You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
FrustratedUser3
4 years agoCollaborator | Level 8
Oauth2 refresh token question - what happens when the refresh token expires?
I've been testing the Dropbox OAuth2 endpoints for a few days and I have read the documentation provided directly by Dropbox. However, it is not clear to me how I'm supposed to handle the acquisition...
- 4 years ago
While Dropbox "short-lived access tokens" do expire automatically, "refresh tokens" do not. When your app gets a refresh token, it can use that to continuously get new short-lived access tokens whenever needed, without further manual user intervention. (The Python SDK actually does that for you automatically.)
So, since Dropbox refresh tokens do not expire automatically they can and should be re-used repeatedly. The app will not receive a new refresh token every time it requests a new short-lived access token. It should just store and continue re-using the same one.
They can be revoked manually though, either by the user (e.g., via https://www.dropbox.com/account/connected_apps ) or the app, at which point the app would need to prompt the user to re-authorize the app if they wish to use it again.
FrustratedUser3
Collaborator | Level 8
Thanks for the response. Just to be sure I'm understanding:
- I need to store the refresh token from the original authentication call.
- When the access token expires, the original refresh token can be used to generate a new access token.
Is that correct? Also, what happens if you lose the refresh token? It doesn't make a lot of sense to force the user to authenticate via URL a second time, but that's the only way I know how to get a new access token without a refresh token using any of the flows. Am I missing something or is that right?
Greg-DB
4 years agoDropbox Staff
Yes, that's correct.
And yes, a refresh token is needed to programmatically retrieve more short-lived access tokens, so if you lose the refresh token you'd need to send the user through the authorization flow again to get a new one.
- FrustratedUser34 years agoCollaborator | Level 8
Got it. Thanks. Do you happen to know where I can read about this in the documentation? I can't find the information you're explaining and I'm not sure how the SDK stores the token or if it's safe. Does it put the token in a plaintext file on the disk somewhere?
- Greg-DB4 years agoDropbox Staff
You can find information on the Dropbox OAuth flow in general in the OAuth Guide and the authorization documentation. The documentation for the OAuth functionality in the Python SDK in particular can be found here.
The Python SDK does not handle the local persistence of access tokens or refresh tokens for you. Local data persistence needs to be handled by the app.
- FrustratedUser34 years agoCollaborator | Level 8
The documentation really should address these issues. It is not obvious how the refresh mechanism works and a few sentences would prevent a lot of confusion. The code example could use a comment as well for the same reason.
"Refresh tokens can be used multiple times to create new tokens." More explanation would be much better, but even something as simple as that would have saved several hours of my time. This detail is not explained anywhere in the documentation and it's not an obvious piece of information considering many oauth refresh token implementations do not work the same way.
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
5,883 PostsLatest Activity: 24 hours agoIf you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.
For more info on available support options for your Dropbox plan, see this article.
If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!