep link, dropbox API complains that it's not valid and must start with https. If I use a loopback address, my app doesn't wake up automatically, though I'm not sure how it would.

Does anybody have some advice on how to make Dropbox work with Xamarin.Auth, is this possible?

Is there there a cross platform solution I can leverage? Or do I have to create a unique (and way more expensive) solution individually for iOS and Android?

Thanks - Paul

First, I should note that we can't provide support for or endorse any other third party products or libraries, such as Xamarin.Auth.

That said, on the Dropbox side of things, it's true that in the Dropbox OAuth 2 implementation, as a security feature, when using the \"code\" flow, the redirect URI (if provided) must start with https:// (except for localhost addresses).

So, depending on your use case, there are a few options that might make sense:

\n
• use the \"token\" flow instead of the \"code\" flow: for the \"token\" flow, redirect URIs with custom URL schemes (like \"anything://anything_else\", which you'd register for your local app) are allowed. You can find more information on the two supported flows in the /oauth2/authorize documentation. The \"token\" flow is generally recommended for client-side apps anyway.
\n
• use the \"code\" flow, using a http://localhost... redirect URI.
\n
• use the \"code\" flow, omit the redirect URI entirely: in this case, the user would need to manually copy/paste the authorization code that Dropbox would present to them
\n

First, I should note that we can't provide support for or endorse any other third party products or libraries, such as Xamarin.Auth.

That said, on the Dropbox side of things, it's true that in the Dropbox OAuth 2 implementation, as a security feature, when using the \"code\" flow, the redirect URI (if provided) must start with https:// (except for localhost addresses).

So, depending on your use case, there are a few options that might make sense:

\n
• use the \"token\" flow instead of the \"code\" flow: for the \"token\" flow, redirect URIs with custom URL schemes (like \"anything://anything_else\", which you'd register for your local app) are allowed. You can find more information on the two supported flows in the /oauth2/authorize documentation. The \"token\" flow is generally recommended for client-side apps anyway.
\n
• use the \"code\" flow, using a http://localhost... redirect URI.
\n
• use the \"code\" flow, omit the redirect URI entirely: in this case, the user would need to manually copy/paste the authorization code that Dropbox would present to them
\n

I found the solution, but to answer your question first, the text is output from a sniffer trace showing the HTTP Get request.

And you are right, in that the second response_type and client_id are a duplication.  It confused me and at first I thought it was the HTTP body.  One thing I didn't understand is that GetAuthorizeUri returns the URL plus the params.  Xamarin.Auth requires just the URL, so I can just send \"https://www.dropbox.com/oauth2/authorize\", and I won't call GetAuthorizeUri at all, since OAuth2Authenticator takes care of building the request.

The reason there were two response_types where one was code type rather than token type was because I supplied the AccessTokenURL to OAuth2Authenticator, which is not needed in the case of token flow, as I understand.  Since I started with a dropbox API example for .NET and then plugged in each into the OAuth2Authenticator call, I mistakenly sent an AccessTokenUrl.  I found out from looking at the Xamarin code, if AccessTokenUrl==NULL will assume the implict flow (token flow).  Interestingly, and as a note to help others, I tried setting the AccessTokenUrl to null, which caused an exception.  Instead I found this version worked and now I'm authenticating.

authenticator = new Xamarin.Auth.OAuth2Authenticator(\nclientId: ApiKey,\nscope: \"\",\nauthorizeUrl: new Uri(\"https://www.dropbox.com/oauth2/authorize\"),\nredirectUrl: new Uri(RedirectUri),\nisUsingNativeUI: false) ;

Hope this information helps somebody else trying to get Xamarin.Auth working with Dropbox.

I found the solution, but to answer your question first, the text is output from a sniffer trace showing the HTTP Get request.

And you are right, in that the second response_type and client_id are a duplication.  It confused me and at first I thought it was the HTTP body.  One thing I didn't understand is that GetAuthorizeUri returns the URL plus the params.  Xamarin.Auth requires just the URL, so I can just send \"https://www.dropbox.com/oauth2/authorize\", and I won't call GetAuthorizeUri at all, since OAuth2Authenticator takes care of building the request.

