Forum Discussion
pcworld, 8 years ago, Explorer | Level 3
Exposing client_secret when only implicit grant is used
I am the developer of an API v1 app that I'm in the process of migrating to API v2 and OAuth 2. For security and privacy reasons, the users' auth tokens are never sent to any third party servers (i....
Greg-DB, 8 years ago, Dropbox Staff
Hi,
"the /token/from_oauth1 API call, which however requires the client_secret (I don't understand why though)"
The /2/auth/token/from_oauth1 endpoint is an API v2 endpoint and isn't signed using the normal OAuth 1 protocol, but it does require all four token pieces (app key, app secret, access token key, access token secret) in order to maintain the same authentication requirements as an actual OAuth 1 call.
"I only use the implicit grant flow. Would there be any security implications if I exposed the client_secret in order to perform the from_oauth1 call client-side"
I can't offer general security advice, so if you have any security questions, you should contact a security professional.
That said, you're correct that the app secret is used by the OAuth 2 "code" flow (and not the "token" a.k.a. "implicit" flow). With both the app key and secret, an attacker may be able to convince the user to give them an access token for their account and your app by using the "code" flow without a redirect URI.
The app secret is also used to sign webhook notifications.
"my app currently exposes the old API v1 "key" (there was no way of avoiding that without using a third party server for authentication). Can the current client_secret be derived from this?"
No, the app secret cannot be derived from the app key. The app key is generally considered public, so it's ok to expose it.
Hope this helps!
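The webhook point above has a concrete defensive consequence. Dropbox signs each webhook notification with an HMAC-SHA256 over the raw request body, keyed with the app secret, and sends the hex digest in the X-Dropbox-Signature header; the verifier below (an added example, not code from this thread or from the Dropbox SDK) shows why that secret has to stay server-side: the same key that lets your server check a notification is the only thing standing between a forged one and a real one. The secret and notification body are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional


def sign_webhook_body(app_secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body, keyed with the app secret."""
    return hmac.new(app_secret, body, hashlib.sha256).hexdigest()


def verify_webhook(app_secret: bytes, body: bytes,
                   signature_header: Optional[str]) -> bool:
    """Return True only if the header matches the body under our secret.

    Verify the raw bytes before JSON-decoding them, and use a constant-time
    comparison so the check does not leak how many leading bytes matched.
    """
    if not signature_header:
        return False
    expected = sign_webhook_body(app_secret, body).encode("ascii")
    return hmac.compare_digest(expected, signature_header.encode("utf-8"))


# Constructed placeholders; a real deployment reads the secret from its
# server-side configuration and never ships it to a browser or mobile client.
APP_SECRET = b"example-app-secret-placeholder"
NOTIFICATION = b'{"list_folder":{"accounts":["dbid:EXAMPLE"]},"delta":{"users":[12345]}}'


def demo() -> dict:
    """Exercise the accept and reject paths of the verifier."""
    good = sign_webhook_body(APP_SECRET, NOTIFICATION)
    tampered = NOTIFICATION.replace(b"12345", b"99999")
    return {
        "valid": verify_webhook(APP_SECRET, NOTIFICATION, good),
        "tampered_body": verify_webhook(APP_SECRET, tampered, good),
        "missing_header": verify_webhook(APP_SECRET, NOTIFICATION, None),
        "wrong_secret": verify_webhook(b"some-other-secret", NOTIFICATION, good),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```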