You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
Dropbox for Business API Access token login process.
Hi There. I have an iOS apllication written in Objective-C. I have successfully integrated Dropbox API in my app and I can upload and download data from dropox even using the Access Token for it. ...
If you have a Dropbox Business API access token for an app with the "team member file access" permission and want to programmatically access a specific member's account using the Dropbox Objective-C SDK, you should use the DBTeamClient userClientWithMemberId: method. That will give you a DBUserClient you can use to access the user methods, such as listFolder. (It sets the "Dropbox-API-Select-User" header mentioned in the error message you shared.)
That would look like this:
DBTeamClient *teamClient = [[DBTeamClient alloc] initWithAccessToken:ACCESS_TOKEN]; DBUserClient *userClient = [teamClient userClientWithMemberId:memberID]; [[userClient.filesRoutes listFolder:path] setResponseBlock...
The member ID would be the team member ID (which starts with "dbmid:"). You can get those from membersList/membersListContinue, for instance.
Also, note that client-side applications, such as on iOS, can't keep secrets, such as access tokens, from a malicious user. For that reason, we don't recommend sharing/hard-coding access tokens in client-side applications. For example, in your described scenario, one team member could potentially extract the access token and use it to access another member's account.
Greg-DB
Dropbox Staff
Dropbox StaffYou can list all of the members of a team using membersList/membersListContinue. The result will contain each member's team member ID. You can also look up a specific member by email address or external ID using membersGetInfo.
A team member ID itself only identifies a particular member's account on a team. It doesn't itself give access to that member's account. You would need an access token to access an account. An access token for a "Dropbox Business API" app, such as you are using based on the output you shared previously, is for the entire Business team.
Using a Dropbox Business API access token for an app with the "team member file access" permission, you can specify the particular team member account you want to access in particular by specifying the team member ID as in the code in my previous comment. (This is the "member file access" feature documented here.)
End-users generally don't know, and don't have a way in the Dropbox UI, to access their own team member ID. This is something the Business API app should do for them (for instance, using the methods I described at the beginning of this message).
Anyway, since a Dropbox Business API access token enables access to the entire team, we don't recommend distributing it to every team member in client-side applications. It is generally meant to be used server-side, where it can be protected.
I have a similar question, But my use case is a bit different. let me explain what I am trying to do.
Once the admin has authorized the application and generated the access token. then I want my users/members to log in to their account in my application so that they can only access their data. I am using JavaScript SDK and I know there's a method `actAsUser(userId)` present in SDK for this. What I am doing is, I ask the member for their email, once they enter their email, I look up for the id using the teamMembersGetInfo method using that email. I pass the Id to 'actAsUser' method.
But there's an issue with this approach. Email id is a public thing any of the team members can put other member's email and they can act as that member.
for example: my email is zain@xyz.com. so any team member can put my email there and they can act as zain@xyz.com.
So my question is, is there some way using which I can authenticate the users?
- Greg-DB
zainulabideen No, authentication happens before the access token is retrieved, so if the client already has the access token, there isn't any further Dropbox account authentication. If you want to use the Dropbox Business API like this to connect to the entire team but let any arbitrary member use the integration, you'll need to enforce some additional layer of authentication in your own app's logic to enforce whatever access control you need. And, as above, you also shouldn't expose the access token to the client of any untrusted member.
Instead, if you want to authenticate each Dropbox user instead, you may prefer to use the Dropbox API, (e.g., with the Full Dropbox or App Folder permission) where each user authenticates and authorizes the app to access their own account only.
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
