We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.

Forum Discussion

johannesjo's avatar
johannesjo
Helpful | Level 5
3 years ago

Using refresh token without client secret

I am using the PKCE flow for my electron based desktop & web app app and am trying to migrate for the new short lived tokens everywhere flow. I am able to get a refresh token by providing

token_access_type=offline

Now I am wondering how I can request a new accessToken without exposing my APP_SECRET (https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token).

Is there a way to do so?

  • Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.

     

    Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:

    curl https://api.dropbox.com/oauth2/token \
        -d refresh_token=<REFRESH_TOKEN> \
        -d grant_type=refresh_token \
        -d client_id=<APP_KEY>

     

  • Greg-DB's avatar
    Greg-DB
    Icon for Dropbox Staff rankDropbox Staff

    Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.

     

    Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:

    curl https://api.dropbox.com/oauth2/token \
        -d refresh_token=<REFRESH_TOKEN> \
        -d grant_type=refresh_token \
        -d client_id=<APP_KEY>

     

    • johannesjo's avatar
      johannesjo
      Helpful | Level 5

      Thanks for the quick response. Unfortunately this leads to an `invalid_request` error (400):
      ```

      The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters.

      ```

      • johannesjo's avatar
        johannesjo
        Helpful | Level 5

        Never mind! I had the wrong Content-Type header set. Seems to work fine now. Thank you very much!

         

        Maybe this should be added to the documentation under the examples section?

About Dropbox API Support & Feedback

Node avatar for Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

5,877 PostsLatest Activity: 12 months ago
325 Following

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!