cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
Want to know more about how you can find anything and protect everything? Check it out here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using refresh token without client secret

Labels:

Using refresh token without client secret

johannesjo
Helpful | Level 5
‎03-16-2022 12:54 PM
Go to solution

I am using the PKCE flow for my electron based desktop & web app app and am trying to migrate for the new short lived tokens everywhere flow. I am able to get a refresh token by providing

token_access_type=offline

Now I am wondering how I can request a new accessToken without exposing my APP_SECRET (https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token).

Is there a way to do so?

Labels:
  • 0 Likes
  • 4 Replies
  • 2,041 Views
0 Likes
1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
‎03-16-2022 01:58 PM
Go to solution

Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.

 

Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:

curl https://api.dropbox.com/oauth2/token \
    -d refresh_token=<REFRESH_TOKEN> \
    -d grant_type=refresh_token \
    -d client_id=<APP_KEY>

 

View solution in original post

4 Replies 4

Greg-DB
Dropbox Staff
‎03-16-2022 01:58 PM
Go to solution

Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.

 

Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:

curl https://api.dropbox.com/oauth2/token \
    -d refresh_token=<REFRESH_TOKEN> \
    -d grant_type=refresh_token \
    -d client_id=<APP_KEY>

 

johannesjo
Helpful | Level 5
‎03-18-2022 09:41 AM
Go to solution

Thanks for the quick response. Unfortunately this leads to an `invalid_request` error (400):
```

The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters.

```

0 Likes

johannesjo
Helpful | Level 5
‎03-18-2022 09:44 AM
Go to solution

Never mind! I had the wrong Content-Type header set. Seems to work fine now. Thank you very much!

 

Maybe this should be added to the documentation under the examples section?

0 Likes

Greg-DB
Dropbox Staff
‎03-18-2022 10:33 AM
Go to solution

Thanks for following up. I'm glad to hear you got this working.

 

Yes, I've asked the team to add that example to the documentation.

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Greg-DB Dropbox Staff
  • User avatar
    johannesjo Helpful | Level 5
What do Dropbox user levels mean?