You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
blobwriter
4 years agoExplorer | Level 4
OAuth2 w/ refresh tokens for hybrid apps
I have a little Cordova (I know react-native is cool now, but I strongly prefer Vue) app for Android+browser that uses Dropbox for sync, and for both platforms does auth by getting an OAuth2 bearer t...
- 4 years ago
No, such apps are not forced to have the user re-authorize every four hours. Client-side apps like this can request "offline" access to get refresh tokens if needed. There's an example of requesting offline access from a client-side app (a front-end browser app, in this sample) using the official Dropbox API v2 JavaScript SDK here.
The issue with the authorization URL you constructed is that the PKCE flow (which is how client-side apps can get offline access) is a form of the "response_type=code" flow, not "response_type=token".
I recommend letting the SDK build that URL for you, like in the example here. If you do want to build that directly though, you can find the full authorization documentation here.
Greg-DB
Dropbox Staff
No, such apps are not forced to have the user re-authorize every four hours. Client-side apps like this can request "offline" access to get refresh tokens if needed. There's an example of requesting offline access from a client-side app (a front-end browser app, in this sample) using the official Dropbox API v2 JavaScript SDK here.
The issue with the authorization URL you constructed is that the PKCE flow (which is how client-side apps can get offline access) is a form of the "response_type=code" flow, not "response_type=token".
I recommend letting the SDK build that URL for you, like in the example here. If you do want to build that directly though, you can find the full authorization documentation here.
blobwriter
4 years agoExplorer | Level 4
Thanks for the response Greg, always impressed with your responsiveness here.
So I got this working (the PKCE flow). However, having cached the access token in a local storage medium, requests to the Dropbox API the next day are rejected with a 401 error and "expired_access_token".
Ok, so I just have to write a little handler to catch it and ask for a new access_token using the refresh token (also stored). Simple enough. But how do I test this code? Can I request very-short-life-tokens (around 60s) just to test this handler? I know you can manually revoke access_tokens using authTokenRevoke(), but doing that seems to also revoke the associated refresh_token, so doesn't allow for testing of the (expired_access_token+valid_refresh_token) code path.
Edit: it seems that one should just pass the refresh token to the DropboxAuth object (which is, in turn, passed to the Dropbox object at instantiation), and DropboxAuth should(?) magically refresh access_tokens for me without having to write my own code. But just to clarify:
- the refresh_token is not itself single-use right? I don't have to somehow figure out when the DropboxAuth does a token refresh, in order to pull the (possibly new) refresh_token back out and overwrite the old refresh_token in storage?
- Instead, the actual case is that a new refresh_token is only received when you make the dbxAuth.getAccessTokenFromCode() call, using a valid pkce code?
- Greg-DB4 years agoDropbox Staff
There isn't a way to force an access token to expire soon or immediately, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though. So, to test the actual 'expired_access_token' error for any particular new short-lived access token, you would need to wait four hours. (You don't need to wait to test the refresh flow itself though; you can perform a refresh at any point.)
And yes, that's correct, the SDK code will handle the refresh for you, and refresh tokens are not single-use and Dropbox does not return a new refresh token on every refresh, so you don't need to retrieve and store and new refresh token every time. You only get a refresh token once per authorization flow, from getAccessTokenFromCode.
About Discuss Dropbox Developer & API
Make connections with other developers
795 PostsLatest Activity: 2 days agoIf you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.
For more info on available support options for your Dropbox plan, see this article.
If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!