You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.

Forum Discussion

FrustratedUser3's avatar
FrustratedUser3
Collaborator | Level 8
4 years ago

Oauth2 refresh token question - what happens when the refresh token expires?

I've been testing the Dropbox OAuth2 endpoints for a few days and I have read the documentation provided directly by Dropbox. However, it is not clear to me how I'm supposed to handle the acquisition of a new refresh token after the first one has been used. The documentation, diagrams, and code samples do not mention this use case as far as I have seen.

 

In short, I can use one of the available authentication schemes (implicit, PKCE, etc.) to get a token and a refresh token, but then what? I have a Python client running in my environment that needs to connect 24/7, which currently works with long-term tokens, but how do I avoid needing to constantly click 'Allow' when I need to refresh the token? The only way I've been able to reconnect is to send the user back to the browser to get a code. What is supposed to happen when a refresh token expires and how do I deal with it using the implicit and PKCE flows?

 

In most of the other APIs I've used, asking for a new token returns yet another refresh token, which can be done repeatedly without limitation and that's what I need to do in this case as well. I want my users to authorize the app one time and then never need to do so again; that's the end goal.

  • While Dropbox "short-lived access tokens" do expire automatically, "refresh tokens" do not. When your app gets a refresh token, it can use that to continuously get new short-lived access tokens whenever needed, without further manual user intervention. (The Python SDK actually does that for you automatically.)

     

    So, since Dropbox refresh tokens do not expire automatically they can and should be re-used repeatedly. The app will not receive a new refresh token every time it requests a new short-lived access token. It should just store and continue re-using the same one.

     

    They can be revoked manually though, either by the user (e.g., via https://www.dropbox.com/account/connected_apps ) or the app, at which point the app would need to prompt the user to re-authorize the app if they wish to use it again.

  • Greg-DB's avatar
    Greg-DB
    Icon for Dropbox Staff rankDropbox Staff

    While Dropbox "short-lived access tokens" do expire automatically, "refresh tokens" do not. When your app gets a refresh token, it can use that to continuously get new short-lived access tokens whenever needed, without further manual user intervention. (The Python SDK actually does that for you automatically.)

     

    So, since Dropbox refresh tokens do not expire automatically they can and should be re-used repeatedly. The app will not receive a new refresh token every time it requests a new short-lived access token. It should just store and continue re-using the same one.

     

    They can be revoked manually though, either by the user (e.g., via https://www.dropbox.com/account/connected_apps ) or the app, at which point the app would need to prompt the user to re-authorize the app if they wish to use it again.

    • Zachjaryw's avatar
      Zachjaryw
      New member | Level 2

      Hello there. I understand that the refresh tokens are needed in order to continuously use the app without expiration. I do not understand where to find this refresh token. can someone help? thank you

      • Здравко's avatar
        Здравко
        Legendary | Level 20

        Hi Zachjaryw,

        It's not possible to get refresh token in the same way as was for long lived access token - from your application's profile (not yet at least), if that's what you are asking for. You have to perform authentication and save the refresh token at the end. Can be used different ways; one such simplified could be seen here. 😉

        Hope this helps.

    • FrustratedUser3's avatar
      FrustratedUser3
      Collaborator | Level 8

      Thanks for the response. Just to be sure I'm understanding:

      • I need to store the refresh token from the original authentication call.
      • When the access token expires, the original refresh token can be used to generate a new access token.

      Is that correct? Also, what happens if you lose the refresh token? It doesn't make a lot of sense to force the user to authenticate via URL a second time, but that's the only way I know how to get a new access token without a refresh token using any of the flows. Am I missing something or is that right?

      • Greg-DB's avatar
        Greg-DB
        Icon for Dropbox Staff rankDropbox Staff

        Yes, that's correct.

         

        And yes, a refresh token is needed to programmatically retrieve more short-lived access tokens, so if you lose the refresh token you'd need to send the user through the authorization flow again to get a new one.

About Dropbox API Support & Feedback

Node avatar for Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

5,910 PostsLatest Activity: 3 days ago
333 Following

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!