Dropbox API Support & Feedback
I want to develop a Dropbox Desktop app that would retrieve an access token via a web service (which in turn would perform OAuth2 authentication and then give the user a magic key that he can enter in his desktop app to retrieve a valid access token) and store this access token on the client's machine (so that the client can access the Dropbox API without going through the backend of my service). Now, as the client has access to the token (or at least could extract it from the application), he could make calls to the API himself and possibly misuse this by performing e.g. too many calls. Since the access token will be associated with my application, it could lead to a ban I imagine. Is there any way to make sure that users don't misuse access tokens provided to them, or to monitor usage of individual tokens and possibly revoke them?
Run your own web service and tunnel all Dropbox access via that. Other than that, if both the application token and the client token is available to me locally, there's absolutely nothing you can do to stop me extracting and using them. You have already put them in an environment you cannot control, so there is nothing you can do to ultimately secure them from a determined attacker.
Thanks, but how are other desktop apps handling this? Tunneling the traffic through my service seems a bad choice to me since it will create a lot of extra cost and pose an additional security risk for the client (since his/her data is passing through another third-party service before going to Dropbox).
Other desktop apps probably aren't worrying about it - it's no different to the situation with Android apps etc. in reality. If someone wants your app key, then when it's on a user's device it's trivial to get at.
Data going through your service wouldn't be a security issue, as they are already fine with it going through your app and your app could be doing anything at all. But yes, it would be expensive - but that's the trade-off.
OK I see, just wanted to know how other people handle this, as you said it's the same issue for Android apps etc. I think this problem can't be solved using the normal OAuth2 flow, since what would be needed is a way to authorize individual requests of the client through my backend (i.e. client asks backend to allow him to call a given endpoint URL through the Dropbox API, the backend requests authorization for this from the Dropbox API and sends the client a one-time access code for this). Rate-limiting of individual client access tokens would be another solution I guess.
So, final question: Is it considered acceptable to provide a desktop application with an access token obtained through the API then?
For reference, the Dropbox API does have a rate limiting system, but it is per-user, so you don't need to worry about a single user getting your entire app (and other users) rate limited.
And yes, it is normal and acceptable that desktop apps will handle the user's access token locally.
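The hand-off sketched in the opening post (the backend completes OAuth2, then gives the user a short-lived, single-use code that the desktop app redeems for the access token), as an added Python example that is not part of this thread and not Dropbox's own code; the token value and the in-memory store are constructed placeholders, and the `clock` parameter is an assumption added so expiry can be tested deterministically.

```python
import hashlib
import secrets
import time

# Constructed placeholder: in a real backend this is the token obtained from
# the Dropbox OAuth2 flow for this user, looked up from the user's web session.
CONSTRUCTED_TOKEN = "EXAMPLE-ACCESS-TOKEN-PLACEHOLDER"


class MagicKeyExchange:
    """Issues single-use, short-lived codes that a desktop app redeems for a token.

    The code is what the user types into the desktop app. Only its SHA-256 digest
    is stored, so a leaked store does not by itself yield redeemable codes, and
    each code is removed on first redemption so it cannot be replayed.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for tests; defaults to wall clock
        self._pending = {}           # sha256(code) -> (access_token, expires_at)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, access_token):
        """Mint a fresh unguessable code (~192 bits) bound to one access token."""
        code = secrets.token_urlsafe(24)
        self._pending[self._digest(code)] = (access_token, self._clock() + self._ttl)
        return code

    def redeem(self, code):
        """Return the token for a valid code exactly once, else None."""
        entry = self._pending.pop(self._digest(code), None)  # pop => single use
        if entry is None:
            return None
        access_token, expires_at = entry
        if self._clock() > expires_at:
            return None              # expired codes are discarded, never honoured
        return access_token

    def purge_expired(self):
        """Drop stale entries (run periodically); returns the number still pending."""
        now = self._clock()
        self._pending = {k: v for k, v in self._pending.items() if v[1] >= now}
        return len(self._pending)
```

Once redeemed, the desktop app keeps the token locally (as the thread concludes is normal), and the backend never has to proxy API traffic.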