Forum Discussion

Collaborator | Level 9

3 years ago

Unclear about PKCE and .NET SDK

Hi, Firstly, I'm getting 404's on all your documentation at the moment, so I'm unable to look it up. e.g. the link https://dropbox.github.io/dropbox-sdk-dotnet/html/M_Dropbox_Api_Files_Routes_...

API

donaldp
3 years ago
Hi again Greg-DB ,

I've been reading through the doco, and I've found what's confusing me...

In the examples you've given, a RedirectURI is being used, but I'm not using that - I'm not launching the browser from the app, I'm just going directly to the authorise link from a shortcut in the browser and then copying the code into the app. So I'm not doing the steps from lines 183-198, I'm picking up the process from line 199 - ProcessCodeFlowAsync, and I've been doing this "ProcessCodeFlowAsync(Code,APIkey,AppSecret)".

But the info for that says...

"
Processes the second half of the OAuth 2.0 code flow. Uses the codeVerifier created in this class to execute the second half.

Declaration
public Task<OAuth2Response> ProcessCodeFlowAsync(string code, string appKey, string redirectUri = null, HttpClient client = null)
"
So, since the RedirectURI is optional, and I've opted out, that looks to me like I can just call ProcessCodeFlowAsync(code,appkey) and that's it? Don't need to use the secret at all now?

Ah! I think I have it now (in fleshing this out a bit). I've used DropboxOAuth2Helper.ProcessCodeFlowAsync(Code,APIkey,AppSecret) to date, but now I would use PKCEOAuthFlow.ProcessCodeFlow(Code,APIKey) and the rest is done automagically? The same method name in 2 different classes had me thinking it was the exact same method, and thus the confusion. I think I just need to convert to using the latter instance now?

thanks,
Donald.

Greg-DB

Dropbox Staff

The .NET SDK documentation is currently available here. Click the "API Documentation" link at the top to access specific classes/methods.

The PKCE flow is the right thing to use for client-side apps, such as desktop apps. The SDK will still do most of the work for you. You can find an example of using the PKCE flow with the .NET SDK here. For instance, here's where where you start the flow and have the SDK build the authorization URL (without the app secret; it handles the PKCE code verifier/secret automatically internally for you), and here's the line where it processes the result to return the access token and refresh token. From there, you can make a client (with the refresh token and app key, but not app secret) and the SDK will handle the refresh process for you automatically.

donaldp

Collaborator | Level 9

3 years ago

Hi again Greg-DB ,

I've been reading through the doco, and I've found what's confusing me...

In the examples you've given, a RedirectURI is being used, but I'm not using that - I'm not launching the browser from the app, I'm just going directly to the authorise link from a shortcut in the browser and then copying the code into the app. So I'm not doing the steps from lines 183-198, I'm picking up the process from line 199 - ProcessCodeFlowAsync, and I've been doing this "ProcessCodeFlowAsync(Code,APIkey,AppSecret)".

But the info for that says...

"

Processes the second half of the OAuth 2.0 code flow. Uses the codeVerifier created in this class to execute the second half.

Declaration

public Task<OAuth2Response> ProcessCodeFlowAsync(string code, string appKey, string redirectUri = null, HttpClient client = null)

So, since the RedirectURI is optional, and I've opted out, that looks to me like I can just call ProcessCodeFlowAsync(code,appkey) and that's it? Don't need to use the secret at all now?

Ah! I think I have it now (in fleshing this out a bit). I've used DropboxOAuth2Helper.ProcessCodeFlowAsync(Code,APIkey,AppSecret) to date, but now I would use PKCEOAuthFlow.ProcessCodeFlow(Code,APIKey) and the rest is done automagically? The same method name in 2 different classes had me thinking it was the exact same method, and thus the confusion. I think I just need to convert to using the latter instance now?

thanks,

Donald.

Greg-DB
Dropbox Staff
3 years ago
That's correct, whether using PKCE or not, use of a redirect URI optional. Using PKCE just eliminates the use of the app secret in favor of a code challenge/verifier (which the SDK PKCE flow handles for you).
- donaldp
  Collaborator | Level 9
  3 years ago
  Thank you Greg-DB ! Glad we worked that out in the end. Yeah, wasn't clear to me that it was 2 different methods of the same name (since I was skipping all those previous steps in my process and just picking up at ProcessCodeFlowAsync. The latter instance is the helper I was looking for). No disrespect to you, but I'll mark my previous comment as the answer, because that's the key information that confused people like me need to find if they land here. 🙂 But thanks for being my rubber duck today. 😉 (and crucially also, providing me with the correct links to the doco)

About Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

5,877 PostsLatest Activity: 8 hours ago

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!

Forum Discussion

Unclear about PKCE and .NET SDK

About Dropbox API Support & Feedback

Related Content

pkce web auth does not work

Can't get PKCE access token uses javascript fetch request

Why Auth.getDbxCredential method returns null after PKCE authentication (Dropbox Android JDK) ?

Need help generating a pkce refresh token in a javascript PWA

Migration to new scopes necessary BEFORE migrating to PKCE and SLT

Recent Discussions

Trying to download a file, but no file is being downloaded.

Dropbox internal error occured - Resolution

How to add the entire team to team folder by api

API Upload .HEIC and convert to JPG

Invalid Folder Name with Team API