The reason there were two response_types where one was code type rather than token type was because I supplied the AccessTokenURL to OAuth2Authenticator, which is not needed in the case of token flow, as I understand.  Since I started with a dropbox API example for .NET and then plugged in each into the OAuth2Authenticator call, I mistakenly sent an AccessTokenUrl.  I found out from looking at the Xamarin code, if AccessTokenUrl==NULL will assume the implict flow (token flow).  Interestingly, and as a note to help others, I tried setting the AccessTokenUrl to null, which caused an exception.  Instead I found this version worked and now I'm authenticating.

authenticator = new Xamarin.Auth.OAuth2Authenticator(\nclientId: ApiKey,\nscope: \"\",\nauthorizeUrl: new Uri(\"https://www.dropbox.com/oauth2/authorize\"),\nredirectUrl: new Uri(RedirectUri),\nisUsingNativeUI: false) ;

Hope this information helps somebody else trying to get Xamarin.Auth working with Dropbox.

Based on your response I looked at a network trace because I thought I was using the token flow.  But I see in the trace it sends the token flow in the HTTP header and code flow in the HTTP body.  That seems strange so I'm following up with Xamarin.Auth folks.  

Can you verify you use the HTTP body and the header to validate the code flow?  The packet looks like this:

GET /oauth2/authorize?response_type=token&client_id=ommited&redirect_uri=com.paulyshotel.testcloud%3A%2F%2Foauth2rediect%2F&state=c4045458ac394ad78752fad786151f5e?client_id=b2w6zorouokifto&redirect_uri=com.paulyshotel.testcloud%3A%2F%2Foauth2rediect&scope=&response_type=code

Thanks -Paul

Based on your response I looked at a network trace because I thought I was using the token flow.  But I see in the trace it sends the token flow in the HTTP header and code flow in the HTTP body.  That seems strange so I'm following up with Xamarin.Auth folks.  

Can you verify you use the HTTP body and the header to validate the code flow?  The packet looks like this:

GET /oauth2/authorize?response_type=token&client_id=ommited&redirect_uri=com.paulyshotel.testcloud%3A%2F%2Foauth2rediect%2F&state=c4045458ac394ad78752fad786151f5e?client_id=b2w6zorouokifto&redirect_uri=com.paulyshotel.testcloud%3A%2F%2Foauth2rediect&scope=&response_type=code

Thanks -Paul

The /oauth2/authorize location is a web page, and you should just be sending the user there in their browser, so the browser should just make a GET request to it. There shouldn't be a body for that HTTP GET request, nor would Dropbox use any parameters sent in the body. The URL parameters on the URL path itself are used.

The /oauth2/authorize location is a web page, and you should just be sending the user there in their browser, so the browser should just make a GET request to it. There shouldn't be a body for that HTTP GET request, nor would Dropbox use any parameters sent in the body. The URL parameters on the URL path itself are used.

You mentioned above that \"it's true that in the Dropbox OAuth 2 implementation, as a security feature, when using the \"code\" flow, the redirect URI (if provided) must start with https:// (except for localhost addresses).\"   And then you mention \"use the \"token\" flow instead\".  What I'm showing you above is that the GET request my app sends has set the parameter response_type=token as per the documentaiton link you provided above.

However, the result is that dropbox returns and error stating \"Invalid redirect_uri. When response_type=code, redirect_uri must start with \"https://\", unless it's a localhost URI.\"

Why am I getting this message?

You mentioned above that \"it's true that in the Dropbox OAuth 2 implementation, as a security feature, when using the \"code\" flow, the redirect URI (if provided) must start with https:// (except for localhost addresses).\"   And then you mention \"use the \"token\" flow instead\".  What I'm showing you above is that the GET request my app sends has set the parameter response_type=token as per the documentaiton link you provided above.

However, the result is that dropbox returns and error stating \"Invalid redirect_uri. When response_type=code, redirect_uri must start with \"https://\", unless it's a localhost URI.\"

Why am I getting this message?