dropbox.exceptions.AuthError: expired access token

af11 · ‎02-27-2022

When I run an app I developed, I get an error.

dropbox.exceptions.AuthError: AuthError('89ade68e26bd49d592d01bfbfae5659b', AuthError('expired_access_token', None))

What could be wrong with my OAuth code?


def oauth_flow():
    return DropboxOAuth2Flow(
        APP_KEY,
        'https://dropbox-notifications.herokuapp.com/oauth-callback',
        session,
        'dropbox-auth-csrf-token',
        APP_SECRET
    )

@app.route('/oauth-callback')
def oauth_callback():
    auth_result = oauth_flow().finish(request.args)
    access_token = auth_result.access_token
    account = auth_result.account_id

    redis_client.hset('tokens', account, access_token)

    process_user(account)

    return redirect(url_for('done'))

@app.route('/login')
def login():
    return redirect(oauth_flow().start())

Thank you

Greg-DB · ‎02-28-2022

That's correct, Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.

Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation.

For reference, while the creation of new long-lived access tokens is now deprecated, we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, you can continue using existing long-lived access token(s) without interruption, if you have any. Also, note though that after the change you won't be able to create new long-lived access tokens.

While the change began on September 30th 2021, we're releasing it gradually, so you may not have seen your app(s) affected until now. Once it applies to your app, it would apply regardless of the "Access token expiration" setting for your app, and that setting may no longer be available for your app.

You can find an example of getting and setting the refresh token with the Dropbox API v2 Python SDK here.

View solution in original post

Здравко · ‎02-27-2022

Hi @af11,

At present all access tokens expire after 4 hours. In your example you are relying on access token only without refresh token! If you want prolong your access without additional user interaction, code has to query 'offline' token type and you should care for the 'refresh_token' within result too, aside of 'access_token'. By default the refresh token doesn't expire. Use it in client object initialization too.

Greg-DB · ‎02-28-2022

That's correct, Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.

Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation.

For reference, while the creation of new long-lived access tokens is now deprecated, we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, you can continue using existing long-lived access token(s) without interruption, if you have any. Also, note though that after the change you won't be able to create new long-lived access tokens.

While the change began on September 30th 2021, we're releasing it gradually, so you may not have seen your app(s) affected until now. Once it applies to your app, it would apply regardless of the "Access token expiration" setting for your app, and that setting may no longer be available for your app.

You can find an example of getting and setting the refresh token with the Dropbox API v2 Python SDK here.

Johnson9070 · ‎03-23-2022

Hi Greg,
i can't get this to work.
i run:
=========================================================================
import dropbox
from dropbox import DropboxOAuth2FlowNoRedirect
APP_KEY = "4x7l7q37wevf5co"
APP_SECRET = "<redacted>"
auth_flow = DropboxOAuth2FlowNoRedirect(APP_KEY,
consumer_secret=APP_SECRET,
token_access_type='offline',
scope=['files.metadata.read'])
authorize_url = auth_flow.start()
print("1. Go to: " + authorize_url)
print("2. Click \"Allow\" (you might have to log in first).")
print("3. Copy the authorization code.")
auth_code = input("Enter the authorization code here: ").strip()
try:
oauth_result = auth_flow.finish(auth_code)
# Oauth token has files.metadata.read scope only
assert oauth_result.scope == 'files.metadata.read'
except Exception as e:
print('Error: %s' % (e,))
exit(1)
with dropbox.Dropbox(oauth2_access_token=oauth_result.access_token,
oauth2_access_token_expiration=oauth_result.expires_at,
oauth2_refresh_token=oauth_result.refresh_token,
app_key=APP_KEY,
app_secret=APP_SECRET):
print("Successfully set up client!")
=========================================================================
I get 'Successfully set up client!'
Where do i go from here ?
I'm developping an app which downloads it's config files from dropbox at the start. At the moment i need to regenerate the token every 4h ....
Any advantages for this kind of project if i take the business dropbox ?
Cheers ? John

Greg-DB · ‎03-23-2022

If you're getting "Successfully set up client" from that code, that indicates you've processed the app authorization flow and should now have the necessary credentials, so you can use that dropbox.Dropbox object to make calls. That particular example just shows the authorization flow, but you can save that object like 'with dropbox.Dropbox(<credentials as shown>) as dbx' or 'dbx = dropbox.Dropbox(<credentials as shown>)' and then use the 'dbx' object to make whatever API calls you need. As long as you give it those credentials and the credentials are still valid, the SDK will perform the refresh for you automatically.

Johnson9070 · ‎03-26-2022

Hi Greg,

Does this mean that the user gets the logon window to authorize each time ?

Cheers , John

Здравко · ‎03-26-2022

@Greg-DB wrote:
... and then use the 'dbx' object to make whatever API calls you need. As long as you give it those credentials and the credentials are still valid, the SDK will perform the refresh for you automatically.

@Johnson9070, If there is automatic access token refresh, why are you thinking that authorization would be ever need anew (I assume wouldn't explicitly revoked somehow)?! 🤷 Refresh token doesn't expire itself, despite regular access token expire after 4 hours. Whenever needed the SDK will take care to "refresh" regular access token using the refresh token. 😉 That's it. It's up to you to call method(s) needed to perform desired action in your application; nothing more once authenticated already.

Good luck.

Johnson9070 · ‎03-26-2022

Hi ,

I'm relatively new at python.

At the moment i log on like this:

def Dropbox_logon(self):
    self.dbx = dropbox.Dropbox(self.token)
    x = self.dbx.users_get_current_account()
    print('Logon ok')

I'm a bit lost how to write this with the auth flow.

Здравко · ‎03-26-2022

🤔 To be honest, I'm not sure what exactly you are looking for.

You have OAuth flow completed already and received corresponding authentication info (oauth_result.access_token, oauth_result.expires_at, and oauth_result.refresh_token); take a look on your post above. You can keep this entire information in the same way you do for your access token (the only thing seems you are keeping now). You can have fields like 'self.access_token', 'self.expires_at', and 'self.refresh_token' in your class (for example), instead of 'self.token' only. Isn't it? 😉 So, when you build a Dropbox client, like in your last post, you can perform it the same way like in your previous post.

What confused you actually and so you have wiped out the correct initialization? 🤷 Just take one more look on your own post above! If need learn little more the basic Python syntax.

Hope this gives some direction.

marksmithhfx · ‎03-29-2022

I see in the documentation it says this "If the <token_access_type> is omitted, the response will default to returning a long-lived access_token if they are allowed in the app console. If long-lived access tokens are disabled in the app console, this parameter defaults to online". When I looked in the app console I could find a reference to long lived access tokens but, in another part of the documentation it shows a screen that has an "access token expiration (with options for short and long lived)" underneath the option to Generate Access Token. I do not see that on my screen however (ie. nothing underneath Generate Access Token to indicate the expiration period). I too need to dish out long lived access tokens to my users. Thanks for any clarification you can provide. PS both pieces of information were taken from documentation on the DropBox website today (under documentation). Thanks

dropbox.exceptions.AuthError: expired access token

dropbox.exceptions.AuthError: expired access token

Top contributors to this post