We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.

Forum Discussion

dbox-arg0's avatar
dbox-arg0
Explorer | Level 4
2 years ago

Login to Dropbox from browser extension on Chrome

I'm using this fragment of code for OAuth URL:     self.m_dbxAuth.getAuthenticationUrl( self.m_fullReceiverPath, // [redirectUri] undefined, // [state] To help prevent cross...
  • Здравко's avatar
    Здравко
    2 years ago

    dbox-arg0 wrote:

    ...

    One bad thing: I still can't re-use the login code if I reload the page. I assume I'm doing something wrong, please see these steps

    ...


    Hi dbox-arg0,

    This isn't a bad thing, it's a normal thing - according the specification. The code you're receiving is "one shot" type - you can use it once and forget it. Where do you read that you would need it further?! 🧐 Wherever is this - it's wrong! 🤫

     


    dbox-arg0 wrote:

    ...

    3. Down the line this gets to the call getAccessTokenFromCode(), this returns a refresh token. Then the extension can access the files in my Dropbox folders

    ...


    Nice... 😇 That's exactly what you need, but where do you keep the received "refresh token" (the only token that never expire or until explicit revoke)? 🤔 If you forgot it here, you won't be able refresh your access token later (after the access token expires)!!!

     


    dbox-arg0 wrote:

    ...

    5. I have my login code 40h...tbG5pCng in local browser storage, so the first function I call is getAccessTokenFromCode() with it, and I get HTTP 400. Why just seconds ago this gave me a refresh token and now I got 400. In the broswer I can see that the URL is exactly the same as used in step 3 above.

    ...


    I hope you already know what's going wrong here. 😉 If not, take a look above once again.

     


    dbox-arg0 wrote:

    ...

    (Another question, I also get an access token, not only a refresh token, why is that, do I have to use it?)

    ...


    If you aren't using the refresh token in any way, why have you selected offline access? Do you really need offline access or not exactly? It's possible to implement your access in both ways. It's matter of your design decision. Read the resources, that Greg did link to above, once again and make your consistent decision - don't try mix different decisions.