giovaniluigi
Explorer | Level 3
3 years ago

Intermittent "code has expired", on authorization with .NET SDK

I have integrated Dropbox into a software running on a touch-screen kiosk type Win10 machine, using the provided .NET SDK.

 

Because a web browser is not available, the user has to generate a Dropbox authorization code on his desktop computer, and then type the long received code into our software, so that the SDK can exchange the authorization code for a token.

 

To get the token I am using:

 

await DropboxOAuth2Helper.ProcessCodeFlowAsync(authorizationCode, appKey, appSecret);

 

 

With the received token, I am then building an instance of the client:

 

// httpClient: the application's HttpClient instance
var client = new DropboxClient(token, new DropboxClientConfig() { HttpClient = httpClient });

 

 

However, on average, 2 out of 3 attempts will throw an OAuth2Exception with message: invalid_grant and error description: code has expired (within the last hour)

Sometimes, after successful authentication the token seems to get revoked by the server after a while.

 

These machines are running on an older version of Win10 (from 2015/2016) and cannot be updated.
Recently I have updated them to use TLS 1.2.

 

This has been going on since I integrated, more than a year, and recently seems to happen more and more frequently.

  • Scott-DB
    3 years ago

    Hi @giovaniluigi,

     

    Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.

     

    It seems, though, that more at issue is the exchange of a code for a token. If I understand correctly, all codes must be transferred manually from the computer to your kiosk, and so it's possible your users are sometimes taking more than the five minutes these tokens are valid for. In addition, if they don't type it in exactly correctly then it won't work.

     

    Your use case sounds like what the OAuth 2.0 Device Authorization Grant was designed for. However, currently Dropbox does not offer this flow. I will, however, bring this up with our team to see if we can in the future.

  • Здравко
    Legendary | Level 20

    giovaniluigi wrote:

    ...

    Sometimes, after successful authentication the token seems to get revoked by the server after a while.

    ...


    Hi giovaniluigi,

    You should keep in mind that all new access tokens are short-lived access tokens (you can distinguish them by the starting "sl."). Although an existing long-lived access token can still be used (if you kept any), new ones cannot be issued anymore (they were deprecated some time ago and issuing has already been dropped). If you want processing within your application without disturbing the user for re-authentication, a refresh token should be used. The refresh token doesn't expire by itself (until explicitly revoked). You are constructing your Dropbox client object using the access token alone (with the constructor here)! That's where your issue is coming from - an access token can stay alive for 4 hours, at most. Use another constructor (suitable in your case) that relies on a refresh token instead. 😉

    Good luck.
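
The refresh-token approach recommended in the reply above, shown with the Dropbox .NET SDK as an added example (not code from any poster in this thread or from Dropbox). The `KioskDropboxAuth` class, the token file name and the `httpClient` parameter are assumptions, and it assumes the authorization URL the user opened requested `token_access_type=offline`.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Threading.Tasks;
using Dropbox.Api;

public static class KioskDropboxAuth
{
    // Hypothetical storage location. On a shared kiosk, protect this file
    // (for example with DPAPI or a restrictive ACL): it grants long-term access.
    private const string RefreshTokenPath = "dropbox_refresh_token.txt";

    // One-time step: exchange the typed-in authorization code exactly once.
    public static async Task<DropboxClient> LinkAsync(
        string authorizationCode, string appKey, string appSecret, HttpClient httpClient)
    {
        OAuth2Response response;
        try
        {
            response = await DropboxOAuth2Helper.ProcessCodeFlowAsync(
                authorizationCode.Trim(), appKey, appSecret);
        }
        catch (OAuth2Exception ex)
        {
            // e.g. Message "invalid_grant", ErrorDescription "code has expired ...".
            // Authorization codes are single-use: ask the user for a fresh code
            // instead of retrying the same one.
            throw new InvalidOperationException(
                $"Code exchange failed: {ex.Message} ({ex.ErrorDescription})", ex);
        }

        // A refresh token is only returned for offline access requests.
        if (string.IsNullOrEmpty(response.RefreshToken))
            throw new InvalidOperationException(
                "No refresh token returned; request token_access_type=offline.");

        File.WriteAllText(RefreshTokenPath, response.RefreshToken);
        return Connect(appKey, appSecret, httpClient);
    }

    // Every later start: build the client from the stored refresh token so the
    // SDK renews the short-lived access token itself.
    public static DropboxClient Connect(string appKey, string appSecret, HttpClient httpClient)
    {
        string refreshToken = File.ReadAllText(RefreshTokenPath).Trim();
        var config = new DropboxClientConfig() { HttpClient = httpClient };
        return new DropboxClient(refreshToken, appKey, appSecret, config);
    }
}
```

Call `LinkAsync` once when the user types the code, and `Connect` on every later start of the kiosk software.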

    • giovaniluigi
      Explorer | Level 3

      Thanks Здравко for your answer on that problem. I imagined the temporary revoke would be a problem related to the time limit mentioned in recent posts, but I thought the SDK would still work.

      These are breaking changes... We don't see that often these days.

       

      Now that still does not answer the issue while trying to exchange the authorization code for a token.
      That one is currently my biggest issue.
      I don't see how a server that issues an authorization code would say that this same code has expired a few seconds after generating it.
      To me that is nonsense. But that is what the SDK says on the exception.

       

      • Здравко
        Legendary | Level 20

        giovaniluigi wrote:

        ... I imagined the temporary revoke would be a problem related to the time limit mentioned in recent posts, but I thought the SDK would still work.

        These are breaking changes... We don't see that often these days.

        ...


        😯 Wow... If you have seen that is less than 100% after 4 hours... 🙂 You have discovered something like perpetuum-mobile. 😁 But while working for you it's Ok.

         

        About the rest. 🤔 Some piece of code reproducing the issue (a piece that can be compiled and run) would be a good starting point. Let's hope there is somebody here able to direct you through once there is an example to evaluate.