PaulELong
6 years ago | Helpful | Level 6
OAuth2 issues with Dropbox and Xamarin.Auth
I have Xamarin.Auth working with Google drive on Android/iOS/UWP, and I want to add support into my app for Dropbox. Xamarin.Auth is nice because I only have to write the code once, and it handles a ...
Greg-DB
Dropbox Staff
The /oauth2/authorize location is a web page, and you should just be sending the user there in their browser, so the browser should just make a GET request to it. There shouldn't be a body for that HTTP GET request, nor would Dropbox use any parameters sent in the body. The URL parameters on the URL path itself are used.
PaulELong
6 years ago | Helpful | Level 6
You mentioned above that "it's true that in the Dropbox OAuth 2 implementation, as a security feature, when using the "code" flow, the redirect URI (if provided) must start with https:// (except for localhost addresses)." And then you mention "use the "token" flow instead". What I'm showing you above is that the GET request my app sends has set the parameter response_type=token as per the documentation link you provided above.
However, the result is that Dropbox returns an error stating "Invalid redirect_uri. When response_type=code, redirect_uri must start with "https://", unless it's a localhost URI."
Why am I getting this message?
- Greg-DB | 6 years ago | Dropbox Staff
I'm not sure exactly what you were outputting for that GET request. Can you clarify exactly what you're logging and what is actually being sent to Dropbox? In your sample you repeated the 'response_type' parameter, which isn't expected. It's unclear if that's repeated in the URL parameters themselves, or if one is in the URL parameters and one is in the request body, for instance.
Here are a few examples I just put together for reference, based on your output above, using your deep link redirect URI. You can try them directly in your browser by clicking on them.
This is a valid /oauth2/authorize URL for the token flow:
https://www.dropbox.com/oauth2/authorize?response_type=token&client_id=aa0sxbl9gon603m&redirect_uri=com.paulyshotel.testcloud%3A%2F%2Foauth2rediect%2F&state=c4045458ac394ad78752fad786151f5e
Dropbox allows this configuration.
This is an invalid /oauth2/authorize URL for the code flow:
https://www.dropbox.com/oauth2/authorize?client_id=aa0sxbl9gon603m&redirect_uri=com.paulyshotel.testcloud%3A%2F%2Foauth2rediect&scope=&response_type=code
Dropbox rejects this configuration with "Invalid redirect_uri. When response_type=code, redirect_uri must start with "https://", unless it's a localhost URI.".
This is an invalid /oauth2/authorize URL:
https://www.dropbox.com/oauth2/authorize?response_type=token&client_id=aa0sxbl9gon603m&redirect_uri=com.paulyshotel.testcloud%3A%2F%2Foauth2rediect%2F&state=c4045458ac394ad78752fad786151f5e?client_id=aa0sxbl9gon603m&scope=&response_type=code
This is invalid, because you're supplying the 'client_id' and 'response_type' parameters twice, and since you're supplying an unexpected/undocumented 'scope' parameter. Dropbox rejects this configuration with "Invalid redirect_uri. When response_type=code, redirect_uri must start with "https://", unless it's a localhost URI." (Also, in your output your redirect URI was also specified twice, but I removed that for the sake of simplicity.)
If you do supply the 'response_type' parameter twice, it appears Dropbox will use the second one. (This isn't guaranteed though; supplying a single parameter twice is unexpected and the behavior should be considered undefined. Accordingly, please make sure you don't do so.) That may have been what was resulting in the confusing result, so please make sure you're only supplying each parameter once.
- PaulELong | 6 years ago | Helpful | Level 6
I found the solution, but to answer your question first, the text is output from a sniffer trace showing the HTTP Get request.
And you are right, in that the second response_type and client_id are a duplication. It confused me and at first I thought it was the HTTP body. One thing I didn't understand is that GetAuthorizeUri returns the URL plus the params. Xamarin.Auth requires just the URL, so I can just send "https://www.dropbox.com/oauth2/authorize", and I won't call GetAuthorizeUri at all, since OAuth2Authenticator takes care of building the request.
The reason there were two response_types where one was code type rather than token type was because I supplied the AccessTokenURL to OAuth2Authenticator, which is not needed in the case of token flow, as I understand. Since I started with a Dropbox API example for .NET and then plugged in each into the OAuth2Authenticator call, I mistakenly sent an AccessTokenUrl. I found out from looking at the Xamarin code, if AccessTokenUrl==NULL it will assume the implicit flow (token flow). Interestingly, and as a note to help others, I tried setting the AccessTokenUrl to null, which caused an exception. Instead I found this version worked and now I'm authenticating.
    authenticator = new Xamarin.Auth.OAuth2Authenticator(
        clientId: ApiKey,
        scope: "",
        authorizeUrl: new Uri("https://www.dropbox.com/oauth2/authorize"),
        redirectUrl: new Uri(RedirectUri),
        isUsingNativeUI: false);
Hope this information helps somebody else trying to get Xamarin.Auth working with Dropbox.
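Added example (not part of the thread and not Dropbox or Xamarin.Auth code): a small Python check for an authorize URL captured from a sniffer trace, flagging the two problems discussed above, repeated parameters and a code-flow request whose redirect_uri is neither https:// nor localhost. The sample URLs, the APP_KEY placeholder, the function names and the set of hosts treated as "localhost" are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: "localhost URI" means one of these hosts; the thread does not define it.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def redirect_ok_for_code_flow(redirect_uri):
    """Rule quoted in the thread: https://, unless it is a localhost URI."""
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" or parts.hostname in LOCAL_HOSTS


def check_authorize_url(url):
    """Return (effective_response_type, findings) for a captured authorize URL."""
    query = urlsplit(url).query
    findings = []
    if "?" in query:
        # Heuristic: a raw '?' inside the query usually means a second
        # parameter list was appended to an already complete URL.
        findings.append("second '?' inside query string")
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    for name, values in sorted(seen.items()):
        if len(values) > 1:
            findings.append(f"duplicate parameter: {name}={values}")
    # The thread reports that the last response_type appears to win (not
    # guaranteed), so the redirect rule is evaluated against the last value.
    effective = seen.get("response_type", [None])[-1]
    redirect = seen.get("redirect_uri", [""])[-1]
    if effective == "code" and redirect and not redirect_ok_for_code_flow(redirect):
        findings.append("code flow with non-https, non-localhost redirect_uri")
    return effective, findings


# Constructed sample URLs (placeholder app key and redirect URI, not from the thread).
BASE = "https://www.dropbox.com/oauth2/authorize"
REDIRECT = "com.example.app%3A%2F%2Foauth2redirect%2F"
TOKEN_FLOW = f"{BASE}?response_type=token&client_id=APP_KEY&redirect_uri={REDIRECT}&state=abc123"
CONCATENATED = TOKEN_FLOW + "?client_id=APP_KEY&scope=&response_type=code"

if __name__ == "__main__":
    for sample in (TOKEN_FLOW, CONCATENATED):
        print(check_authorize_url(sample))
```

On the concatenated sample the appended client_id is absorbed into the state value, so only response_type shows up as a duplicate; the stray '?' finding is what points at the second parameter list.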