Curious about A, B, C, and D drives? Learn what they mean and how to use them effectively with Dropbox in this handy guide! - check it out now!

Forum Discussion

Vivek_Yadav's avatar
Vivek_Yadav
New member | Level 1
2 months ago

Dropbox OAuth2 Issue: Scope Parameter Handling

According to OAuth2 Authorization documentation, the scope parameter is nullable, and as per RFC 6749, parameters without a value must be treated as omitted, with unrecognized parameters ignored.   ...
API
authentication
DB-Des's avatar
DB-Des
Icon for Dropbox Engineer rankDropbox Engineer
2 months ago

Hi Vivek_Yadav,

Including the scope parameter without value in the Auth URL does omit it and allows authorization to continue.

For example, the following two Auth URLs work without issues:

  • https://www.dropbox.com/oauth2/authorize?client_id=<APP_KEY>&response_type=code&scope
  • https://www.dropbox.com/oauth2/authorize?client_id=>APP_KEY>&response_type=code&scope=

 

In order to further investigate the error you have reported, please reply with:

  • the steps to reproduce the issue, including relevant code snippet(s), but don't include any access or refresh token(s)
  • the full text of any error or unexpected output
Vivek_Yadav's avatar
Vivek_Yadav
New member | Level 1
2 months ago

Hi DB-Des

This happens when we send the token request with grant type as authorization code and empty scope parameter i.e. without a value.
Based on the RFC, Dropbox should be ignoring parameters they don't recognize as valid, not failing the request.
Last para of RFC 6749 - The OAuth 2.0 Authorization Framework

  • Vivek_Yadav's avatar
    Vivek_Yadav
    New member | Level 1
    2 months ago
  • DB-Des's avatar
    DB-Des
    Icon for Dropbox Engineer rankDropbox Engineer
    2 months ago

    Hi Vivek_Yadav 

    The oauth2/token endpoint allows the scope parameter only with a refresh_token because it aligns with OAuth 2.0 standards and best practices.

    When using a refresh token, the scope parameter lets you request a subset of the originally granted permissions, ensuring least-privilege access and better security. For other grant types (such as authorization_code in your example), the scope is determined during the initial authorization process, based on user consent. Allowing the scope parameter in these cases could bypass this consent, potentially introducing security risks.

    Further, RFC 6749 § 4.1.3, does not require the scope parameter, nor does it list it as optional, when using authorization_code as the grant type.

    This restriction ensures compliance with the OAuth specification and helps maintain secure, user-approved access to resources.

    Let us know if you have further concerns.

    • Vivek_Yadav's avatar
      Vivek_Yadav
      New member | Level 1
      2 months ago

      In that case Dropbox should ignore the unrecognized parameter, right??

      I'm trying through setup the OAuth for an application which sends the scope on the token request for all provider, and according to them Dropbox should omit the unrecognized parameter.

       

      • DB-Des's avatar
        DB-Des
        Icon for Dropbox Engineer rankDropbox Engineer
        2 months ago

        Vivek_Yadav,

        I have submitted a request for the team to further investigate the reported issue. We'll follow up here once there is an update.

About Dropbox API Support & Feedback

Node avatar for Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.5,961 PostsLatest Activity: 3 hours ago
356 Following

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!