How does Redirect URI in App Console work

Question

Hello,

I am developing an application where I want to integrate Dropbox with the Python SDK and later on I want to have webhooks.

I don't want my application to be publicly accessible, but I know that because of webhooks I need to have a publicly accessible URI.

How does that work with the Redirect uri when I request an access token for example? I define an URI like http://127.0.0.1:port/.. and the same URI in the application, and it works just fine. Is my application publicly accessible somehow here? Or the only time when it is really publicly accessible is only when Dropbox needs to send the webhook notification?

I am asking this because I am trying to implement the whole application on a private Git repository but the Dropbox service on a public Git repository, but I am encountering problems with csrf tokens and obviously everything needs to be in one place so it is not considered a CSRF attack.

I want to figure out if it is really neccessary to divide those two things (when implementing the basic functions like obtaining the access token and getting the files), or I need that public Git rep only for webhooks.

Greg-DB · Accepted Answer

OAuth 2 redirect URIs and webhook URIs serve different purposes, and are registered separately. They do not need to be identical, or even share a domain. You can find more information on how the OAuth app authorization works, including the use of OAuth 2 redirect URIs, in the OAuth guide. You can find more information on using webhooks in the webhooks documentation.

OAuth 2 redirect URIs don't technically need to be publicly accessible. They just need to be accessible to the user going through the OAuth 2 app authorization flow. In your example, http://127.0.0.1:port/, the redirect URI is on 127.0.0.1, which is localhost, not a public address. (To what extent your local computer/server is publicly accessible is unrelated to Dropbox itself.)

Webhook URIs, on the other hand, do need to be publicly accessible, since the Dropbox API servers need to be able to access them in order to send the webhook notifications.