Child Item

Best way to authorize more users on my app

Hi all,

my scenario is as follows:
1) mobile app
2) app server for redirect uri

I need to allow users to access their dropbox space from my application. So each user will have to authorize his copy of the app with dropbox by inserting user and pass.
My problem is that the response that the dropbox server sends to my server has no information about the user. I do not know if it is user A or user B to authorize. How can I solve this problem?

thanks in advantage

Find more posts tagged with

API

Abuse

Comments

Greg-DB

Can you elaborate on what you mean when you "the response that the dropbox server sends to my server has no information about the user"?

You can find information on how the result is returned to the redirect URI in the OAuth 2 /authorize documentation here:

https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

Note that there are two "flows": the "code" flow and the "token" flow. It sounds like you may be using the "token" flow, where the result is returned on the URL "hash" or "fragment". Browsers intentionally don't send this information to the server; it is only available client-side. For server-side redirect URIs, you should use the "code" flow instead. For the "code" flow, the result is returned in URL parameters, which are sent to the server.

donatz

Hi Greg,

thanks for the reply,
Yes, I am using flow code. As documented, the dropbox server replies by sending me the code (ex: Nhiajajoiqpqi912alalala). In my project the request_uri is the application that runs on the server and not the mobile app (it must always be available for callback). But I can not connect this code to one of my users, because I do not know which of my users has made the dropbox authorization request from the mobile app, and that code is related only to a user who made the request. I do not know if my problem is clear.

Greg-DB

When using the "code" flow, Dropbox will return an "authorization code" to your redirect URI. This authorization code is specific to the Dropbox user that authorized the app. You should then exchange this authorization code for an access token using /oauth2/token. In addition to the access token, that endpoint will return the account_id of the Dropbox user that authorized it. (Additionally, you can check the account information for an access token by using it to call /2/users/get_current_account.)

While that identifies which Dropbox account was used, it doesn't identify the account in your third party app itself. Typically, you would get this from your app's own session. (I.e., whoever is signed in to your web site or app.)

If, for whatever reason though, that doesn't work in your use case, you can pass along other identifying data in the "state" parameter to /oauth2/authorize, which will be passed back by the /oauth2/authorize result to your redirect URI.

donatz

Yes Greg,

I use this solution.

@Greg-DB ha scritto:
When using the "code" flow, Dropbox will return an "authorization code" to your redirect URI. This authorization code is specific to the Dropbox user that authorized the app. You should then exchange this authorization code for an access token using /oauth2/token. In addition to the access token, that endpoint will return the account_id of the Dropbox user that authorized it. (Additionally, you can check the account information for an access token by using it to call /2/users/get_current_account.)
While that identifies which Dropbox account was used, it doesn't identify the account in your third party app itself. Typically, you would get this from your app's own session. (I.e., whoever is signed in to your web site or app.)

in this case I do not have the security that the user who requested the authorization has used the same data (mail, name etc.) in the registration to my service, so the comparison between accessID and myUserID can be done but it does not work at 100%. Do you Agree with me?

@Greg-DB ha scritto:

If, for whatever reason though, that doesn't work in your use case, you can pass along other identifying data in the "state" parameter to /oauth2/authorize, which will be passed back by the /oauth2/authorize result to your redirect URI.

I tried to pass a userid on "state" but as described here:

state String? Up to 500 bytes of arbitrary data that will be passed back to your redirect URI. This parameter should be used to protect against cross-site request forgery (CSRF). See Sections 4.4.1.8 and 4.4.2.5 of the OAuth 2.0 threat model spec.

this field is used for protect against cross-site, infact in the callback from dropbox to my server the field state is filled correctly but I don't have the code because it is hidden. does it happen to you too?

thank a lot

Greg-DB

I'm not sure I follow. What do you mean by "accessID"?

Also, can you clarify what you mean when you say " field state is filled correctly but I don't have the code because it is hidden"?

Please note that I'm happy to help with any questions or issues you have with the Dropbox API itself, but I can't offer general security guidance. If you have any app security questions, please consult with a security professional.

donatz

@Greg-DB ha scritto:
I'm not sure I follow. What do you mean by "accessID"?

Sorry I mean accound_id and not accessID

@Greg-DB ha scritto:
Also, can you clarify what you mean when you say " field state is filled correctly but I don't have the code because it is hidden"?

If in my call I use the field state, the callback does not return the code field but only the state returns to the parameters. How is it possible?ù

Thanks for you help

Greg-DB

The account_id returned by /oauth2/token is the account ID of the Dropbox account that was signed in and authorized the app, resulting in the authorization code that was used. Dropbox can't attest to the ID of the user in your app that was signed in to your app at the time. You'll need to manage that in your app's session code.

Also, the state and code values are getting returned as expected for me. I just tried this /oauth2/authorize URL (using a redirect URI hosted on Dropbox itself as an example):

https://www.dropbox.com/oauth2/authorize?client_id=aa0sxbl9gon603m&response_type=code&force_reapprove=true&state=some_state_data&redirect_uri=https://www.dropbox.com/1/oauth2/redirect_receiver

Upon authorizing the app, it redirected me to the redirect URL:

https://www.dropbox.com/1/oauth2/redirect_receiver?state=some_state_data&code=Zu9U1XOZl8QAAAAAAAOJU6PUFC6TQK4AwnoQXp8eN08

That contains the expected state value, as well as an authorization code.

If something isn't working as expected, please share the steps/code to reproduce the issue, and the error or unexpected output.

Anonymous Guy

You can use ?client_id=someid&state={base_encode('user_id')}, just put user_id, or some unique value to the state query param, and Dropbox will return you response as {code: "Some Code", state: 2}, where 2 - is User ID, as an example