We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.
Forum Discussion
Can't get PKCE access token uses javascript fetch request
I am trying to utilize the PKCE in a background script of chrome extension example shows the following: curl https://api.dropbox.com/oauth2/token \
-d code=<AUTHORIZATION_CODE> \
-d grant_typ...
yes!
that was the problem
my apologies I missed these arguments in the request URLhowever,
i am now getting the error{error: 'invalid_grant', error_description: 'invalid code verifier'}The URL includes both code_challenge and code_challenge_method
and looks like:https://www.dropbox.com/oauth2/authorize?response_type=code&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256
and the parameters sent to oauth2/token are:client_id=<client_id>&grant_type=authorization_code&code=<auth code from dropbox>&code_verifier=<128 char verifier>i also made sure that <code challenge> is a SHA256 hash of <128 char verifier> by testing it at https://emn178.github.io/online-tools/sha256.html
what am i missing?
Greg-DB
Dropbox Staff
Dropbox StaffThanks! That's helpful. I believe I see what's causing this now. Can you check what /oauth2/authorize URL you're using? Since you're trying to use the PKCE flow, you need to include the code_challenge and code_challenge_method parameters. If you don't include those though, this effectively becomes the non-PKCE flow, in which case when you don't supply the client_secret value when calling /oauth2/token, you'll get this "No auth function available for given request" error (since the non-PKCE flow requires the client secret).
So, in order to use the PKCE flow, make sure you're including the code_challenge and code_challenge_method parameters on your /oauth2/authorize URL when retrieving the authorization code.
yes!
that was the problem
my apologies I missed these arguments in the request URL
however,
i am now getting the error
{error: 'invalid_grant', error_description: 'invalid code verifier'}
The URL includes both code_challenge and code_challenge_method
and looks like:
https://www.dropbox.com/oauth2/authorize?response_type=code&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256
and the parameters sent to oauth2/token are:
client_id=<client_id>&grant_type=authorization_code&code=<auth code from dropbox>&code_verifier=<128 char verifier>
i also made sure that <code challenge> is a SHA256 hash of <128 char verifier> by testing it at https://emn178.github.io/online-tools/sha256.html
what am i missing?
- Greg-DB
The S256 method can be difficult to implement exactly correctly in code, and that tool you linked to is made by a third party so I can't say if it's producing exactly the format required for the OAuth 2 flow. You can refer to the code in the official Dropbox API v2 JavaScript SDK where this is done though. Alternatively, you could use the "plain" method (where the code challenge is just the code verifier) instead.
By the way, I don't know exactly what was contained in the cookies in the screenshot you posted, and I redacted them from the image anyway, but just to be safe, you may want to delete any old web browser sessions, as well as sign out of your current one, to invalidate any such cookies.
plain works well
thanks
the example given at https://dropbox.tech/developers/pkce--what-and-why- refers to node.js and is not valid in browsers
can you please show an example that will be valid in such environment as browsers?
thankswill check it
thanks for your help, it is much appriciated!
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
