palant
7 years ago · New member | Level 2
Authorization via copy/paste of OAuth2 access token?
PfP: Pain-free Passwords is normally used as a browser extension, but I also provide a web client. That web client is supposed to be downloaded and run from the local file system, so there is no real redirect URI to receive the authorization token. With Google Drive, a special urn:ietf:wg:oauth:2.0:oob URI can be specified as the redirect URI. This will produce a page with the authorization code that the user can copy manually and paste into the application - that's the only way authorization can work in my case. Does Dropbox provide functionality like that? If not, could it be added maybe?
Of course, I could put up a page on my website that will display the authorization token to the user. However, this means that users have to trust my website. The very point of downloading the web client is that they don't need to trust the server.
- Greg-DB (Dropbox Staff): Yes, if you use response_type=code and omit the redirect_uri parameter entirely, Dropbox will display the authorization code to the user on the Dropbox web site so they can copy/paste it.
- palant (New member | Level 2): I'll try that. So far I didn't test the code flow because my understanding is that using client secret isn't optional then. This is suboptimal in my case given that the web client cannot keep secrets. Google Drive allows omitting the client secret for client-only applications.
- Greg-DB (Dropbox Staff): That's correct, the client secret is required for the code flow.
If you want to use the token flow, you can use response_type=token and redirect_uri=https://www.dropbox.com/1/oauth2/display_token (as long as you register "https://www.dropbox.com/1/oauth2/display_token" for your app). The token flow doesn't require the client secret, and the display_token page will just show the access token itself to the user for copy/pasting it.
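
The two authorization requests described in the replies above, as an added JavaScript example that is not part of the original thread and not Dropbox's own code. It assumes the authorize endpoint `https://www.dropbox.com/oauth2/authorize`, a placeholder app key and hypothetical helper names, and it checks the pasted token against the RFC 6750 bearer-token syntax so that a bad paste cannot inject header content.

```javascript
// Added example, not from the thread. The authorize endpoint, the placeholder
// app key and the helper names are assumptions of this example.
const AUTHORIZE_ENDPOINT = "https://www.dropbox.com/oauth2/authorize";
const DISPLAY_TOKEN_URI = "https://www.dropbox.com/1/oauth2/display_token";

// Build the URL the user opens in a browser tab to approve the app.
function buildAuthorizeUrl(appKey, flow) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("client_id", appKey);
  if (flow === "token") {
    // Token flow: no client secret; the registered display_token page
    // shows the access token for copy/paste.
    url.searchParams.set("response_type", "token");
    url.searchParams.set("redirect_uri", DISPLAY_TOKEN_URI);
  } else if (flow === "code") {
    // Code flow: with redirect_uri omitted, Dropbox displays the code,
    // but redeeming it still requires the client secret.
    url.searchParams.set("response_type", "code");
  } else {
    throw new Error("flow must be 'token' or 'code'");
  }
  return url.toString();
}

// RFC 6750 b64token syntax: no whitespace, CR/LF, ':' or '#', so a pasted
// address-bar URL or multi-line text is rejected before reaching a header.
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

function parsePastedToken(input) {
  const token = String(input).trim();
  if (!B64TOKEN.test(token)) {
    // Do not echo the input back: it may contain part of a credential.
    throw new Error("pasted value is not a well-formed bearer token");
  }
  return token;
}

function authorizationHeader(pasted) {
  return { Authorization: "Bearer " + parsePastedToken(pasted) };
}

// Constructed sample values, not real credentials.
console.log(buildAuthorizeUrl("APP_KEY_PLACEHOLDER", "token"));
console.log(Object.keys(authorizationHeader("  constructed-Sample_token.123 \n")));
```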